This is complicated, and depends on the network, country and individual merchants. In order to promote contactless, the networks have, in many countries, granted specific contactless lost/stolen liability shift waiver amounts at or below which a merchant may use no CVM to process a transaction without being liable if a card was lost/stolen. In the UK that’s £30.
Above £30 for contactless, there is a requirement for cardholder verification to be performed. For contact, there is no waiver amount for PIN in the UK (though there is on signature for a chip and signature for at least some networks, but I’m not sure the amounts. I do know starting next year, it will be a global infinite limit for American Express - merchants will never be required to collect signature for chip and signature American Express cards starting next year).
In the US, Visa has a waiver for contact PIN (through VEPS) but Mastercard doesn’t (though they do have a signature waiver). Many shops in the US still don’t ask for PIN though, even on Mastercard, and sometimes (especially for restaurants) even above the Visa waiver level. They do this by modifying the EMV kernel (dynamically in the case of a PIN waiver amount) to remove PIN support so the card has to proceed down the CVM list. If no cardholder verification waiver applies to the transaction, the merchant takes on the risk of doing this in the name of convenience or of protecting their business model (e.g. restaurants that take cards away in the US).
The actual risk for a contactless and a contact transaction are the same as there’s no difference, both are EMV transactions and all the same modes - e.g. online vs offline authorisation, etc can apply to either entry method. The only differences are supported CVMs, and even then only slightly:
- Contactless does not support offline PIN (PIN verified by card, like we use in the UK, instead of by the issuer - this has no relation to offline vs online transaction authorisation).
- Contact does not support CDCVM (consumer device cardholder verification method).
Additionally, for the same reason offline PIN can’t be supported, contactless also can’t support issuer script processing. Issuer script processing is also not possible on contact if the merchant has implemented various ‘quick chip’ solutions, such as Mastercard M/Chip Fast. So far, these are only allowed in the US market, and they serve little point since contactless covers the same need.
Otherwise, all the same basic feature set and security of EMV is identical.
That check was only relevant for offline risk. Online fraud is caught by having you call the issuer and telling them to block the card.