SCA (Strong Customer Authentication) changes & contactless


I’ve got an email from my (not-Monzo) bank that they “will be making contactless payments more secure”, and concretely, “After you make five contactless payments in a row (or once your payments have totalled £135) you’ll be asked to enter your card in the machine and enter your PIN.”.
They say that they have to do this because of the Payment Service Directive II regulation / Strong Customer Authentication.

I know a bit about SCA, I know that payment providers like Stripe have to implement it and it means that when e.g. credit card details are stored, they need to make sure that the customer is really the customer, and from time to time there might be a confirmation necessary by authenticating again.

But my question is now: Does the “Payment Service Directive II” really mandate that for contactless payments you now have to put card & PIN every fifth transaction? This would make contactless payments kind of useless and I have a hard time believing that. I more feel like the regulations are probably indeed getting stricter in some abstract way but my bank is overdoing it here.

Does Monzo plan to (have to?) do something similar? If they did not, that would be a significant argument for me to switch to Monzo (hence I am posting this on these forums).
Contactless payments are so convenient, and if you have to put the card into the machine every freaking fifth time, that just made contactless payments so much less useful and convenient.
For that reason, I can’t really believe that these regulations would mandate such a strong requirement for contactless payments, and I am guessing my bank might be overdoing it here (all in the name of security)…?

Yes and Monzos is £35 less than Starlings set at £100. All banks have to meet the 150 euro max limit before checking again.

The workaround is use your phone to tap and pay and it doesn’t apply.

It’s on par with the cookie popups on websites with things that should never have been implemented. Complete idiots running the show.

Hi there @JohnZ :wave:

You can read about our SCA plans here:

One important clarification is that right now, these changes are relevant to contactless payments made using the card, but not Apple Pay or Google Pay. These changes are regulatory - so compliance is not optional.

It’s an EU directive

Do you know if the new biometric debit cards that NatWest are trialing are excluded from this too.

Something the Monzo could offer?

1 Like

Hi, thanks a lot for that link.
That blog post does not say that you’ll have to insert card & PIN every fifth/x-th time. It only talks about the £100 limit.
Does that mean Monzo does not/will not implement a rule like “you have to insert the card & PIN every x-th transaction”? Only the £100 limit?

Thank you.

SCA requires two out of three requirements - 1) physical possession of card, 2) insert/PIN, 3) biometric authentication. So as a layman, I would guess that 1) and 3) would satisfy SCA and with a biometric card you’d never need to enter the PIN for SCA reasons, if your bank plays along.

1 Like

it’s every 5 transactions or £100 spent as per the legislation

The legislation is actually per £135 but Monzo have chose to split that into £100 online and the rest offline payments (online in this case being card present and instant authorisation)

1 Like

And unfortunately there are still people out there with phones who do not have NFC… :slight_smile: Not everyone spends >£200 on a phone. (Yes there are phones <£200 with NFC but at the time when I bought mine, they were otherwise not too good.)

It’s going to fun for merchants after the 14th with all the rejected payments to deal with, they have no clue the reason why the card failed but you’ll see it appear in app that it’s due to needing to confirm identity again.

They’ll get used to it pretty quickly


Yep, this is my understanding of the legislation also. I’m not super close to this though, so I’d defer to @amelia for more detail.

That’s too bad then… I think the EU is a good thing in general but a “hard-limit” like this is really stupid.
Do you have the link handy to the page/line in the regulation that explicitly states this, by any chance?

The rules state 150 euro contactless payments thought they don’t worry about counting offline in the spec. So I don’t know why Monzo bothered.

The odd thing is £135 now is more than 150 euro. In the other thread it’s at a fixed conversation rate.

1 Like

I imagine it’s due to the data they have available about customer usage

Yep it’s fixed for now but can be changed if exchange rates change more over a long period of time. Although by then we probably wont be subject to EU legislation


Yeah so its article 11 which has the statements, I can’t find any docs on how that 150 got set at 135, was that just Starling thinking that’s about right. There doesn’t seem to be additional on how this rule applies in other currencies and at what fixed rates?

It’s probably in an FCA document

Starling have set it as their limit and the people implimenting it for monzo say it’s an industry agreed figure, so it’s in some legislation or communication somewhere

For non-Euro transactions, the payment service providers (PSPs) and card schemes should convert EUR thresholds as required under Articles 11, 16, 18 of Commission Delegated Regulation (EU) 2018/389 into non-Euro currency thresholds, using the average ECB reference exchange rate. In practice, PSPs and card schemes may wish to keep the threshold in Euros.

Rounding of the threshold amount in non-Euro currency could only be done if the threshold in the other currency is rounded to a value, which is unlikely to breach the EUR threshold in the Delegated Regulation, based on the ECB reference exchange rate information. Any such rounded amount may require adjusting from time to time. For example, the EUR 50 threshold for remote payments would be equivalent to a UK sterling threshold of £44.50 as of 12 September 2018; the lowest it would have been over the previous 12 months is £43. So if the UK sterling threshold was rounded down to £40, it would likely always comply with the EUR 50 threshold for the period given in this example (September 2017 – September 2018).


Cheers for the link.

@simonb do you know the reason why Monzo didn’t go with the £135 like your Teal friends?

By having it below £120 does that mean you’ll only get three successful £30 taps and the fourth will bust?