Hi everyone,
On 14 September 2019 new regulation for authenticating payments, called Strong Customer Authentication (SCA), will be introduced in the UK as part of the second Payment Services Directive (PSD2).
SCA will play a key role in reducing the level of fraud across the UK by tightening the rules around authenticating our customers when making card payments that don’t need you to enter your PIN. While this new regulation won’t actually protect you from any new types of fraud you weren’t already covered for, it will save the industry as a whole millions of pounds a year!
We can authenticate you by verifying at least two of the following three factors:
- Inherence - something you are, like a fingerprint
- Knowledge - something you know, like your card’s PIN
- Possession - something you have, like your phone
For card transactions that don’t need you to enter your PIN (such as contactless) the regulator has suggested two possible instances where you’d need to prove two of the above:
- When you make 5 payments in a row without entering your PIN
- When you spend £100 without entering your PIN
We want to implement this extra level of security while maintaining the same smooth payment experience you’re all used to, but we need your help testing it!
What exactly will change?
We want to minimise the number of times you need to re-authenticate yourself so we’ve decided to decline based on total spend rather than number of transactions.
That being said, if you think it would be better to re-authenticate based on the number of transactions you’ve made, please let us know why!
For the time being we have set the limit to only £30 to try and gather as much feedback as possible about the new flow. In practice, this means you can make any number of transactions, so long as they don’t sum up to more than £30.
Once you have spent more than £30 since your last authentication you will be required to go through the flow.
For the moment we are only applying the improved security to contactless payments but will soon expand the trial. In the future we’ll likely include other payment types that don’t require PIN verification such as chip and sign.
How would this work in practice?
If you reach your authentication limit and hence have a contactless transaction declined, you will see two feed items in the app.
One will be a regular decline item with information about the transaction and the fact it failed. The other feed item will prompt you to go through the authentication flow and ask you to enter your card PIN into the app. Once you’ve done this you’ll be free to use contactless again!
Alternatively, at any stage you can simply make a chip and PIN transaction and we’ll reset your counter.
At this point the merchant should also request that you put your card into the terminal and use chip & PIN instead!
You will also get a feed item with the specifics of the transaction.
If you tap on the notification you should then be prompted to either enter your PIN or identify the transaction as fraudulent.
Once you have gone through the PIN entry flow your card will be good to go!
Important things you need to know!
There are a few things that we thought especially important that you know before opting-in:
- TfL and other city transport systems aren’t included so you don’t need to worry about holding everyone up at the barriers!
- Unattended terminals such as those in a car park are also not included
- Apple and Google Pay transactions also won’t count. If you do end up at a terminal without PIN entry capability, such as a vending machine, you should be able to pay using your phone’s virtual wallet
- If for whatever reason you are unable to authenticate yourself but still have access to your app you can turn the feature off whenever you want. This will return your card to normal behaviour, even if you’ve reached the new contactless limit
- You may find some merchants are confused by the contactless decline and try to suggest you use another card. Unfortunately we can’t educate everyone on this matter so you should be prepared for some odd reactions
- We will be posting updates here so please keep an eye out for future posts!
What kind of feedback are we after?
We are especially looking for feedback on the following things:
- Does the payment terminal do anything weird when your transaction declines? It should simply instruct you to enter your card and enter the PIN but we’d love to hear if you see anything drastically different to this!
- Are there any scenarios in which you are left unable to pay? We very much hope this will not be the case but it is possible and it’s important we find any instances where it can happen
- The flow design is far from finalised and will likely need some fine tuning before general release but it would still be amazing if you could let us know what you think. Does it explain why you are having to authenticate yourself and how you are supposed to do it?
- Would you prefer to have a limit based on the number of transactions you have made rather than the cumulative value of those transactions?
How do I get involved?
We would love it if you could opt-in to our new flow and give us as much feedback as you can muster!
Here are some instructions on how to test the new flow:
Tap on your profile photo on the Home tab.
Scroll down to the bottom of the page and you will see Monzo Labs.
Select Monzo Labs.
Toggle Improved Card Security to on and you’re set!
Keep an eye out on this thread for any updates.
Let us know what you think below!
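The counter rules described in the post (cumulative £30 trial limit, reset on PIN entry or chip and PIN, exempt payment types, opt-out), modelled as an added example that is not Monzo's code. The class, method and channel names are hypothetical, the sample events are constructed, and it assumes that the payment which would take the total over the limit is the one declined; the optional count limit models the transaction-count alternative.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Channel labels are assumptions; the post names only the exempt categories
# (city transport, unattended terminals, Apple/Google Pay).
EXEMPT_CHANNELS = {"transit", "unattended_terminal", "mobile_wallet"}

@dataclass
class ScaCounter:
    value_limit: Decimal = Decimal("30")   # trial limit stated in the post
    count_limit: Optional[int] = None      # set to use the count-based option
    opted_in: bool = True                  # the Monzo Labs toggle
    spent: Decimal = Decimal("0")          # contactless spend since last auth
    count: int = 0                         # contactless payments since last auth

    def reset(self):
        """Called after in-app PIN entry or a chip and PIN payment."""
        self.spent, self.count = Decimal("0"), 0

    def authorise(self, amount, method="contactless", channel="retail"):
        amount = Decimal(str(amount))
        if method == "chip_and_pin":
            self.reset()                   # PIN verified at the terminal
            return "approve"
        if not self.opted_in or channel in EXEMPT_CHANNELS:
            return "approve"               # not counted, never declined for SCA
        over_value = self.spent + amount > self.value_limit
        over_count = (self.count_limit is not None
                      and self.count + 1 > self.count_limit)
        if over_value or over_count:
            # Assumption: the payment that would cross the limit is declined
            # and is not added to the running totals.
            return "decline_sca"
        self.spent += amount
        self.count += 1
        return "approve"

def replay(counter, events):
    """Run a list of (amount[, method[, channel]]) tuples through a counter."""
    return [counter.authorise(*e) for e in events]

# Constructed sample: three retail taps, a transit tap, then two more taps.
SAMPLE = [(10,), (15,), (10,), (3, "contactless", "transit"), (5,), (10,)]

if __name__ == "__main__":
    print(replay(ScaCounter(), SAMPLE))
```

Replaying the same events with `count_limit` set shows how a count-based limit would decline many small payments that the cumulative limit lets through.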