A concern if the meeting is next week to talk about testing when the implementation deadline is the end of the month!
Easily confused, with the pandemic ongoing, who knows what year it is any more?!
1 Like
I used to work on the payment system at Amex, btw. 
So, Amex is SUPER relaxed with its risk/fraud rules. What do I mean? They will go around approving transactions like there is no tomorrow and skipping authentication when possible.
Why?
- Because itâs a credit card - which means higher interchange fees (specially in the US), which means more revenue from transactions. So they have the motivation to push forward as many transactions as possible.
- A lot of the Amex demographics are quite wealthy and not necessarily patient having to go through additional steps to make payments. When payments are of high value, Amex doesnât want to miss that chance
In terms of fraud liability, if Amex doesnât challenge the customer, it takes all the liability. That means if someone steals your Amex card and buys a helicopter without being challenged, itâs all paid by Amex. I suppose they have gathered the liability payouts is smaller than interchange fees from challenging too often
8 Likes
That game doesnât play with the same demographics we have.
As a UK debit card, interchange fees arenât amazing (and in fact are capped in the EU).
Our risk appetite is smaller (ie, we donât have the capital to go payout helicopters because we didnât challenge a customer), unlike Amex who has been profitable for decades.
8 Likes
So, I have a card with each top UK fintech and an Amex. Iâve used them mostly to figure out the challenge thresholds and risk appetites from each bank.
Ie. I made a transaction at each of them, with always increased amounts to see when they eventually challenge me. Itâs a fun exercise of reverse-engineering their fraud rules
9 Likes
So how many helicopters do you have, now?
9 Likes
Looks at myself at not even 20.
I love the looks when I pull it out and I get asked how I got it on my average income at my age.
Built my credit score, they are a lot less picky than they used to be. (I actually told them slightly less than my income is)
Iâm not the typical amex customer and yes sometimes it may just be like, Iâll use another card then and amex have the funds to foot the bill if anything goes wrong.
1 Like
Let me ask my manager if I can expense that. âI promise itâs for workâ
Funny story, I tried to convince my manager to let me expense a trip to visit one of our team-mates who lives in Spain.
No luck 
7 Likes
Whitelisting is something permitted by MasterCard and PSD2/SCA, though purely up to the issuer to manage how they see fit. It would be good to see this exposed perhaps as an interface in the app if implemented.
MasterCard state:
Q: I regularly shop at a specific retailer - will I have to verify my identity and payment every single time in the future?
A: It is up to the Issuer bank to decide whether to take advantage of the exemptions that PSD2 allows, e.g. offering Cardholders to build a âwhitelistâ of trusted retailers where you do not always have to authenticate yourself. They might also decide to add individual rules around what retailers or products and services qualify for a âwhitelistâ or if only payments below a certain threshold do not require additional authentication at whitelisted retailers.
2 Likes
Yeah, the EBA has that opinion. Itâs an exemption called Trusted beneficiaries and recurring transactions
From what I can remember here, the customer has to explicitly whitelist the merchant - like the Amex model, but not our existing âautomatic whitelistâ
4 Likes
Yes, of course. VISA have a scheme it seems where they will let the customer select the option to whitelist and pass this on to the issuer when making the first payment. Iâd imagine MasterCard will have (or has) something similar.
Personally, I donât mind the 3DS prompt when implemented well and wouldnât likely whitelist anyone as I personally feel it undermines the security somewhat. But each to their own.
2 Likes
The Amex method is also quite good as the fact you have to make a purchase once before whitelisting helps ensure you arenât whitelisting the wrong merchant by accident - and the interface makes it simple, as all you have to do is click on the retailer you want whitelisted and itâs done.
I imagine something similar could work very elegantly in the Monzo app.
I also have to agree that I donât find 3DS a burden myself, but I do think that some implementations have been poor in the past and led to confusion (especially amongst the less technologically literate who might just think the transaction isnât working).
On balance, though, I think itâs better to always have 3DS as simply using the CVC (or even not bothering with that like Amazon) is so horrendously insecure! The âproblemâ, in my view, has been poor implementations rather than the concept of 3DS itself being a problem.
1 Like
Thatâs actually a requirement, so good to know theyâre compliant. 
3DS isnât the end of the world when implemented well. Perhaps itâs just me, but I want to know when a merchant is making a charge and clicking to approve on a notification isnât overly burdensome.
Oh I didnât know that!
Agree with you 100% on making it more difficult, not easier, for people to make charges on my account too. I can see some people struggling with this if traditional high-street names donât improve their processes though. Hopefully, the SCA changes will force their hand to move to a better implementation.
1 Like
As someone who has dealt with a lot of European legislation in my time (and it might just be a matter of semantics) it worries me slightly when you refer to a Regulation as somebodyâs opinion.
I also trust you did not rely on the EBA document when coding your system as it included the draft text
of the legislation not the version which made it onto the statute books.
I havenât compared the two fully but they are subtly different.
2 Likes
Perhaps itâs breaking the law in âvery specific and limited wayâ?
Maybe international law will mean nothing by the end of the year and Monzo are ahead of the curve (or theyâve implemented the law as is). Who knows? 
In reality we end up reading a lot more Mastercard manuals than EBA regulations. They translate these into more technical terms regarding the data we send and receive.
So our team doesnât have to get dirty with the raw legislation, unless there are inconsistencies
7 Likes
Makes sense as I think the EBA would have trouble if either of Mastercard or Visa wrote manuals that werenât compliant!
Itâs reasonable to assume that Mastercard will have âdone their homeworkâ already and made sure they are giving correct advice which brings everybody into full compliance.
2 Likes
From a corporate perspective, implementing whatever MasterCard says and then blaming them seems a reasonable strategy.
1 Like