Monzo Labs: Improved Card Security

:cry:

@thomas Will an Apple Pay transaction reset the counter? If not, is this something within your power to implement or is it prohibited by the regulations? Thanks.

No - as has been stated, the physical card is an essential element of the counter reset. The point is to verify that you’re in possession of the card and you’re the authorised user. While an Apple Pay transaction does the latter, it doesn’t do the former.

If you only use Apple Pay, though, that won’t count towards the counter as I understand it.

1 Like

Curious how this will work in the US where it is not unusual for chip transactions to not require a PIN. I’m travelling at the moment and have enabled it.

As the transactions are outside of the EEA we don’t need to apply SCA to them. We’re currently refining our code to detect these transaction properly. Mastercard doesn’t make it super easy.

6 Likes

UK merchant’s terminals (and a few other countries - France, Ireland, Iceland come to mind)

It’s largely an accident of history. There are two ways a terminal can verify your PIN:

  • “Offline PIN verification”, where the card verifies the PIN. This is what UK cards prefer, and all non-obsolete UK terminals support. (This can be used for offline transactions)
  • “Online PIN verification”, where the issuer verifies the PIN. This is what many cards from other parts of Europe support, also what all ATMs use, and what needs to be used for contactless-and-PIN (as the card is no longer present when the PIN is entered and verified)

Which a region prefers tends to depend upon how the card networks evolved in that country:

  • Regions where magstripe & sign used to be common often adopted offline PIN; this was an easier migration as the issuer doesn’t need to start storing card PINs (Interesting note: with some magstripe only cards the PIN is stored encrypted on the magstripe and verified by the network)
  • Regions where magstripe & PIN used to be common often adopted online PIN (because they were already using online PIN). Lots of cards from these regions don’t support offline PIN at all.

Terminals from the offline PIN regions aren’t required to support online PIN, and aren’t permitted to support it on the contactless interface; probably this was partially because of an industry decision to encourage mobile wallet payments.

10 Likes
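The counter and PIN rules described across the replies above (contactless spend accumulates until chip & PIN resets it, a mobile wallet neither counts nor resets because it does not prove possession of the card, non-EEA transactions are outside SCA, and contactless & PIN only exists where the terminal supports online PIN on the contactless interface), modelled as an added toy example. This is not Monzo’s code; the `Terminal` and `IssuerState` names, the EEA country subset and the treatment of contactless & online PIN as a reset are assumptions made for illustration.

```python
"""Toy issuer-side model of the contactless SCA counter discussed in the thread."""
from dataclasses import dataclass

# Constructed subset of EEA countries, enough for the examples below.
EEA = {"GB", "IE", "FR", "DE", "SE"}


@dataclass
class Terminal:
    country: str
    offline_pin: bool              # card verifies the PIN (UK-style terminals)
    online_pin_contactless: bool   # issuer verifies PIN on the contactless interface


@dataclass
class IssuerState:
    limit_gbp: float = 100.0       # £30 in the Labs trial, £100 at rollout
    spent_since_pin: float = 0.0   # contactless spend since the last card-present PIN

    def authorise(self, amount, interface, terminal, card_online_pin=True):
        """Return (approved, reason). interface is 'contactless', 'chip_pin' or 'wallet'."""
        # Outside the EEA no SCA is required, so the counter is left untouched.
        if terminal.country not in EEA:
            return True, "non-EEA: SCA not applied"
        if interface == "wallet":
            # Apple/Google Pay verifies the user but not possession of the physical
            # card, so it neither counts toward the counter nor resets it.
            return True, "wallet: not counted"
        if interface == "chip_pin":
            # Card present and PIN verified (offline or online): counter resets.
            self.spent_since_pin = 0.0
            return True, "chip & PIN: counter reset"
        # Plain contactless tap.
        if self.spent_since_pin + amount > self.limit_gbp:
            # Assumption: contactless & online PIN counts as a card-present PIN reset,
            # but only where the terminal and card both support it.
            if terminal.online_pin_contactless and card_online_pin:
                self.spent_since_pin = 0.0
                return True, "contactless & online PIN: counter reset"
            return False, "limit reached: insert card for PIN"
        self.spent_since_pin += amount
        return True, "contactless: counted"
```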

Sorry to be blunt, but this sounds completely awful - a real affront to usability, and a huge step backwards. I don’t want to have transactions frequently fail when paying with contactless, and to have to keep a running total in my head so I’m semi-prepared every time it fails. I know that this is in Labs only at the moment, but it smells very much like it’s going to end up in the main app in a mandatory fashion.

The original post pitches this as somehow beneficial for the users, but it’s not; it sucks for users. It’s only beneficial for Monzo.

That is because it is the law. It is not Monzo deliberately making things awkward.

8 Likes

Yes, but there are, as stated, some sub options, and perhaps there are others not stated. Additionally, the tone of “this is great for you guys!” is pretty patronising, given that it’s nothing of the sort.

1 Like

It’s £30 for the trial which you don’t have to take part in. £100 will be the ‘limit’ when it rolls out to everyone.

3 Likes

That makes some sense. I used to live in Sweden, and they had online PIN verification at point of sale for years before EMV chips came along. On the other hand, terminals in Germany also support contactless & PIN, and Germany barely had card payments historically, never mind online POS PIN verification - so that one feels kinda stranger.

A couple of clarifying questions:

Surely they were already storing card PINs for ATM PIN verification? Do you mean that they didn’t need to start doing online verification at point of sale?

But regardless of whether they support it, such cards, when used in a market like the UK, will not get a contactless & PIN experience, since the terminals here don’t support it, correct?

Conversely, UK issuers can presumably support contactless & PIN in ‘supporting markets’ should they wish to, and, indeed, Monzo already does this if I understood a previous answer correctly? Or is this not really a specific configuration on the issuer side - if the terminal supports contactless & PIN, and the card supports online PIN verification, contactless & PIN will work?

1 Like

I have turned this on and am happy to test.
Most UK banks already do this, and the big difference is Monzo are telling us the limits/trigger to insert card for PIN.

The terminal normally beeps twice instead of once so you know
A - it’s not read your card properly
B - you need to put card in for PIN.

In most cases the limit is high so customers do not get affected, as after a few small transactions you do a big one (over £30) using PIN - the card counter resets and the customer is none the wiser…

Great. Anything to reduce the amount of verification would be fantastic.

They sure seem to. It’s happened to me once or twice when abroad recently in the EU.

1 Like

Ok, I want to block offline PIN transactions!!! And require online PIN verification everywhere.

I thought the 14th September deadline had been extended by 18 months as per:

For the UK at least…

The extension is for e-commerce transactions only.

7 Likes

This is one thing that’s pained me from the start with Monzo and other ‘new’ banks. Contactless and card transactions take longer to authorise than what I was/am used to. With my HSBC card it’s literally instant for the majority of reasonably priced transactions without an authorisation wait.

Apple/Google Pay has the authorisation delay regardless of card because they’re forced online too.

Super noticeable on old terminals which seem to dial to authorise.

It’s a choice we made to enable real-time notifications, otherwise we only get informed of the transaction a few days later.

We think the extra control and security customers get from notifications is worth the trade-off of slightly slower contactless transactions.

30 Likes

Ugh… this is such a PITA even with a £100 limit. It just reminds me of a solution to help legacy banks which don’t have things like real-time notifications to alert you to unauthorised purchases.
I know you guys don’t have a choice, but the thought of having to use a PIN every £100 is a proper pain as we regularly use contactless just under the £30 limit.

2 Likes