So yeah - don’t worry, from that date onwards everyone must be on 3DSv2.
We are ready now, just waiting for everyone to catch-up.

I guarantee you not everyone will be ready by then though.

Amazon for e.g. still don’t seem to do it at all!

This is always true with any change, hopefully this time it will be considered a final date and not pushed again.

If anything, with people shopping online more than ever, this change can’t come soon enough!

Well done to you and the team at Monzo on getting the process fully compliant and prepared for Monzo customers though.

Looks like Amazon do have the infrastructure for this as they have a help article for it maybe it just hasn’t been pushed to all users.

https://www.amazon.co.uk/gp/help/customer/display.html?nodeId=GVVYMGYFHWPU7MFD

One thing I did notice is that when I pay using my credit card, without fail I’ll get a loading screen with a spinning circle on it. It completes the order after a few seconds, but I don’t have this when I use my monzo card

Maybe they’re doing a gradual release to find/fix problems. Perhaps whether a transaction goes through method A or B is based on if some digit of the catd number is above a threshold value.

You say that, but I have a meeting with Amazon’s Head of UK Payments next week, as they are interested on testing 3DSv2 and SCA rules with us.

They have already been testing with other issuers.

Also, I predict Amazon will not be happy with the SCA changes. Say goodbye to “one-click buy”

Yeah it’s a pain but I can see why it’s there

Amex let you add websites to a whitelist which is pretty nice

Will one-click buy still be possible if it is either the low-value reputable retailer exemption or added to a whitelist?

I personally would like everyone to adopt the Amex whitelist approach too.

Yeah, there are a few tricks we can apply, which we will definitely explore in the future.

With 3DSv1 we do this. If you shop at a site, we won’t challenge you on that site again (apart from a few exceptions/rules).

Unfortunately we are not allowed to do it with 3DSv2 for SCA purposes. I’m not sure how Amex does it right now and we’ll have to revisit the regulations to see if we could do something like that again

From my perspective as a user with Amex, it appears to work on a kind of pre-authorisation system.

Once you have shopped at a retailer once, you will see it as an option to add to your Express List. I don’t know how it works from a legal perspective, but if you do this your purchases are never checked through the Amex Safekey flow again - it seems they are automatically approved. I suppose this is on the basis that you have made prior approval for any and all transactions at the retailer, so you accept the risk of authorisation?

I am not sure how it affects liability shift rules or what exactly would happen with Amex if you later, coincidentally, suffered an incidence of fraud at the retailer on the Express List. I expect the onus would be on Amex as having approved the transaction and so a chargeback might not be possible, and you as a customer may even have to end up paying as you have, in a sense, accepted the risk?

I expect Amex would be generous about this, though, if it clearly wasn’t you.

A concern if the meeting is next week to talk about testing when the implementation deadline is the end of the month!

I think @arthur-ceccotti said September 2021.

Easily confused, with the pandemic ongoing, who knows what year it is any more?!

I used to work on the payment system at Amex, btw.

So, Amex is SUPER relaxed with its risk/fraud rules. What do I mean? They will go around approving transactions like there is no tomorrow and skipping authentication when possible.

Why?

• Because it’s a credit card - which means higher interchange fees (specially in the US), which means more revenue from transactions. So they have the motivation to push forward as many transactions as possible.
• A lot of the Amex demographics are quite wealthy and not necessarily patient having to go through additional steps to make payments. When payments are of high value, Amex doesn’t want to miss that chance

In terms of fraud liability, if Amex doesn’t challenge the customer, it takes all the liability. That means if someone steals your Amex card and buys a helicopter without being challenged, it’s all paid by Amex. I suppose they have gathered the liability payouts is smaller than interchange fees from challenging too often

That game doesn’t play with the same demographics we have.

As a UK debit card, interchange fees aren’t amazing (and in fact are capped in the EU).

Our risk appetite is smaller (ie, we don’t have the capital to go payout helicopters because we didn’t challenge a customer), unlike Amex who has been profitable for decades.

So, I have a card with each top UK fintech and an Amex. I’ve used them mostly to figure out the challenge thresholds and risk appetites from each bank.

Ie. I made a transaction at each of them, with always increased amounts to see when they eventually challenge me. It’s a fun exercise of reverse-engineering their fraud rules

So how many helicopters do you have, now?

Looks at myself at not even 20.

I love the looks when I pull it out and I get asked how I got it on my average income at my age.

Built my credit score, they are a lot less picky than they used to be. (I actually told them slightly less than my income is)
I’m not the typical amex customer and yes sometimes it may just be like, I’ll use another card then and amex have the funds to foot the bill if anything goes wrong.

Let me ask my manager if I can expense that. “I promise it’s for work”

Funny story, I tried to convince my manager to let me expense a trip to visit one of our team-mates who lives in Spain.

No luck

Whitelisting is something permitted by MasterCard and PSD2/SCA, though purely up to the issuer to manage how they see fit. It would be good to see this exposed perhaps as an interface in the app if implemented.

MasterCard state:

Q: I regularly shop at a specific retailer - will I have to verify my identity and payment every single time in the future?
A: It is up to the Issuer bank to decide whether to take advantage of the exemptions that PSD2 allows, e.g. offering Cardholders to build a ‘whitelist’ of trusted retailers where you do not always have to authenticate yourself. They might also decide to add individual rules around what retailers or products and services qualify for a ‘whitelist’ or if only payments below a certain threshold do not require additional authentication at whitelisted retailers.