There is a possible way for a general purpose NFC reader to read the full card number and expiry details when the device is in locked screen mode due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Google has calculated a high severity for this vulnerability.
From what I’ve seen here the vulnerability exposes card number and expiration details. I don’t know enough about NFC payment authorization to confidently confirm, but I’m not sure what other information would constitute an authorization
From @[email protected]: