Things that it seems others will be concerned about are Article 11(b):
Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates a contactless electronic payment transaction provided that the following conditions are met: the cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of strong customer authentication does not exceed EUR 150; or
I’m concerned with the bits that are widely open to interpretation as it gives a lot of leeway. e.g. Article 2(2):
typical of the payment service user
and
abnormal use of the access device or the software
Also in Article 18(2):
abnormal location of the payer;
high-risk location of the payee.
Many of the issues can be effectively overcome with an appropriate interpretation of Article 18(3):
the previous spending patterns of the individual payment service user
This section is also key to variable implementation:
Where, on the basis of the real-time transaction risk analysis, a payment cannot be qualified as posing a low level of risk, the payment service provider should revert to strong customer authentication. The maximum value of such risk-based exemption should be set in a manner ensuring a very low corresponding fraud rate, also by comparison to the fraud rates of all the payment transactions of the payment service provider, including those authenticated through strong customer authentication, within a certain period of time and on a rolling basis.
There can (and will) be a lot of variation in how these terms are used in practice (not equivalent of the exemption threshold value table in the annex).
This is specifically why I asked about prior examples of interpreting legislation and why it would be helpful to hear Monzo’s proposal in more detail regarding terms such as this in the instrument @Roxy
Only that you’ll have to enter your PIN when you add Monzo to a new device
Side note: it’s threads like this that actually make me want to stop using this forum. It’s a change in the law, Monzo has to abide by it and are doing so in the most minimalistic way they know how. Yet there’s people who still want to argue about it? Give me strength.
I mean you literally came onto the forum to say that, which is a bit amusing
Yeah, some responses here seemed a bit obtuse or deliberately awkward, but nuking the whole thing from orbit seems massive overkill
Maybe just mute this thread and move on?
phildawson
I for one am pleased they don’t rage quit like Starling, and can feel ok about making posts in their forum and their own customers disagreeing.
Although we represent a tiny ~1.5% of the millions, I wish they would listen more to forum users and respond more, even if it’s to say ‘nope, like it or lump it’.
I don’t think they have enough dedicated forum staff to cope now. Feels like @simonb with @Rika on technical Qs are doing everything a lot of the time.
Otherwise it’s like a dumping ground of angry customers with no solutions and a feeling of having no impact in shaping the product they love and use.
It’s worth Monzo adding more forum staff imo, and will help them spot issues that affect the non-forum customers. As a current example like the chat times where the first reply is quick in minutes and then days between following replies that Monzo still haven’t officially acknowledged is an issue, which isn’t going to be winning them any favours. It feels like they are being pressured into hitting certain response time stats by their team leaders, but then fuck the follow up replies because they aren’t reported or being targeted.
I use Google Pay all the time at supermarkets. On two occasions (out of hundreds) the self service machine has rejected Google Pay and asked for chip and pin instead.
In all honesty I thought the way I have Monzo app configured would be the default way everyone has it set. Why would you NOT enable the requirement to auth on every load for a banking app?
Pretty certain it will, aren’t the PIN authentication systems in the app set up to allow biometrics as an alternative? You can use Face ID wherever you’d normally need your PIN.
Pretty much the first thing I did after installing the Monzo app was enable fingerprint auth and require it every time I open the app. It really isn’t intrusive.
Hopefully I’ll never be asked to enter my PIN because that’s nowhere near as secure as my fingerprint.
I’m surprised so many people in this thread have the app set up to not require authentication. Sure, my phone is normally locked and needs authentication to unlock, but to add extra security for my banking app was a no-brainer. Perhaps I’d feel differently if I used a handset without fingerprint reader. Personally I err on the side of caution with banking anyway so I think the changes seem quite sensible.
My phone is always locked unless I’m using it, and it’s only out of my sight if it’s in my pocket or on the side in my room.
It also has a 25-character screen lock password (I use Face ID). No one is gaining access to my phone unless I want them to, so why add extra locks to the apps?