I just did my first contactless nfc payment with a MasterCard. It worked very well and was quite delightful - definitely want to be doing more of these in future. I think people will come to expect this kind of no-friction payment experience and Bitcoin will need to match it, so here are some notes on what's involved.
There are two aspects that can be implemented independently of each other:
1) The physical/NFC layer.
2) The risk analysis layer.
A contactless payment needs two things to work: one is a VERY fast, low latency communication between payment device (phone in our case) and terminal. I couldn't find actual latency specs yet but it felt like using an Oyster card, which aims for <400msec.
The other is that obviously the payment device has to decide to sign the transaction without any user interaction, i.e. the payment is at low risk of being unintentional. If you nail this it can be used for one-click web payments too.
Andreas already did some work on embedding full blown payment requests into an NFC tag, but I think we need to switch this to being a packet based protocol (via ISO-DEP), otherwise you can't submit the Payment/tx messages back via NFC as well. This isn't a very complicated task and would make a fun project for a newbie who has Android and knows some Java. The resulting ISO-DEP protocol can be turned into a BIP without too much trouble.
The risk analysis is the more complicated part. The real value Visa/MasterCard provide with NFC payments is not so much the tech (the clever part is the batteryless nature of the cards rather than the crypto/comms), but the fact that merchants are all verified and can be fined or evicted if they abuse the system and try to steal money. Bitcoin doesn't have anything like that.
I think we have a few options to make it safe:
1) Require some very lightweight user confirmation, like pressing the power button to reach the lock screen and only allowing small payments. The combination of physical proximity and pressing the power button is probably good enough for now to avoid problems. Someone should try it out and see how it feels.
2) Have some kind of semi-centralised merchant verification/approval programs, like what the card networks do. The easiest way to start would be to piggyback on the work BitPay/Coinbase do and just auto-sign if payment amount is <X mBTC and the payment is via one of these processors. But this is hardly in the spirit of Bitcoin and is generally unsatisfying.
3) Have some kind of decentralised reputation network. I spent some time thinking about this, but it rapidly became very complicated and feels like an entirely separate project that should stand alone from Bitcoin itself. Perhaps rather than try to make a global system, social data could be exchanged (using some fancy privacy preserving protocols?) so if your friends have decided to trust seller X, your phone automatically trusts them too.
4) Have the touch trigger a delayed payment and the phone tries to attract attention to itself so the user can cancel. This way if someone tries to swipe money out of your pocket by getting up close on a subway or something, you have a chance to cancel. But it's quite hard for a small device to reliably attract attention quickly and it opens up the merchant to fraud where the user pays, leaves and then cancels the payment. Especially it'd be useless for things like mass transit. So I think such a system would have to be opt-in by the seller.
5) A combination of all the above.
To get the very fast light feel the actual contact period has to be quite short, so I bet we'd need to optimise the bootup process of the Android wallet app. Right now it does slow things like deserialising giant protocol buffers and is just generally not optimised for startup time. Loading the wallet, reading the payment request over NFC, checking the cert signatures, making the trust decision, calculating a transaction, signing it, sending it back to the recipient all in under 400 msec would be a tough (but fun) programming challenge. Some of the steps can be parallelised and modern phones are mostly multicore.