I got it from the article below - not sure anybody is going to admit to any of the security measures though otherwise they wouldn’t be security measures
Im sure ( am I ??? ) patterns would also come in to play where the legitimate user would normally on average make 2 or 3 contactless transactions in a day , to then present 10 or 15 would hopefully draw attention to unusual activity - need to ask for PIN to confirm legitimate usage ???
from the linked article -
“As a security measure, contactless cards demand that a user keys in his or her pin number after a certain number of payments or when a certain financial threshold is met. This is set by the card provider and varies from bank to bank. There is no time limit on the payments, so until it is reached the card can continue to be used.”