The tap takes about half a second. In that half-second, a card and a terminal perform a mutual cryptographic exchange, the card computes a one-time code that no eavesdropper can reuse, and a decision is made about who carries the loss if anything goes wrong. The £100 limit that frames every British checkout is the visible edge of that liability machinery, not a measure of how fragile the technology is.
The radio part is the least interesting bit. Contactless uses NFC, a short-range standard running at 13.56 MHz, and the card has no battery: the terminal's field induces just enough current in the card's antenna loop to wake the chip. Effective range is a few centimetres by design, which is why hovering a card in a pocket near a reader almost never triggers a payment and why the "drive-by skimming" scare stories of the early 2010s never translated into meaningful fraud figures.
What travels over that radio link is where the security lives. A contactless card is an EMV chip card — the same standard, run by the consortium behind Visa, Mastercard and the other schemes, that governs chip-and-PIN. The chip holds a secret key that never leaves it and cannot be read out. For each transaction the terminal sends an unpredictable number, and the chip combines it with the amount, a transaction counter and other data to compute a cryptogram — a one-time authentication code. The issuing bank, which holds the matching key, verifies the cryptogram when the transaction arrives for authorisation. Record the exchange and you have captured a code that was valid once, for that amount, at that terminal, and is now worthless. This is the fundamental difference from the magnetic stripe, which handed over the same static data to every reader that asked.
Phones and watches go a step further. When a card is added to Apple Pay or Google Wallet, the real card number is never stored on the device; the scheme issues a substitute called a token, locked to that handset. The terminal sees the token plus the usual one-time cryptogram, so a breached merchant database yields numbers that are useless anywhere else. Crucially, the phone also performs cardholder verification itself — Face ID, fingerprint or passcode — which is why a mobile wallet payment can sail past £100 while the plastic card in the same pocket cannot.
Why £100, and who pays when it goes wrong
The per-tap ceiling is a regulatory judgement, not an engineering one. Contactless launched in the UK in 2007 at £10, crept to £20, then £30, jumped to £45 during the pandemic, and reached £100 in October 2021 when the Financial Conduct Authority amended its rules following the UK's exit from EU limits. Alongside it sits a cumulative control: after roughly £300 of consecutive taps, or a run of five, the terminal demands the PIN. That reset is strong customer authentication doing its job — proving periodically that the person tapping is the person who owns the card, because a tap alone proves only possession.
Possession is the real exposure. A stolen card can be tapped until the cumulative cap bites, and this — not interception, not cloning — accounts for most contactless fraud. The numbers stay modest: UK Finance consistently reports contactless losses at a few pence per £100 spent, a fraction of overall card fraud. And the loss lands on the bank, not the cardholder. Under the Payment Services Regulations 2017, an issuer must refund an unauthorised transaction, generally by the end of the next business day, unless it can show the customer acted fraudulently or with gross negligence. Losing a card is not gross negligence. The £100 limit is best read as the banks' and regulator's answer to the question: how much unverified spending are we prepared to refund per tap?

The gaps in the half-second
One wrinkle is that the tap is sometimes faster than the bank. On London's transport network, TfL's readers cannot wait for online authorisation at the gate line, so they accept the card and settle later — a deferred model in which the merchant shoulders the risk of a declined card. Small offline "floor limits" survive in a few other settings, such as in-flight sales, for the same reason: below a threshold, the terminal approves without asking the issuer, and the acquirer prices in the occasional loss. Above it, everything goes online. The half-second tap, in other words, is not one system but a stack of them — radio, cryptography, regulation and a quiet agreement about who eats the losses — and the limits printed on the shop's card reader are simply where those agreements currently balance.