CIMB Reassures Customers on Security of Contactless Cards

19 January 2017

CIMB Bank Berhad (“CIMB” or “the Bank”) would like to reassure its customers that the Bank’s contactless debit cards are safe and not susceptible to electronic pickpocketing. This is in relation to social media reports on certain apps being able to “pick up” data from contactless cards. The following is a Q&A on this issue:

Would the account linked to my contactless debit card be charged if a fraudster places a contactless card reader in close proximity to the debit card in my wallet (electronic pickpocketing)?

• Safeguards are in place to prevent unauthorised use of the intercepted card security details. Each contactless transaction includes a unique code that changes with each purchase, which can only be used once and can only be generated by the chip in your original contactless card. This prevents a counterfeit card from being produced and used from the intercepted card security details.

Could a fraudster steal my contactless debit card and use it to empty my account?

• Your account is protected. Each contactless transaction (i.e., transactions by waving or tapping your contactless card on the contactless card reader) is limited to RM250.
• All transactions above RM250 require a signature or pin currently. After 1 July 2017,  the six-digit PIN must be entered to approve such transactions.
• There are also fraud controls in our system that would detect and deal with the unauthorised transactions based on a certain logic set by the Bank.

Could I unknowingly have made a purchase via my contactless debit card if I walk past a contactless card reader?

No. Your contactless debit card has to be waved within 4cm or tapped at the contactless card reader and the merchant must have first entered the transaction amount for you to approve.

Is there a chance that payments may be taken twice if I accidentally wave or tap my contactless debit card twice at the contactless card reader?

No. The contactless terminal can only process one transaction at a time. Even if your contactless debit card is accidentally tapped more than once, you will only get billed once for the transaction, since merchant cashier has to enter the transaction amount for every card contactless transaction.

What happens if I have more than one contactless card in my wallet and I tap my wallet on the contactless reader?

•  If you hold your card up to a reader and you have any other contactless payment cards nearby, the reader might detect more than one card and the transaction will not go through. You will need to do the transaction again.
• You should make sure you take the relevant card out of your wallet and only hold one card on the reader to do a contactless transaction.

We would like to remind our customers that it is very important that they keep their card and PIN secure. Here are some ways for customers to protect themselves:

• DO NOT use numbers for PIN that are associated with you, such as your birthdate, telephone number or IC.
• DO NOT keep a written record of your PIN in phone or on a paper.
• DO NOT allow another person to see your PIN when you enter it. Hide the Pinpad with your other hand while keying in the PIN.
• DO NOT disclose your PIN to anyone including family members or persons in apparent authority.
• DO notify your card issuer immediately if your card is lost or stolen. CIMB will immediately block the card and it cannot be used by another person, both for contactless or contact transactions.
• Please DO change your PIN on CIMB clicks or calling the bank if your PIN has become known to someone else.
• Please DO review your account periodically and inform CIMB if you detect any unauthorized transactions.

We would like to reiterate that contactless transaction is a way to speed up the payment process at merchants for smaller ticket items, like in developed markets e.g., Australia. However, if a client is uncomfortable with the contactless function, they can call the CIMB call center on the number on back of the card and the function can be disabled for the specified debit card.