Nigeria's fintech story has been built on transfers. From USSD to instant bank transfers, Nigerian fintechs have engineered a system that moves money fast, but not without friction. Network latency, failed sessions, manual input errors, and OTP delays remain embedded in everyday transactions. In high-traffic retail environments, those seconds compound into measurable inefficiency.

Contactless payments, or tap-and-go, promise speed without friction. The market is moving quickly. PalmPay is deploying Cash Africa's contactless infrastructure to roll out tap-to-pay on its POS terminals. Access Bank has partnered with Visa to enable Near Field Communication-based contactless payments via Android devices. Traditional banks such as Sterling Bank, UBA, and Zenith are also exploring integrations. But this is not just a technology story. It is a regulatory one.

As Nigeria advances its cashless agenda, the real question is no longer whether contactless technology works. It does. The more important question is whether our regulatory framework is ready for scale or still designed for experimentation.

This edition of Tech Brief will examine the current regulatory framework for contactless technology in Nigeria, alongside key trends shaping its growth, drawing on regulatory developments across jurisdictions.

The Regulatory Architecture of Contactless in Nigeria

The regulation of contactless payments in Nigeria has evolved in phases. The Central Bank of Nigeria first laid the groundwork with the Framework for Quick Response (QR) Code Payments (2021) and later formalised the space through the Guidelines for Contactless Payments in Nigeria in June 2023 (the "Guidelines").

The Guidelines define contactless payments as "the consummation of financial transactions without physical contact between the payer and the acquiring devices." This definition is broad, covering everything from NFC-enabled cards and mobile wallets to wearables and QR code payments.

Key Stakeholders and Obligations

The Guidelines identify 11 participants in the contactless payment ecosystem:

Acquirers: These are CBN-licensed banks or financial institutions that enable merchants to accept contactless payments. They must ensure that their devices and applications are certified by the CBN and that linked accounts have valid Bank Verification Numbers (BVNs). In effect, they sit at the merchant-facing end of regulatory accountability.

Issuers: These are CBN-licensed institutions that provide customers with contactless instruments such as cards, wallets, or wearables. Importantly, Issuers must not activate contactless features on a customer's account without authorization. Users must have the option to opt in and opt out at any time.

Payment Schemes: Payment schemes provide a network that allows banks and merchants to "talk" to one another securely.

Card Schemes: They maintain interoperability, ensuring cards work across the various terminals across Nigeria.

Switching Companies: The real-time infrastructure layer. They facilitate the data "handshake" between issuer and acquirer that authorizes a tap in seconds.

Payment Terminal Service Providers (PTSPs): They are the technical custodians responsible for the physical life cycle of the payment hardware you see in stores. They are responsible for device integrity, software updates, and security patch management.

Payment Terminal Service Aggregators (PTSA): They act as a central "traffic controller" and quality gatekeeper for POS transactions.

Merchants: In the contactless ecosystem, Merchants are the supermarkets, cafes, fuel stations, and vendors where the "tap" actually happens. Merchants are to clearly display the contactless symbol and are obligated to confirm the transaction amount with the customer before the "tap" occurs.

Terminal Owners: Includes issuers, acquirers, merchants, or PTSPs. To prevent accidental taps or "electronic pickpocketing," contactless devices must be configured to function only within a 2cm range of the terminal. This will minimize the risk of "skimming" (where bad actors try to intercept data from a distance).

Customers: End-users must protect their devices and provide secondary authentication for transactions exceeding the prescribed limit.

Key Compliance Requirements

Transaction limits: Nigeria caps contactless payments at ₦15,000 per transaction and ₦50,000 per day. This is a noticeably more conservative stance than the US, where there is no federal cap and limits are largely determined by banks and card networks. In the UK, the Financial Conduct Authority has also shifted to a bank-determined model from March 2026, removing the previous £100 ceiling. In Nigeria, transactions above the thresholds are not declined but may require a second-level authentication (Two-factor Authentication/2FA), such as a PIN, biometric scan, or an OTP (One Time Password). It is a cautious design: convenience for small spends, controls for everything else.

Compliance Standards: Operators handling or storing customer data must meet strict global and local security benchmarks and maintain valid certifications at all times. At a minimum, systems should comply with:

Payment Application Data Security Standard (PA DSS)

Payment Card Industry PIN Entry Device (PCI PED)

Payment Card Industry Data Security Standard (PCI DSS)

Triple DES (with the triple DES algorithm being the minimum standard)

Advanced Encryption Standards (AES)

EMV (Europay, Mastercard, and Visa) global benchmark standards

ISO 27001 – Information Security Management System

ISO 14443 specifications for identification cards, contactless integrated circuit cards, and proximity

All required scheme certifications for contactless cards and terminals

Any other standards that may be issued by the CBN from time to time

Infrastructure and interoperability: Acquirers and issuers are required to remain neutral. All transaction-accepting devices deployed in Nigeria must be issuer- and brand-agnostic. Contactless-enabled terminals cannot be configured to promote or favour one card scheme over another.

Data localization: All domestic contactless payments must be routed through a Nigerian switch and not outside of Nigeria. This keeps local data within national borders and aligns with existing data localization requirements.

Accessibility requirements: To include persons with visual impairments and other disabilities, all contactless devices and instruments must display the contactless symbol, tactile graphics, and the words "contactless payments" in Braille.

Ongoing Reporting Requirements: All participants have mandatory periodic reporting requirements. In the case of fraud, breach, or a security incident, the CBN wants to know about it immediately.

Future-Proofing the Framework: What We Can Learn from Global Shifts

Nigeria's contactless framework is a strong foundation. However, foundations are not the same as scale. If adoption is the goal, the next phase must move from containment to calibration. The regulators could:

Make Limits Dynamic, Not Static: Fixed thresholds age quickly in an inflationary economy. The UK progressively raised its cap before ultimately removing it, with the Financial Conduct Authority shifting to a bank-led model. Nigeria does not need to replicate that approach wholesale, but a periodic review mechanism, tied to inflation or purchasing power, would keep limits commercially relevant.

Introduce Risk-Based Flexibility: As fraud detection systems improve, regulators can differentiate. Issuers and Acquirers with demonstrably strong fraud monitoring should be permitted higher thresholds. Regulation should reward risk maturity.

Let Consumers Set Their Comfort Zone: Not every customer has the same risk appetite. Allowing users to adjust their own contactless limits within regulated parameters could increase adoption while preserving control.

Align Supervision with Data Intelligence: Globally, regulators are leaning on real-time fraud analytics rather than rigid caps. As transaction monitoring improves, policy can gradually shift from prescriptive ceilings to surveillance-backed flexibility.

The Strategic Outlook

Nigeria is in a transitional phase. Terminals need upgrading. Merchants need education. Consumers need confidence. But the regulatory fundamentals are in place. The real lever now is adaptability.

Whether contactless becomes niche convenience or default retail infrastructure will depend on supervisory adaptability, infrastructure investment, and consumer education. Five years from now, cash may be the exception, transfers the baseline, and contactless the everyday standard. The regulatory posture today will determine the speed of that transition.

