How Contactless Payments Work: NFC, RFID, and What Your Card Is Actually Transmitting

Every time you tap your card or phone at a checkout terminal and see that little checkmark appear within a second, a surprisingly sophisticated chain of wireless communication, cryptography, and banking infrastructure has just completed itself — silently, invisibly, in under 500 milliseconds. Understanding how contactless payments work is not just a technical curiosity. It helps you make informed decisions about when and where to use them, what risks are real versus overblown, and why the financial industry has standardised on this approach over the last decade.
This guide breaks down the full picture: the difference between NFC and RFID, exactly what your card broadcasts, how that data is protected, and what the genuine security considerations look like in 2026.
RFID vs NFC: Understanding the Difference
The terms RFID and NFC are often used interchangeably in casual conversation, but they describe different things. Getting this distinction right is the starting point for understanding contactless card technology.
RFID (Radio-Frequency Identification) is a broad family of wireless communication technologies that use radio waves to transfer data between a tag and a reader. RFID operates across a wide range of frequencies:
- Low Frequency (LF): 125–134 kHz — used in animal microchips, older access cards
- High Frequency (HF): 13.56 MHz — the frequency used by payment cards and transit passes
- Ultra High Frequency (UHF): 860–960 MHz — used in retail inventory tags and supply chain tracking
NFC (Near Field Communication) is a specific subset of HF RFID. It operates exclusively at 13.56 MHz and is defined by a set of international standards (ISO/IEC 14443 for the card-to-reader link, ISO/IEC 18092 for device-to-device exchange) that govern how devices discover each other, negotiate a connection, and exchange data. The key distinction is one of roles rather than radio: a classic passive RFID tag can only ever be the answering end of the conversation, replying when a reader interrogates it, whereas an NFC device such as a phone can act as a reader, emulate a card, or talk peer-to-peer with another NFC device. In a payment, commands and responses flow in both directions between card and terminal, but it is always the terminal that initiates.
When people ask about NFC vs RFID in the context of payments, the practical answer is: your contactless credit or debit card is an ISO/IEC 14443 proximity card, the same radio layer that NFC readers understand. The chip in your card is passive: it has no battery and draws its operating power from the electromagnetic field emitted by the payment terminal, so it can only answer commands the terminal sends.

How Tap-to-Pay Works: A Step-by-Step Breakdown
Understanding how contactless payments work at a process level reveals why the system is both fast and robust. Here is what happens between the moment you tap and the moment the terminal approves your transaction.
Step 1 — Field Detection
The payment terminal continuously emits a low-power 13.56 MHz electromagnetic field extending roughly 4 cm from its antenna. When you bring your card (or phone, or watch) within that range, the inductive coil inside the card harvests enough energy from that field to power the embedded chip.
Step 2 — Card Selection and Anti-Collision
If multiple NFC-capable cards are in range simultaneously (say, several cards in a wallet), their replies overlap on the air and the terminal detects a collision. ISO/IEC 14443 defines an anti-collision procedure that can resolve this: each card answers with an identifier (a UID for Type A cards, a PUPI for Type B; many payment cards generate a random one each time they are powered up), and the reader walks the identifier bit by bit until exactly one card is isolated. Payment terminals, however, are not allowed to guess which card you meant: the EMV contactless specifications require a reader that detects more than one card to stop and ask you to present one card. This is why you are generally advised to remove the card you want to use from a multi-card wallet before tapping.
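The anti-collision step, as an added example that is not part of the original article: a simulation of the ISO/IEC 14443-3 Type A bit-oriented anti-collision loop for 4-byte UIDs (cascade level 1), followed by the EMV entry-point rule that a payment terminal must refuse to continue when its first anti-collision round shows more than one card. The UIDs are constructed, the command framing is simplified, and the reader's choice of '1' at each collision is one permitted implementation choice, not the only one.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import List, Optional

# Constructed simulation of ISO/IEC 14443-3 Type A anticollision (not the article's code).
FRAME_BITS = 40  # UID0..UID3 + BCC, each byte sent least-significant bit first


def bcc(uid: bytes) -> int:
    """Block check character defined by ISO 14443-3: XOR of the four UID bytes."""
    x = 0
    for b in uid:
        x ^= b
    return x


def to_bits(data: bytes) -> List[int]:
    """Type A wire order: each byte is transmitted LSB first."""
    return [(b >> i) & 1 for b in data for i in range(8)]


def from_bits(bits: List[int]) -> bytes:
    return bytes(sum(bits[8 * k + i] << i for i in range(8)) for k in range(len(bits) // 8))


@dataclass
class Picc:
    """A proximity card (PICC) sitting in the reader's field. UIDs are made up."""
    uid: bytes
    halted: bool = False  # after HLTA the card stays silent until it leaves the field

    def anticollision_reply(self, known: List[int]) -> Optional[List[int]]:
        """ANTICOLLISION: only cards whose UID+BCC frame starts with the bits the reader
        has already resolved answer, and they send just the remaining bits."""
        if self.halted:
            return None
        frame = to_bits(self.uid + bytes([bcc(self.uid)]))
        return frame[len(known):] if frame[: len(known)] == known else None


def resolve_one_uid(cards: List[Picc]) -> Optional[bytes]:
    """The reader's anticollision loop: extend the known prefix until one full frame is
    received without collision. Returns the isolated UID, or None if no card answered."""
    known: List[int] = []
    while len(known) < FRAME_BITS:
        replies = [r for r in (c.anticollision_reply(known) for c in cards) if r is not None]
        if not replies:
            return None
        for pos in range(len(replies[0])):
            if len({r[pos] for r in replies}) > 1:
                # Cards disagree at this bit: a collision. Keep the common prefix and
                # resolve by choosing '1' (the standard lets the reader pick); cards whose
                # bit is 0 no longer match the prefix and drop out of the next round.
                known.extend(replies[0][:pos])
                known.append(1)
                break
        else:
            known.extend(replies[0])  # no collision: the frame is complete
    frame = from_bits(known)
    uid, check = frame[:4], frame[4]
    if check != bcc(uid):
        raise ValueError("BCC mismatch: corrupted anticollision frame")
    return uid


def enumerate_field(cards: List[Picc]) -> List[bytes]:
    """Generic 14443 reader behaviour: isolate a card, SELECT it, HALT it, repeat."""
    found: List[bytes] = []
    while True:
        uid = resolve_one_uid(cards)
        if uid is None:
            return found
        found.append(uid)
        for c in cards:
            if c.uid == uid:
                c.halted = True  # HLTA after SELECT so the next round sees the other cards


def emv_poll(cards: List[Picc]) -> Optional[bytes]:
    """EMV contactless entry point: a collision in the very first anticollision round
    means more than one card is present, and the reader stops and shows
    'present one card' instead of picking one. Returns the UID, or None."""
    replies = [r for r in (c.anticollision_reply([]) for c in cards) if r is not None]
    if not replies:
        return None
    if len({tuple(r) for r in replies}) > 1:
        return None  # collision detected: the terminal asks for a single card
    return resolve_one_uid(cards)
```

With three cards in the field, `emv_poll` returns nothing (the terminal would display its "present one card" message), while `enumerate_field` shows what a general-purpose reader can do with the same cards: isolate each in turn by halting the ones it has already selected.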
Step 3 — Application Selection
Once the terminal has selected a card, it sends an Application Protocol Data Unit (APDU) command: a SELECT of the Proximity Payment System Environment (PPSE, the directory named 2PAY.SYS.DDF01). Your card responds with a list of Application Identifiers (AIDs), for example Visa's A0000000031010 or Mastercard's A0000000041010, in priority order. The terminal picks the highest-priority application it supports and sends a second SELECT for that AID.
Step 4 — Cryptographic Transaction Authorization
This is the critical step and the most misunderstood. The card and terminal execute the EMV (Europay, Mastercard, Visa) contactless kernel, a standardised protocol that produces a unique, one-time cryptogram for this specific transaction. The terminal hands the card the transaction amount, currency, date and a random "unpredictable number"; the card's tamper-resistant chip adds its own Application Transaction Counter (ATC) and computes a message authentication code over all of it. The key involved is a symmetric one (3DES or AES), unique to the card and shared only with the issuing bank; it was injected when the card was personalised and never leaves the chip, and a per-transaction session key derived from it and the ATC is what actually produces the cryptogram. (The card also holds RSA keys, but those serve offline data authentication of the card itself, not this cryptogram.)
Step 5 — Authorisation and Clearing
The terminal packages the transaction data, including the one-time cryptogram, and sends it to the acquiring bank, which forwards it through the card network (Visa, Mastercard, etc.) to your card-issuing bank. Your bank re-derives the card's key from its issuer master key, recomputes the cryptogram, checks that the ATC has moved forward since the last transaction it saw, checks your available balance and its own risk rules, and returns an authorisation code. The tap itself is designed to finish in a few hundred milliseconds, after which the card can leave the field; the online round trip to your issuer completes after that, and the terminal's approval message normally waits for it.
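Steps 4 and 5 with all three parties, as an added example that is not from the original article or from any EMV specification text. Real cards compute the ARQC with a 3DES or AES CBC-MAC and derive keys with EMV's Option A and common-session-key algorithms; this code substitutes HMAC-SHA256 for both so it runs on the standard library alone, and it encodes amounts as plain integers rather than BCD. The issuer master key, test PAN and amounts are constructed. Beyond the happy path it also shows why a captured cryptogram is worthless to an attacker: sent again it fails the ATC check, and edited to a different amount it fails the MAC check.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Constructed model of the EMV contactless cryptogram step (not the article's code).
# HMAC-SHA256 stands in for the 3DES/AES CBC-MAC and key-derivation functions EMV uses.
ISSUER_MASTER_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")  # constructed key


def derive_icc_master_key(issuer_mk: bytes, pan: str, psn: str) -> bytes:
    """Each card gets its own key, diversified from the issuer master key by PAN and PAN
    sequence number (EMV Option A does this with 3DES; HMAC stands in here)."""
    return hmac.new(issuer_mk, (pan + psn).encode(), hashlib.sha256).digest()


def derive_session_key(icc_mk: bytes, atc: int) -> bytes:
    """Per-transaction session key, diversified by the ATC so every cryptogram uses a fresh key."""
    return hmac.new(icc_mk, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def cryptogram_input(amount: int, currency: int, date: str, un: bytes, atc: int) -> bytes:
    """CDOL1-style concatenation: 9F02 amount, 5F2A currency, 9A date (YYMMDD),
    9F37 unpredictable number, 9F36 ATC. Simplified; the real list is longer."""
    return (amount.to_bytes(6, "big") + currency.to_bytes(2, "big")
            + bytes.fromhex(date) + un + atc.to_bytes(2, "big"))


def mac(key: bytes, data: bytes) -> bytes:
    """8-byte cryptogram (EMV ARQCs are 8 bytes; the stand-in MAC is truncated to match)."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    pan: str
    psn: str
    icc_mk: bytes   # never leaves the chip
    atc: int = 0    # Application Transaction Counter, persisted on the chip

    def generate_ac(self, amount: int, currency: int, date: str, un: bytes) -> Dict[str, object]:
        """GPO / GENERATE AC: bump the ATC, derive the session key, MAC the transaction data."""
        self.atc += 1
        sk = derive_session_key(self.icc_mk, self.atc)
        return {"5A": self.pan, "5F34": self.psn, "9F36": self.atc,
                "9F26": mac(sk, cryptogram_input(amount, currency, date, un, self.atc))}


@dataclass
class Issuer:
    master_key: bytes
    last_atc: Dict[str, int] = field(default_factory=dict)  # highest ATC accepted per PAN

    def authorise(self, req: Dict[str, object]) -> Tuple[bool, str]:
        """Recompute the ARQC from the issuer's own key material and check the counter."""
        pan, psn, atc = str(req["5A"]), str(req["5F34"]), int(req["9F36"])
        if atc <= self.last_atc.get(pan, 0):
            return False, "ATC not increasing: replayed or out-of-order cryptogram"
        sk = derive_session_key(derive_icc_master_key(self.master_key, pan, psn), atc)
        expected = mac(sk, cryptogram_input(int(req["9F02"]), int(req["5F2A"]),
                                            str(req["9A"]), bytes(req["9F37"]), atc))
        if not hmac.compare_digest(expected, bytes(req["9F26"])):
            return False, "ARQC mismatch: transaction data altered or wrong card key"
        self.last_atc[pan] = atc
        return True, "approved"


def terminal_transaction(card: Card, issuer: Issuer, amount: int, currency: int = 826,
                         date: str = "260314") -> Tuple[bool, str, Dict[str, object]]:
    """Step 4 (terminal and card) followed by step 5 (acquirer, network, issuer)."""
    un = secrets.token_bytes(4)  # 9F37 unpredictable number, fresh per transaction
    req: Dict[str, object] = {"9F02": amount, "5F2A": currency, "9A": date, "9F37": un}
    req.update(card.generate_ac(amount, currency, date, un))
    ok, reason = issuer.authorise(req)
    return ok, reason, req


def demo() -> Dict[str, Tuple[bool, str]]:
    issuer = Issuer(ISSUER_MASTER_KEY)
    pan, psn = "4111111111111111", "00"  # constructed test PAN
    card = Card(pan, psn, derive_icc_master_key(ISSUER_MASTER_KEY, pan, psn))  # personalisation
    ok, why, req = terminal_transaction(card, issuer, amount=450)  # a legitimate 4.50 tap
    results = {"first_tap": (ok, why)}
    results["replay"] = issuer.authorise(dict(req))  # the same message captured and resent
    tampered = dict(req)  # attacker edits the amount and bumps the counter to dodge the ATC check
    tampered["9F02"] = 45000
    tampered["9F36"] = int(req["9F36"]) + 1
    results["tampered_amount"] = issuer.authorise(tampered)
    ok, why, _ = terminal_transaction(card, issuer, amount=1299)  # the next genuine tap
    results["second_tap"] = (ok, why)
    return results
```

The issuer keeps no per-transaction state other than the highest ATC it has accepted for each PAN, which is all it needs to reject a replay; the amount binding comes from the MAC input, not from anything stored.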

What Data Does a Contactless Card Actually Transmit?
This is one of the most searched questions around tap to pay security, and one of the most misrepresented in online discussions. Here is a precise answer to what data a contactless card transmits during a legitimate transaction.
The data exchanged during an EMV contactless transaction includes:
- The Primary Account Number (PAN), in the clear: on a physical card this is your real card number, sent in full in the PAN (tag 5A) and Track 2 Equivalent Data (tag 57) records. The terminal and the receipt usually show only the last four digits, but that masking happens at the terminal, not on the radio link.
- Card expiry date, also in the clear
- A chip-specific card verification value inside the Track 2 Equivalent Data. This "iCVV" is deliberately different from the value encoded on the magnetic stripe, so data read over NFC cannot be written to a stripe and swiped successfully.
- The Application Transaction Counter (ATC), a monotonically increasing counter stored on the chip and incremented for every transaction
- A one-time cryptogram (ARQC), the dynamic authentication value computed for this specific transaction
- Transaction amount, currency and date, plus the terminal's random "unpredictable number"
- Terminal verification results and other terminal-side data the issuer uses for its risk decision
What is not transmitted: your CVV2/CVC2 (the three-digit number on the back of the card), your billing address, or your PIN. Modern cards also omit the cardholder name (tag 5F20); some early contactless cards did carry it, and issuers removed it from newly issued cards. The cryptogram is mathematically tied to the exact transaction amount, date, counter and the terminal's random number: it cannot be replayed for a different amount or at a later time, and the issuer rejects any cryptogram whose ATC does not move forward.
Older contactless implementations (pre-EMV, or early EMV cards that still carried the name and a stripe-style track) gave a reader more to work with. Modern EMV contactless cards address this with dynamic cryptograms and the iCVV. The card number itself is still static and readable, which is why the real defence is that a PAN and expiry date without the CVV2 is of limited use for online purchases. Smartphone wallets go further with tokenisation, covered next.
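What a reader actually sees, as an added example (not the article's own code): a BER-TLV parser for the EMV responses a terminal receives over the air, run against constructed GET PROCESSING OPTIONS and READ RECORD responses shaped like those a modern contactless card returns. The tag numbers are the real EMV ones; the values (a 4111... test PAN, the expiry, the cryptogram bytes, the issuer application data) are made up. The summary it produces shows the PAN and expiry in the clear, the cryptogram and counter, and no cardholder name or CVV2.

```python
from typing import Dict, List

# Constructed example of parsing EMV contactless responses (not the article's code).


def tlv(tag: str, value: bytes) -> bytes:
    """Encode one BER-TLV (short form and one-byte long form lengths, enough here)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return bytes.fromhex(tag) + length + value


def parse_tlv(buf: bytes) -> Dict[str, bytes]:
    """Decode BER-TLV into a flat {tag: value} map, descending into constructed tags
    (bit 6 of the first tag byte, e.g. 70 and 77) and skipping 00/FF padding bytes."""
    out: Dict[str, bytes] = {}
    i = 0
    while i < len(buf):
        if buf[i] in (0x00, 0xFF):
            i += 1
            continue
        start = i
        first = buf[i]
        i += 1
        if first & 0x1F == 0x1F:        # multi-byte tag: more bytes follow while bit 8 is set
            while buf[i] & 0x80:
                i += 1
            i += 1
        tag = buf[start:i].hex().upper()
        n = buf[i]
        i += 1
        if n & 0x80:                    # long form: low 7 bits give the number of length bytes
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        value = buf[i:i + n]
        if len(value) != n:
            raise ValueError(f"truncated TLV at tag {tag}")
        i += n
        if first & 0x20:
            out.update(parse_tlv(value))
        else:
            out[tag] = value
    return out


def decode_track2(value: bytes) -> Dict[str, str]:
    """Track 2 Equivalent Data (tag 57): PAN 'D' YYMM service-code discretionary, F-padded.
    The discretionary field carries the chip's iCVV, not the CVV2 printed on the card."""
    digits = value.hex().upper().rstrip("F")
    pan, rest = digits.split("D", 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "discretionary": rest[7:]}


def summarise_card(responses: List[bytes]) -> Dict[str, object]:
    """What a reader learns from the card's responses, and what is simply not there."""
    fields: Dict[str, bytes] = {}
    for r in responses:
        fields.update(parse_tlv(r))
    t2 = decode_track2(fields["57"]) if "57" in fields else {}
    return {
        "pan": fields["5A"].hex().upper().rstrip("F") if "5A" in fields else t2.get("pan"),
        "expiry": fields["5F24"].hex() if "5F24" in fields else None,  # YYMMDD
        "cardholder_name": fields["5F20"].decode("ascii") if "5F20" in fields else None,
        "atc": int.from_bytes(fields["9F36"], "big") if "9F36" in fields else None,
        "cryptogram": fields["9F26"].hex() if "9F26" in fields else None,
        "cvv2": None,  # no EMV tag carries the CVV2: it exists only in print and at the issuer
        "tags_seen": sorted(fields),
    }


# Constructed GPO response (tag 77): AIP, ATC, cryptogram, cryptogram information data
# (80 = ARQC, i.e. "go online"), issuer application data.
GPO_RESPONSE = tlv("77", tlv("82", bytes.fromhex("1980")) + tlv("9F36", bytes.fromhex("0042"))
                   + tlv("9F26", bytes.fromhex("8a3f1c27d54e90b1")) + tlv("9F27", b"\x80")
                   + tlv("9F10", bytes.fromhex("06011203a00000")))
# Constructed READ RECORD response (tag 70): track 2 equivalent, PAN, expiry (YYMMDD),
# PAN sequence number. Note the absence of 5F20 (cardholder name) and of any CVV2.
RECORD_RESPONSE = tlv("70", tlv("57", bytes.fromhex("4111111111111111D281220100001234"))
                      + tlv("5A", bytes.fromhex("4111111111111111"))
                      + tlv("5F24", bytes.fromhex("281231")) + tlv("5F34", b"\x00"))
```

Run `summarise_card([GPO_RESPONSE, RECORD_RESPONSE])` and the `pan` and `expiry` entries come back populated while `cardholder_name` and `cvv2` are `None`; that is the whole skimming picture for a modern card in one dictionary.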
Tokenisation: The Layer Most People Miss
When you add a physical card to Apple Pay, Google Pay, or Samsung Pay, the system does not store your real card number on your device. Instead, the card network's token service generates a Device Primary Account Number (DPAN), a token that stands for your real card number but is bound to that device and restricted to the channels it was issued for. Your real card number is called the Funding Primary Account Number (FPAN); it is held in the network's token vault and by your issuer, and is never presented to the terminal or the merchant.
This means that even if someone were to intercept the NFC data from a smartphone payment — which is already extremely difficult given the 4 cm range requirement — they would capture a token tied to one device, plus a one-time cryptogram that has already expired. There is nothing actionable to extract.
Real Security Risks vs Myths
Every few months, a new viral post claims that criminals are walking through shopping centres with homemade RFID readers, silently draining bank accounts through clothing and bags. This narrative is almost entirely myth, but there are some nuances worth understanding when assessing tap to pay security.
The "RFID Skimming" Myth
For an RFID or NFC read to occur, the reader must be within a few centimetres of your card. A phone with an NFC reader app can do it through a thin wallet, but doing it covertly in a crowd is harder than the viral videos suggest. More critically, what such a read yields is the card number and expiry date, never the CVV2, and the EMV cryptogram it captures is valid only for one specific transaction at one specific amount. The issuer tracks the ATC and rejects a counter value it has already accepted, so a captured cryptogram has essentially zero value for committing fraud with your physical card, and a card number without its CVV2 has limited value online.
The scenarios where "skimmed" contactless data could be misused are older implementations that exposed the cardholder name and a stripe-style track, and relay attacks, in which an attacker defeats the short range by forwarding messages between your card and a distant terminal in real time. Relay attacks on EMV contactless have been demonstrated by academic researchers, but they need a live accomplice at a terminal for every transaction, some kernels add timing checks against them (Mastercard's Relay Resistance Protocol), and they are far more work than the attack surfaces criminals actually favour (phishing, data breaches). They are not a documented pattern of widespread card fraud.
Unintended Transactions
A more realistic minor inconvenience: accidentally triggering a payment when your wallet or bag passes close to an active terminal. Most modern terminals require the merchant to initiate a transaction first — the terminal does not charge an amount until the cashier has entered it and activated the field for a read. Passive "always-on" readers are not standard in retail environments. Still, keeping NFC cards in shielded wallets or sleeves is a reasonable precaution for people concerned about accidental reads.
Genuine Risks Worth Knowing
The actual fraud risk landscape for contactless payments is dominated by things that have nothing to do with the wireless protocol itself:
- Card-not-present fraud: Your card number being used for online purchases after a data breach — this is the dominant fraud vector globally and is unrelated to NFC/RFID.
- Lost or stolen physical cards: until a lost contactless card is reported, a finder can make small no-PIN purchases up to the regional contactless limit (for example £100 in the UK and €50 in much of the eurozone), and only until the card's own counters force a PIN.
- Compromised payment terminals (hardware skimmers): Physical devices installed on the terminal itself, targeting the magnetic stripe or chip reader — again, not the NFC component.

How the Standards Work Together
It is worth naming the standards bodies that govern how all of this fits together, because they explain why contactless card technology is as interoperable and consistent as it is across hundreds of different card issuers and thousands of terminal manufacturers.
- ISO/IEC 14443: Defines the physical and data-link layer for proximity cards (the radio communication itself)
- ISO/IEC 18092 (ECMA-340): The NFCIP-1 standard governing peer-to-peer communication between two active NFC devices; phones implement it, but a payment card and a terminal talk only ISO/IEC 14443
- EMVCo: The consortium (owned by Visa, Mastercard, Amex, JCB, Discover, UnionPay) that defines the application-layer protocols — the contactless kernels that run on top of the ISO radio layer
- PCI DSS: Payment Card Industry Data Security Standard, which mandates how merchants and processors must protect the card data they store, process or transmit (a companion standard, PCI PTS, covers the physical and logical security of the terminals themselves)
When a card manufacturer builds a chip, a terminal manufacturer builds a reader, and a bank issues a card, all parties are building to these overlapping standards. This is why a card issued in Japan works at a terminal in Brazil: each network publishes one contactless kernel, a certified terminal implements the kernels for every network it accepts, and the cryptographic exchange between card and issuer is the same regardless of geography.
The Speed-Security Tradeoff in Contactless Limits
One deliberate design choice worth understanding: most markets cap contactless-without-PIN transactions at a relatively low amount (for example £100 in the UK and €50 in much of the eurozone; Australia and Canada use limits in the low hundreds of local dollars). Above that threshold, the terminal requires chip-and-PIN, chip-and-signature, or, for a phone, the device's own unlock (face, fingerprint or passcode).
Cards and issuers also apply cumulative contactless limits. The chip keeps counters that the issuer sets when the card is personalised: the number of consecutive contactless transactions since the last PIN, and the running total of their value. When either exceeds its threshold, the card signals that it needs cardholder verification, so you are asked to insert the card and enter your PIN even for a small purchase; a successful PIN transaction resets the counters, and issuers can enforce similar rules on their side during authorisation. This is a fraud-containment mechanism designed to ensure that a stolen card cannot be used indefinitely for small purchases without ever triggering PIN verification. You may have noticed this if your card occasionally refuses a small contactless purchase and prompts for chip-and-PIN instead.
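The counters behind that behaviour, as an added example that is not the article's code and not any issuer's real parameters: a model of the chip-side contactless risk state. The three thresholds are constructed; real values are chosen by each issuer at personalisation, and the mechanism is simplified to the two counters described above. Amounts are in minor units.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed model of chip-side cumulative contactless limits (not the article's code).


@dataclass
class RiskParameters:
    """Issuer-personalised contactless risk settings on the chip (values assumed)."""
    no_cvm_single_limit: int = 10_000      # e.g. 100.00: above this a PIN is always required
    max_consecutive_no_cvm: int = 5        # contactless taps allowed since the last PIN
    cumulative_no_cvm_limit: int = 20_000  # total value allowed since the last PIN


@dataclass
class CardRiskState:
    """Counters the chip updates on every no-PIN tap and resets after a PIN."""
    consecutive_no_cvm: int = 0
    cumulative_no_cvm: int = 0


def contactless_decision(params: RiskParameters, state: CardRiskState, amount: int) -> str:
    """Returns 'NO_CVM' (tap approved without PIN) or 'PIN_REQUIRED' (the terminal asks
    the cardholder to insert the card and enter the PIN). Counters advance only when a
    no-PIN tap is allowed; a completed PIN transaction is reported via pin_verified()."""
    if amount > params.no_cvm_single_limit:
        return "PIN_REQUIRED"
    if state.consecutive_no_cvm >= params.max_consecutive_no_cvm:
        return "PIN_REQUIRED"  # the "small purchase suddenly wants a PIN" case
    if state.cumulative_no_cvm + amount > params.cumulative_no_cvm_limit:
        return "PIN_REQUIRED"
    state.consecutive_no_cvm += 1
    state.cumulative_no_cvm += amount
    return "NO_CVM"


def pin_verified(state: CardRiskState) -> None:
    """A successful chip-and-PIN (or online PIN) transaction resets both counters."""
    state.consecutive_no_cvm = 0
    state.cumulative_no_cvm = 0


def simulate(params: RiskParameters, taps: List[int]) -> List[Tuple[int, str]]:
    """Run a sequence of tap amounts through one card. When a PIN is demanded, assume the
    cardholder enters it correctly, which resets the counters before the next tap."""
    state = CardRiskState()
    log: List[Tuple[int, str]] = []
    for amount in taps:
        decision = contactless_decision(params, state, amount)
        log.append((amount, decision))
        if decision == "PIN_REQUIRED":
            pin_verified(state)
    return log
```

With the assumed parameters, six coffees in a row produce five no-PIN taps and then a PIN prompt on the sixth, even though the sixth is no larger than the others; a single purchase over the single-transaction limit prompts immediately; and a run of mid-sized taps trips the cumulative limit before the consecutive one.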
Key Takeaways
Understanding how contactless payments work demystifies a technology that most people use daily but rarely think about. Here is a concise summary of what we have covered:
- NFC is a specific subset of HF RFID operating at 13.56 MHz, standardised for two-way, short-range communication between devices and readers.
- The tap-to-pay process involves field detection, anti-collision, application selection, and cryptographic authorisation — all in under 500 milliseconds.
- What your card transmits is your card number and expiry date (in the clear), a one-time cryptogram, a transaction counter, and transaction metadata; not your CVV2, your PIN, or, on modern cards, your name or address.
- Tokenisation in smartphone-based NFC payments adds an additional layer: your real card number is never sent to the terminal or the merchant.
- RFID skimming from a distance is largely a myth for modern EMV cards. The genuine fraud risks — card-not-present fraud, physical theft, data breaches — come from elsewhere.
- Cumulative contactless limits are a deliberate, automatic fraud-containment mechanism driven by counters the issuer configures on the chip, not a technical glitch.
The next time you tap your card and walk away in under a second, you now know exactly which standards, protocols, and cryptographic mechanisms made that happen — and why it is more secure than it might appear to the casual observer.