Digital Wallets and Contactless Payments: Security Guide for Internationally Mobile Individuals
For internationally mobile professionals, digital wallets have become the default payment mechanism in daily life: tapping to pay on the London Underground, paying for a restaurant in Singapore, settling a supermarket bill in Dubai. The technology is fast, convenient, and — in many ways — more secure than the physical card it replaces.
However, convenience and security are not the same thing. Understanding precisely how digital wallet security works, where the genuine risks lie, and how to manage multiple devices across multiple jurisdictions requires a more careful look than most users apply.
Important: App features, security settings, and payment acceptance vary by device, operating system version, and jurisdiction. Always verify current security settings directly with your device and app providers.
The Digital Wallet Landscape
Bank and Device-Linked Wallets
Apple Pay (iPhone, Apple Watch, iPad, Mac): Links to debit and credit cards from participating UK and international banks. Works via NFC for in-store payments and online. Used by hundreds of millions of people globally.
Google Pay (Android): Similar functionality to Apple Pay on Android devices. Works with NFC and online.
Samsung Pay: Android-based, works with both NFC and (on some older devices) a magnetic secure transmission (MST) technology that mimics a magnetic stripe — useful in locations where NFC terminals are not available.
Fintech Wallet Providers
Revolut: A multi-currency digital wallet with its own IBAN, debit card, and a full UK banking licence (Revolut Bank UK exited the regulator's mobilisation phase and launched as a fully licensed UK bank in March 2026, having first been granted a restricted banking licence in July 2024). The Revolut app contains a digital wallet that can be added to Apple Pay or Google Pay.
Wise: Primarily a currency transfer service, but the Wise card and app function as a multi-currency digital wallet. Can be added to Apple Pay/Google Pay.
PayPal: A global e-money institution. Strong for online payments and peer-to-peer transfers. Less commonly used for in-store NFC payments.
How Digital Wallets Work: The Underlying Technology
NFC (Near Field Communication)
In-store digital wallet payments use Near Field Communication: a short-range (up to 4 cm) radio frequency technology that transmits payment data between the device and a payment terminal. The communication is brief, directional, and requires close proximity — the device must almost touch the terminal to complete a payment.
Tokenisation: The Core Security Mechanism
The most important security feature of digital wallets is tokenisation. When you add a card to Apple Pay or Google Pay, the actual card number (the 16-digit PAN — Primary Account Number) is not stored on the device and is not transmitted during a payment. Instead, the device is assigned a Device Account Number — a token — which is unique to your device and card combination.
When you make a payment:
- The device generates a transaction-specific dynamic cryptogram (a one-time code).
- The token and cryptogram are transmitted to the payment terminal.
- The terminal sends this to the card network (Visa, Mastercard).
- The network's tokenisation service maps the token back to your actual card number and verifies the cryptogram.
- The payment is authorised.
At no point is your actual 16-digit card number transmitted. If a payment terminal is hacked or the merchant's systems are breached, the attackers obtain only the token and an already-used cryptogram. The cryptogram is one-time only, so the pair cannot be replayed, and the token cannot be reversed to reveal your actual card number.
This is architecturally more secure than a physical card swipe, where your actual card number is transmitted and (in older systems) stored by the merchant.
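The token-plus-cryptogram flow described above, modelled in Python as an added example (not code from any wallet provider or card network). HMAC-SHA256 over the token, a transaction counter and the amount stands in for the real cryptogram algorithm, and `TokenService`, `Wallet` and `make_cryptogram` are hypothetical names.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(key, token, counter, amount_minor):
    """One-time code bound to token, counter and amount (HMAC stand-in, not EMV)."""
    msg = f"{token}|{counter}|{amount_minor}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class TokenService:
    """Network side: the only place the token-to-PAN mapping exists."""
    def __init__(self):
        self._vault = {}  # token -> PAN, per-device key, highest counter seen

    def provision(self, pan):
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_counter": 0}
        return token, key  # the device receives these, never the PAN

    def authorise(self, token, counter, amount_minor, cryptogram):
        entry = self._vault.get(token)
        if entry is None:
            return "declined: unknown token"
        if counter <= entry["last_counter"]:
            return "declined: replayed cryptogram"
        expected = make_cryptogram(entry["key"], token, counter, amount_minor)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        entry["last_counter"] = counter  # this counter value is now spent
        return "approved"

class Wallet:
    """Device side: holds the token and key only."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0
    def tap(self, amount_minor):
        self._counter += 1
        code = make_cryptogram(self._key, self.token, self._counter, amount_minor)
        return {"token": self.token, "counter": self._counter,
                "amount_minor": amount_minor, "cryptogram": code}

def demo():
    pan = "4111111111111111"  # constructed test card number
    network = TokenService()
    wallet = Wallet(*network.provision(pan))
    msg = wallet.tap(1250)  # everything a terminal or merchant ever sees
    first, replay = network.authorise(**msg), network.authorise(**msg)
    forged = network.authorise(**{**wallet.tap(1250), "amount_minor": 999999})
    return first, replay, forged, pan in str(msg)
```

Calling `demo()` shows the genuine tap approved, the captured message declined on replay, an altered amount declined because the cryptogram no longer matches, and the PAN absent from the transmitted data.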
Security Controls on the Device
Biometric Authentication
Before your device releases a token for payment, it requires biometric authentication — Face ID (Apple) or fingerprint recognition (Apple, Android). This means:
- A thief who steals your phone cannot use Apple Pay unless they can replicate your face or fingerprint.
- The "tap and pay" functionality for small amounts requires biometric verification on most devices, unlike a physical contactless card, which requires no authentication below the contactless limit. (The UK contactless limit was a mandatory £100 until the FCA removed the fixed cap on 19 March 2026, allowing banks with strong fraud controls to set their own limits, though many retain £100 in practice.)
- Biometric data is stored locally on the device (in the Secure Enclave on Apple devices, in the Trusted Execution Environment on Android) and is never sent to Apple, Google, or your bank.
Device-Level Encryption
The Device Account Number and payment credentials are stored in a dedicated hardware security chip (the Secure Element). This is physically separate from the main processor and cannot be accessed by other apps or by the device's operating system. Even if malware is installed on the phone, it cannot extract the payment credentials.
Remote Lock and Wipe
If your device is stolen:
- Apple: Use Find My iPhone (iCloud) to lock the device immediately. This automatically suspends all Apple Pay transactions on the device. You can also remove all cards from Apple Pay via iCloud without accessing the device.
- Google: Find My Device allows the same remote lock and payment suspension.
- Both Apple Pay and Google Pay transactions are automatically suspended on a device that has been reported lost via the carrier SIM lock, even if the device has not been wiped.
International Use: What Works Where
Digital wallets work wherever NFC payment terminals are present. Acceptance is very high in:
- United Kingdom, Ireland, Western Europe
- Singapore, Hong Kong, Australia, New Zealand, Japan
- United States (growing rapidly, near universal in urban areas)
- UAE (Dubai, Abu Dhabi: high acceptance)
NFC acceptance is lower or inconsistent in:
- Parts of Southeast Asia (Thailand, Indonesia, Philippines: improving but variable)
- Cash-dominant economies (parts of MENA, Sub-Saharan Africa, South Asia)
- Some smaller merchants in otherwise developed markets who have not updated terminals
Currency Conversion in Digital Wallets
The exchange rate you receive depends on the underlying card or account in your wallet:
- Revolut or Wise: These use the interbank exchange rate (with a small markup, if any, during peak hours). Using Revolut or Wise via Apple Pay for overseas spending is typically the most cost-efficient currency conversion available.
- Visa or Mastercard debit/credit cards linked via Apple Pay/Google Pay: You receive the Visa or Mastercard daily wholesale rate, with your bank's foreign transaction fee applied on top. This is generally better than dynamic currency conversion at a terminal but worse than Revolut or Wise.
- American Express in Apple Pay: Amex rates apply. Amex typically has good headline exchange rates but a foreign transaction fee unless you hold a premium Amex with no FX fee.
Specific Risks for Internationally Mobile Users
Shoulder Surfing and Device Theft
The primary real-world risk in digital wallet fraud is social engineering around device access. The attack pattern: a distraction (a bump, a question, pointing at something) allows an accomplice to observe the user unlocking their phone. With the device PIN observed, the thief can unlock the device, disable Face ID temporarily, and attempt to add their own face or enroll their own biometric. Modern iOS (17+) and Android (14+) have additional protections for this scenario, but ensuring your passcode is complex and not visible when entering it remains good practice.
Immediate action if device stolen: Lock Apple Pay or Google Pay remotely before attempting to locate or wipe the device. Payment suspension is faster and more targeted than a full device lock.
Relay Attacks
A relay attack involves two devices: one near the victim, one near a payment terminal. Device A amplifies the NFC signal from the victim's contactless card or device; Device B presents this amplified signal at a payment terminal. The transaction completes without the victim's knowledge.
This attack is more relevant to physical contactless cards (which have no biometric requirement for small amounts) than to digital wallets (which require biometric authentication on the device for every transaction on most modern phones). For physical cards carried alongside a digital wallet, an RFID-blocking wallet or card sleeve prevents relay attacks — worth using as a backup precaution.
Public WiFi Risk
For app-based payments (in-app purchases, online payments via mobile browser), the risk vector shifts from NFC to the internet connection. Using public WiFi for financial transactions — even with HTTPS connections — introduces risk: SSL stripping attacks, rogue access points, and man-in-the-middle scenarios.
Best practice: use mobile data (4G/5G) rather than public WiFi for any financial transaction on a phone. Most modern data plans include sufficient international data for this to be practical.
Multiple Device Management
An internationally mobile professional may have Apple Pay or Google Pay configured on a phone, a tablet, a laptop, and a smartwatch. Each device needs to be independently managed:
- Periodically review all devices to which a particular card has been added.
- Remove cards from devices you no longer use.
- If any device is lost or stolen, remove cards from it immediately via the card issuer's app or website — this is faster and more targeted than reporting to Apple or Google.
Best Practice Summary
- Enable biometric authentication for all digital wallet payments.
- Keep your device passcode complex and private — it is the backup to biometric and the key to the castle.
- Use Revolut, Wise, or a no-FX-fee card for overseas transactions.
- Lock digital wallet payments remotely immediately on device theft.
- Use RFID-blocking sleeves on physical contactless cards as a backup precaution.
- Never use public WiFi for financial transactions — use mobile data.
- Audit which devices have access to your payment cards quarterly.
How Global Investments Can Help
Global Investments advises internationally mobile professionals on structuring their banking and payment arrangements efficiently across multiple jurisdictions. Whether you are a frequent traveller optimising day-to-day payment costs, or an HNW client reviewing the security arrangements on your family's multiple devices, our team can help you assess your current setup and identify improvements.
For clients making significant international property or investment transactions, the considerations go well beyond digital wallets — we can help you structure the full financial architecture of your international life.
This guide is for general educational purposes only. Security features, app capabilities, and regulatory frameworks change continuously. Always verify current settings and seek advice specific to your circumstances.
This guide is for general information only and does not constitute financial advice or a personal recommendation. Banking regulations, tax rules, and product availability change — always verify current rules and seek advice from a qualified independent financial adviser or regulated banking specialist before making any decisions. The value of investments can fall as well as rise and you may get back less than you invest.