Contactless payment has gone from novelty to default in just a few years. Most new US credit cards arrive with the contactless symbol on the front, and almost every modern point-of-sale terminal supports it. The technology is misunderstood often enough that some cardholders still avoid it, worried about being skimmed from across the room or charged by accident. Most of those concerns are myths. The actual safety story is that tap-to-pay is one of the more secure ways to use a card in person, and understanding why takes only a few minutes.
How NFC and Contactless Actually Work
The technology behind contactless cards is near-field communication, or NFC, a short-range radio standard that operates at 13.56 megahertz with a working range of about one to two inches. The reader sends a low-power radio signal that wakes up a small chip in your card. The chip responds with a payment cryptogram generated specifically for that transaction. There is no exchange of your actual card number in clear text. Each tap produces a different cryptogram, which means even an intercepted signal is useless for a second purchase.
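The per-tap cryptogram and the reason a captured one cannot be reused can be seen in a small model. This is an added example, not code from any card network or issuer: HMAC-SHA256 stands in for the real card cryptogram algorithm, and the class names, message layout, and counter handling are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _encode(counter: int, amount_cents: int, nonce: bytes) -> bytes:
    # Assumed message layout: tap counter | amount | terminal's random challenge.
    return counter.to_bytes(4, "big") + amount_cents.to_bytes(8, "big") + nonce

class Card:
    """Chip side: holds a key shared with the issuer and a tap counter."""
    def __init__(self, key: bytes):
        self._key, self._counter = key, 0

    def tap(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        self._counter += 1  # every tap advances the counter, so every cryptogram differs
        msg = _encode(self._counter, amount_cents, terminal_nonce)
        mac = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"counter": self._counter, "amount_cents": amount_cents,
                "nonce": terminal_nonce, "cryptogram": mac}

class Issuer:
    """Issuer side: recomputes the cryptogram and refuses a counter it has already seen."""
    def __init__(self, key: bytes):
        self._key, self._last_counter = key, 0

    def authorize(self, tx: dict) -> str:
        msg = _encode(tx["counter"], tx["amount_cents"], tx["nonce"])
        expected = hmac.new(self._key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: bad cryptogram"    # any altered field breaks the MAC
        if tx["counter"] <= self._last_counter:
            return "declined: replayed counter"  # valid MAC, but this tap was already used
        self._last_counter = tx["counter"]
        return "approved"

def demo() -> list:
    key = os.urandom(32)                      # constructed sample key
    card, issuer = Card(key), Issuer(key)
    first = card.tap(450, os.urandom(4))      # constructed $4.50 purchase
    results = [issuer.authorize(first)]       # the genuine tap
    results.append(issuer.authorize(first))   # same message presented a second time
    altered = dict(first, counter=first["counter"] + 1, amount_cents=9900)
    results.append(issuer.authorize(altered)) # captured message with edited fields
    results.append(issuer.authorize(card.tap(450, os.urandom(4))))  # next genuine tap
    return results

if __name__ == "__main__":
    print(demo())
```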
Mobile wallets add an extra layer. When you load a card into Apple Pay or Google Wallet, the wallet receives a device-specific token instead of the actual card number. That token is what your phone sends when you tap. The merchant never sees your real card details, and even the token is bound to that one phone. If you lose the device, the token can be killed remotely without canceling the underlying card.
The Per-Tap Limit and Why It Matters
In the US, contactless transactions above a certain threshold are supposed to require a second factor like a signature, a PIN, or a biometric on a phone. The common threshold for a no-verification tap is around 100 dollars, though issuers and merchants can configure their own ceiling. Above the limit, the terminal prompts for additional verification just like a chip transaction does.
The limit reduces the worst case if a card is lost or stolen. Someone with your physical card can only run small contactless transactions before the terminal forces a second factor, and those small charges show up immediately in your alerts. The same dynamic does not apply to mobile wallet transactions because those already require a biometric or passcode at the moment of payment, so the per-tap limit is effectively higher with a phone than a card.
The Drive-By Skimming Myth
An enduring worry is that a thief with a hidden NFC reader can walk by you on the subway and silently charge your card. In practice, this attack barely works. The range is too short, the cardholder usually has to actively present the card to a reader for the transaction to complete, and even if a thief succeeded once, the resulting transaction goes to a merchant account that can be traced and reversed.
RFID-blocking wallets address this concern, and they do block the signal. They are inexpensive and not harmful, so if they give peace of mind they are fine to use. From a pure risk standpoint, though, far more fraud happens at compromised online merchants and physical skimmers on magnetic stripes than from drive-by NFC reads. The much more useful precaution is enabling transaction alerts in the issuer app so any unexpected charge surfaces within seconds.
When Tap-to-Pay Is the Best Choice and When It Is Not
Default to contactless when the terminal supports it. At a coffee shop, a grocery checkout, a vending machine, a transit gate, or any retail point of sale, tap is faster, the cryptogram protects you, and the merchant never handles your raw card data. If you use a mobile wallet, you also get the device-level biometric requirement, which removes the per-tap limit risk almost entirely.
The places where tap-to-pay is still less common in the US include outdoor gas pumps, older parking meters, and small independent retailers running legacy terminals. There, you are stuck with chip insert or magnetic stripe. Treat magnetic stripe as the last resort. If the only reader available is magnetic, ask whether there is a chip terminal inside the store. For online purchases, of course, contactless does not apply. Online card-not-present transactions rely on different protections like 3D Secure verification, tokenized wallet checkouts, and virtual card numbers from your issuer.
