The City regulator has set out measures to tackle fraudulent payments on contactless cards which have been reported lost or stolen. In a letter to the Treasury select committee, published on Thursday, the Financial Conduct Authority (FCA) said consumer losses on contactless payments were relatively small but in some circumstances cards could be used by a fraudster several months after it had been cancelled.

MoneySavingExpert said there could be a real risk that fraud is going undetected because people who have cancelled their cards may wrongly assume that means they can no longer be used.

In his letter to the committee, the FCA chair, John Griffith-Jones, said it was urging banks to remove “any onus on customers to identify fraudulent transactions”. It was also considering technical fixes as well as providing customers with more clarity on clearing times for contactless payments.

Griffith-Jones pointed out that contactless fraud represented only about 0.5% of overall card fraud. But he conceded: “We agree public confidence could be eroded without further action.” Experts say the true level of losses may be higher.

Committee member Rachel Reeves, the Labour MP who questioned the FCA about the problem in January, said: “The security flaws that allow fraudsters to use contactless cards even after they have been cancelled need to be tackled urgently. Customers are in the unacceptable situation that they are still vulnerable to fraudulent transactions despite reporting their cards lost or stolen.”

Andrew Tyrie, chair of the Treasury committee, welcomed the FCA’s letter. He said: “As things stand, in order to mitigate the risk of fraud, customers are expected to comb through their bank statements months after they have instructed their banks to block their lost or stolen cards.

How can this fraud happen?

When payments are processed online, the card and payment machine immediately communicates with the customer’s bank. If a lost or stolen card has been cancelled, this will be flagged and payments forbidden.

Offline payments are stored in batches by retailers and processed online to the bank at a later point – at some smaller stores this can be a few days later. This delay can allow thieves to go undetected.

But fraudsters can be tripped up if the contactless card has been used the maximum number of times before a pin is required. The limit before identification is required varies between card issuers and account types.

Firms may also set a limit after which payments are forced to go online, meaning anything above a certain amount is checked immediately with the issuing bank. Some cards may always have to go online.

For more information about our work, please visit www.safeinwarwickshire.com/cybercrime

Cyber Aware is a cross-government campaign, funded by the National Cyber Security Programme. They aim to measurably and significantly improve the online safety behaviour and confidence of consumers and small businesses (SMEs).

Get Safe Online is the UK’s leading source of factual and easy-to-understand information on online safety. Their website offers advice on how you can protect yourself, your computers and devices, and your business against the likes of fraud, identity theft, viruses and other potential online problems