Monzo Labs: Improved Card Security

Yeah >£30 on my phone usually requires my swipe code or fingerprint but then it goes through fine. Hope they don’t start doing that for <£30 too as cashiers always think it’s me doing something wrong when it doesn’t work the first time! :joy:

We technically have a £130 limit. But this is made up of two parts, a £100 online limit plus a £30 offline limit.

Our cards have the ability to authorise up to £30 of offline payments via contactless before forcing you to do a Chip & PIN transaction. This gets used in places with no internet connection such as planes or even some buses.

Because they’re offline the card has no way of knowing what your online usage is, and equally the Monzo servers have no way of knowing your offline usage.

To solve this, and to ensure we always do SCA before you hit the limit written in law, we split the limit in law (~£130) into two chunks. The £100 online and £30 offline.

Here we only talk about the £100 online limit because that’s the one that really counts. Almost all Monzo contactless payments are online (because our cards always ask to do online payments so we can do real-time notifications). So you’re basically guaranteed to hit that limit first; you would have to put quite a bit of effort into using the entire £130 limit.

This is an initiative from the EU to reduce the rates of fraud across the entire payments industry, no bank or merchant would choose to do this.

Ultimately customers end up paying for all the fraud losses in the industry via higher fees etc. So yes, to start with this will primarily reduce a bank’s fraud losses, but in the longer run it will reduce the cost of banking for all.

For Monzo other aspects of SCA are just levelling the playing field, we already did the things SCA requires, now our competitors will have to do the same. This gives us a moment to shine by showing that security doesn’t need to be onerous.

19 Likes

Top explanation

Thank you very much

2 Likes

Would you anticipate this “£100” limit potentially changing from time to time to ensure that the fixed £30 plus the other value stays under €150?

Was £130/£135 itself fixed in UK law, or is €150 at current £?

Thanks again

It’s €150. UK banks agreed a reasonable exchange rate and are all using give or take the same number to avoid too much customer confusion. It will be adjusted if there is a significant change in the value of the pound.

6 Likes

Thanks a third time!

Loving the information

1 Like

So if someone only used their Monzo account for offline payments they’d need to find somewhere to do a chip and pin payment after they’d used £30? Would they get a warning in app before that?

I know this is very much an edge case scenario :grin:

Yes. But you would struggle to do this in the real world. As a general rule most terminals are not allowed to be offline, unless there is a good reason (such as being on a plane or train).

And no you wouldn’t get a warning in the app. It’s an offline payment, which means Monzo only gets told about it a few days later.

3 Likes

Yes. I know. I never suggested it was the bank’s initiative. Fraud within the sector is a big problem.

What if you tried to buy >£30 worth of stuff on a plane? Would it just decline?

1 Like

You can’t spend more than £30 using card contactless anyway. You’d be asked to use Chip and Pin (I presume)

4 Likes

I suspect offline payments ‘bypass’ the enforced contactless tap & contactless spend limits and work as normal. By the time the offline payment is processed, it’s too late to enforce anything. You’ve already left the airport with your 400 B&H :smoking: and 2 bottles of Glenmorangie :tumbler_glass:

PS> I don’t smoke and rarely drink Whiskey

PPS> On a recent :flight_departure: RyanAir flight :flight_arrival: , I bought wine on board and paid contactless. This appeared in the Monzo account about an hour after we’d landed. The wine was shocking.

This is already (and has always been) the case!

We’ve seen the odd user tripped up by it; we’ll be looking into better alerting you when your offline limit is depleted (we can see what it’s at whenever a transaction authorises online, but can only reset it when you do chip+pin because only then are we able to communicate back to the card).

If you go above the £30 offline contactless cumulative limit, the card already declines in a way which asks the terminal to request you insert your card. The cards have a separate offline limit for contact payments.

(Terminals are used to this and the behaviour is pretty good there. It’s the new process where our processor asks to step up to PIN which we’re seeing problems with. Specifically, terminals aren’t supposed to interpret this as a decline but are supposed to ask you to insert and retry - similar to if you got your PIN wrong)

When legislation like this gets transposed into UK law, a fixed exchange rate is picked - the rate is around £135 right now, so that’s what was chosen.

If the GBP:EUR exchange rate changes substantially while we remain an EU member state, the limit may need adjusting. This happened in late 2016 for the FSCS limit - that’s specified as €100k in EU law, which was transposed as £75k originally. The value of the pound relative to the euro declined, so it got bumped up to £85k.

Google Pay has always worked like this - if your phone is locked, it behaves like a normal contactless card, so the terminal will ask you to unlock if your payment is over £30 or if you’ve done too many contactless transactions without unlocking.

9 Likes

Thanks. I’m new to Google Pay, so still getting to grips with it. My phone was unlocked and it still asked me to authenticate, so I guess I had done too many transactions without unlocking!

Your phone also needs to have been unlocked recently; so e.g. if you’ve had your phone open for 10 minutes and go to tap it, you might be asked for your fingerprint again.

2 Likes

I’ve still never seen google pay work through a locked phone. Not a problem… I naturally tap my finger on the back to unlock when pulling the phone out anyway. Not sure I’d want it to work to be honest.

1 Like

Me neither - security all the way preferred :lock:

I never unlock my phone, or previous phones I’ve had, for Google Pay unless over the £30 limit. For under the limit just turning on the screen is sufficient.

1 Like

Hey everyone.

Thanks so much for helping us test this - it’s really helped us smooth out some issues, and build confidence to roll out further.

We’re now rolling this out gradually to all users, in order to meet the SCA regulation. As a result, we’ve removed the toggle from Monzo Labs - and it is no longer possible to opt-out.

Some changes we’ve made since putting this in Labs:

  • We’ve updated the contactless limit from the initial £30 that helped us test quickly, to £100
  • We’ve also updated the introduction message we send people to explain that Apple Pay and Google Pay aren’t affected.

We’re also working on a clearer and more integrated fallback flow for cases where you can’t retry with Chip & PIN, and are exploring ways to suggest people use Chip & PIN before they reach their limit, to avoid contactless declines.

11 Likes

and are exploring ways to suggest people use Chip & PIN before they reach their limit, to avoid contactless declines.

Would it be worth starting to warn via a notification or feed item when the user gets to >£70, i.e. £100 - £30 (max contactless)?

1 Like
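A small model of the split limit this thread describes (an online counter at the issuer, an offline counter on the card, both reset by Chip & PIN, and the £70 warning threshold suggested in the last post), added here as an illustration and not Monzo’s or a card scheme’s own code. The constants, the pence amounts and the `authorise`, `should_warn` and `demo` functions are assumptions made for the example.

```python
# Model of the split contactless limit described in this thread. Added
# illustration, not Monzo's or a card scheme's code. Assumes an issuer-side
# online counter (£100), a card-side offline counter (£30), a £30 per-tap
# cap, and that a Chip & PIN transaction resets both. Amounts are in pence.
from dataclasses import dataclass

ONLINE_LIMIT = 100_00     # cumulative contactless spend the issuer allows without SCA
OFFLINE_LIMIT = 30_00     # cumulative offline contactless spend the card allows on its own
SINGLE_TAP_LIMIT = 30_00  # per-transaction contactless cap in force at the time of the thread
WARN_AT = ONLINE_LIMIT - SINGLE_TAP_LIMIT  # £70: one more full tap could cross the limit

@dataclass
class CardState:
    online_spent: int = 0   # held by the issuer; only online authorisations update it
    offline_spent: int = 0  # held on the chip; the issuer only hears about it days later

def authorise(state, amount, *, online=True, chip_and_pin=False):
    """Return 'approved', or 'step_up' when the terminal should ask for Chip & PIN."""
    if chip_and_pin:
        # SCA performed: both cumulative counters start again from zero.
        state.online_spent = state.offline_spent = 0
        return "approved"
    if amount > SINGLE_TAP_LIMIT:
        return "step_up"
    if online:
        # Issuer decision: it sees its own counter but cannot see offline usage.
        if state.online_spent + amount > ONLINE_LIMIT:
            return "step_up"  # a request to insert and retry, not a hard decline
        state.online_spent += amount
    else:
        # Card-only decision (plane, bus): the chip asks for insertion once full.
        if state.offline_spent + amount > OFFLINE_LIMIT:
            return "step_up"
        state.offline_spent += amount
    return "approved"

def should_warn(state):
    return state.online_spent >= WARN_AT  # the £70 feed-item threshold suggested above

def demo():  # constructed sequence: taps in town, purchases on a plane, then Chip & PIN
    card = CardState()
    results = [authorise(card, 25_00) for _ in range(4)]      # £100 online: all approved
    warned = should_warn(card)                                # £100 >= £70: warn
    results.append(authorise(card, 5_00))                     # £105 > £100: step up
    results.append(authorise(card, 20_00, online=False))      # offline counter is separate
    results.append(authorise(card, 15_00, online=False))      # £35 > £30 offline: step up
    results.append(authorise(card, 5_00, chip_and_pin=True))  # SCA resets both counters
    results.append(authorise(card, 5_00))                     # approved again
    return results, warned
```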