Monzo Labs: Improved Card Security

Hi Everyone ,

On 14 September 2019 new regulation for authenticating payments, called Strong Customer Authentication (SCA), will be introduced in the UK as part of the second Payment Services Directive (PSD2).

SCA will play a key role in reducing the level of fraud across the UK by tightening the rules around authenticating our customers when making card payments that don’t need you to enter your PIN. While this new regulation won’t actually protect you from any new types of fraud you weren’t already covered for, it will save the industry as a whole millions of pounds a year!

We can authenticate you by verifying at least two of the following three factors:

1. Inherence - something you are, like a fingerprint
2. Knowledge - something you know, like your card’s PIN
3. Possession - something you have, like your phone

For card transactions that don’t need you to enter your PIN (such as contactless) the regulator has suggested two possible instances where you’d need to prove two of the above:

1. When you make 5 payments in a row without entering your PIN
2. When you spend £100 without entering your PIN

We want to implement this extra level of security while maintaining the same smooth payment experience you’re all used to, but we need your help testing it!

What exactly will change?

We want to minimise the number of times you need to re-authenticate yourself so we’ve decided to decline based on total spend rather than number of transactions.

That being said, if you think it would be better to re-authenticate based on the number of transactions you’ve made, please let us know why!

For the time being we have set the limit to only £30 to try and gather as much feedback as possible about the new flow. In practice, this means you can make any number of transactions, so long as they don’t sum up to more than £30.

Once you have spent more than £30 since your last authentication you will be required to go through the flow.

For the moment we are only applying the improved security to contactless payments but will soon expand the trial. In the future we’ll likely include other payment types that don’t require PIN verification such as chip and sign.

How would this work in practice?

If you reach your authentication limit and hence have a contactless transaction declined, you will see two feed items in the app.

One will be a regular decline item with information about the transaction and the fact it failed. The other feed item will prompt you to go through the authentication flow and ask you to enter your card PIN into the app. Once you’ve done this you’ll be free to use contactless again!

Alternatively, at any stage you can simply make a chip and PIN transaction and we’ll reset your counter.

Screenshots:

Notification.png1125×2436 459 KB

At this point the merchant should also request that you put your card into the terminal and use chip & PIN instead!

You will also get a feed item with the specifics of the transaction

If you tap on the notification you should then be promoted to either enter your PIN or identify the transaction as fraudulent

Enter your PIN : wasnt me.png1125×2436 149 KB

Once you have gone through the PIN entry flow your card will be good to go!

Good to go.png1125×2436 99 KB

Important things you need to know!

There are a few things that we thought especially important that you know before opting-in:

• TfL and other city transport systems aren’t included so you don’t need to worry about holding everyone up at the barriers!
• Unattended terminals such as those in a car park are also not included
• Apple and Google Pay transactions, also won’t count. If you do end up at a terminal without PIN entry capability, such as a vending machine, you should be able to pay using your phone’s virtual wallet
• If for whatever reason you are unable to authenticate yourself but still have access to your app you can turn the feature off whenever you want. This will return your card to normal behaviour, even if you’ve reached the new contactless limit
• You may find some merchants are confused by the contactless decline and try to suggest you use another card. Unfortunately we can’t educate everyone on this matter so you should be prepared for some odd reactions
• We will be posting updates here so please keep an eye out for future posts !

What kind of feedback are we after?

We are especially looking for feedback on the following things:

• Does the payment terminal do anything weird when your transaction declines? It should simply instruct you to enter your card and enter the PIN but we’d love to hear if you see anything drastically different to this!
• Are there any scenarios in which you are left unable to pay? We very much hope this will not be the case but it is possible and it’s important we find any instances where it can happen
• The flow design is far from finalised and will likely need some fine tuning before general release but it would still be amazing if you could let us know what you think. Does it explain why you are having to authenticate yourself and how you are supposed to do it?
• Would you prefer to have a limit based on the number of transactions you have made rather than the cumulative value of those transactions?

How do I get involved?

We would love it if you could opt-in to our new flow and give us as much feedback as you can muster!

Here are some instructions on how to test the new flow:

1. Tap on your profile photo on the Home tab.

2. Scroll down to the bottom of the page and you will see Monzo Labs.

3. Select Monzo Labs

4. Toggle Improved Card Security to on and you’re set!

5. Keep an eye out on this thread for any updates

Let us know what you think below!

I think the limit based on the total amount sounds great. Does the £30 limit reset every 24 hours?

An idea on improving the flow:

Not even sure if this is something Monzo has influence over, but for example in Poland when you process a transaction above their contactless limit you are asked to enter the pin in the terminal.

It would be awesome if you could authenticate by just being prompted to enter you pin in the terminal rather than having to put your card into the card machine first and then enter the pin or use the app for authentication.

From this, it’s a limit. So once you hit £30 since your last auth-via-PIN, you’ll need to enter your PIN again, then it’ll reset and count to £30 again. Unless you use / pay which isn’t part of SCA. Simple enough! I’ve enabled it to see how it affects me, although I use pay most of the time anyway.

Makes sense

We already support this! Unfortunately due to Mastercard rules we can’t do this in the UK

Its a continual limit - you need to re-enter your PIN every (for now) £30

We’d love to do that but UK terminals don’t support (and, indeed, for arcane reasons aren’t allowed to support) contactless and PIN.

Of course the easiest option is to use Google or Apple pay with biometric unlock for which you should never be asked to enter your PIN

/ pay are part of SCA! When you unlock your phone to pay, that counts as SCA, removing the need for PIN entry on the POS terminal.

Whilst this is good for fraud im hoping this isnt as big an ache as it sounds.

Saving grace is apple pay is excluded

Thanks for the clarification That’s how I interpreted it from the first post (device unlock is equivalent to PIN entry), but didn’t communicate it that well in my post

This sounds like a bit of a nuisance to be honest! I know hands are tied but I’d sooner not have to mess around and have stuff declined.

I’m confused now

I usually pay using Android pay but I don’t need to unlock my phone to do so. Does this mean I will still need to authenticate each time I spend over £30? or should I get into the habit of unlocking my phone?

Yeah I agree.

It’s going to be embarrassing in busy queues having your card decline. People always assume it’s through not having enough money.

Then I’m going to fumble around with my phone to find the reason and again to find my wallet which I never carry (because Android Pay) to get my card out and re-attempt.

Can’t blame Monzo though but jeezzz

I put this in the same category as Elf and Shaft you - just another regulation to mess the customer around.

You won’t see declines on the terminal. Android pay keeps track of the SCA limit locally (which will be the full limit the law allows, rather than the £30 limit we’re using for this test). So if you’re getting close, your phone will ask you to unlock using your PIN/Fingerprint on the phone itself.

Is this in reference to entering your PIN on the app, or at a terminal? For example, if I’m frequently using my app to authorize transfers will I ever experience the “declined contactless payment” scenario?

edit: ^^this is poorly worded haha. Does entering your pin in the app reset the £30 limit?

Ahh that sounds good!

Puts the concerns I had here to rest too (if I understand you correctly)

Assuming the limit was five transactions - if this was the case, could there not be a counter in the app that can be reset by loading the app/entering your PIN in the app, which would reset the counter? If people check their balance at least once a day, and do less than five contactless transactions per day, the counter would reset each day with zero declines at terminals?

PIN into a terminal. Limits are tracked per card, and the law requires that the authentication we do proves you still have the card. The goal is make sure that a stolen or lost card can’t be used for an unlimited number of payments.

Unfortunately the EBA (the organisation that responsible to providing guidance and enforcing Strong Customer Authentication) has made it clear we can’t do this.

Hope this is optional as I don’t want to go through the embarrassment of decline when using contactless and revert to pin number, if so I will just use Apple Pay

That is a shame, because it meets the criteria of something you are (touch/Face ID) and something you know (PIN). Assuming biometrics are turned on of course