Consumers should not be expected to comb through their bank accounts to check for contactless payment fraud months after reporting their card lost or stolen, according to the chairman of an influential committee of MPs.
The Treasury Committee has welcomed a letter from the City regulator outlining steps to combat contactless card fraud.
It follows concerns raised last year by consumer help website MoneySavingExpert.com, which warned that while some accounts are prevented from being raided in this way, in other cases it is left to customers to spot dodgy payments.
MoneySavingExpert said there could be a real risk that fraud is going undetected because people who have cancelled their cards may wrongly assume that means they can no longer be used.
The Treasury Committee has released a letter received from John Griffith-Jones, chairman of the Financial Conduct Authority (FCA) and Payment Systems Regulator (PSR).
The letter says that while the risk of contactless card fraud to consumers is relatively low, representing around 0.5% of overall card fraud, "we agree public confidence could be eroded without further action".
It says issues the FCA is exploring with the industry include removing any onus on customers to identify fraudulent transactions.
It is also looking at improving customer communications at the time of cancelling and providing clarity to customers on the clearing time for contactless payments.
Andrew Tyrie, chairman of the Treasury Committee, said: "As things stand, in order to mitigate the risk of fraud, customers are expected to comb through their bank statements months after they have instructed their banks to block their lost or stolen cards. That seems unreasonable. The Treasury Committee has urged the FCA to sort this out.
"So the package of measures to resolve this problem, which the FCA proposes in their letter to the committee, is welcome."
Committee member Rachel Reeves said: "The security flaws that allow fraudsters to use contactless cards even after they have been cancelled need to be tackled urgently.
"Customers are in the unacceptable situation that they are still vulnerable to fraudulent transactions – despite reporting their cards lost or stolen."
The issue generally lies in contactless card payments being processed in one of two ways – "online" or "offline".
When payments are processed online, the card and payment machine immediately communicate with the customer’s bank. If a lost or stolen card has been cancelled, this will be flagged immediately and a payment not allowed.
Offline payments are stored in batches by retailers and processed online to the bank at a later point, sometimes a few days later with smaller stores. This can allow a thief buying goods on a stolen card to go undetected.
But fraudsters can be tripped up if the contactless card has been used the maximum number of times before a pin is required. The limit before a pin is required varies between card issuers and account types.
Firms may also set a "floor limit" at which payments are forced to go online – meaning anything above a certain amount is checked out immediately with the issuing bank. Some cards may always have to go online.
The letter released by the Treasury Committee says around 45% of contactless card transactions occur offline. It said later this year, Visa will require that almost all Visa contactless transactions in the UK are online authorised.
Given Visa’s large market share, it is likely this will significantly reduce offline processing of contactless transactions, correspondingly reducing contactless card fraud, the letter said.