Strong Customer Authentication: Using Chip and PIN more often when making contactless payments

If you look at the Tweet content and dates I don’t think these are real customers having SCA related issues.

The Barclays/Lloyds tweet is just someone enquiring about it on the 15/16 September, asking when it will come into play, and getting a generic reply copying the spiel from the info page.

I am a customer of Lloyds so happy to physically test this. I’ve asked on their chat to give me an official statement too when it’s coming into play or if it is already and what the limit is.

The HSBC one is inconclusive as to whether it’s actually SCA that caused that person’s decline. I think we would be seeing tweets in the thousands with people complaining (at least for a short period whilst people adjust to knowing what’s happening and why) when it is actually implemented, not just one guy.

I’m just trying to establish clear evidence that it is actually implemented. We have other Monzo customers in the forums with legacies that could try putting through more than £135 on the card via contactless payments and seeing if they get declined.

I’m confused about what’s happening here. There is a law - it might be a good law or a bad law, but it’s, erm, The Law - which Monzo has implemented in good faith and (in my view) elegantly. The argument that other banks may (or may not) be acting outside the law is hardly compelling, in my view.

Now I’m absolutely down for debating the legislation and its merits (or otherwise), but perhaps in a dedicated thread? And if we want to continue to benefit from direct discussion with Monzo experts, perhaps we should think about how we interact with them and how welcome we make them feel?

8 Likes

This is ultimately my issue at the heart of SCA. The Law was envisioned when contactless in the UK was in a somewhat infant state (vs today at least) and without the likes of mobile payment providers - so I don’t think it adequately represents how consumers use cards and contactless in 2019.

The fact that Banks are the ones held liable for fraud to me says the Banks have no incentive to make SCA better or easier for the consumer, as obviously the primary purpose of this specific bit of legislation is to reduce fraud, and therefore banks’ liabilities. I’m sure Banks in general played a strong part in the design of these regulations.

From my own experience, I find now that my card declines for SCA way more often than any previous reason for it declining. Not necessarily high frequency, but still greater than before.

As a result I’ve basically switched to primarily using Apple Pay as default, as it just tips it over into being more convenient.

From a Monzo implementation point of view - I do wish there was a way to differentiate notification types - over the years I’ve become used to the “phone vibrating in my pocket before the card machine says approved” factor of Monzo. Not sure what’s possible but if there was one buzz for approved / two for declined it would lead to a more clear experience?

Looks like ATM withdrawals reset the limit.

Actually what has been discussed several times is that Monzo are taking a Q&A as law when in fact it is nothing of the sort. If ‘you can’t reset it any other way’ was the intended behaviour it would have been in the law itself.

In this instance Revolut are putting their customers’ UX first. Well done them.

1 Like

What we (well me) are talking about is a few things.

  • Monzo jumped on £100 (and reserving £30 for offline transactions). Imho they have over interpreted the spec in taking offline into consideration and not gone with £135 like Starling and other fintechs. It takes an already low amount (imo) and reduces it unnecessarily further.

  • No legacy bank has met the 14 September deadline to my knowledge and are now working to the 14 March 2020 deadline. Or failing that deadline the 14th March 2021 deadline before the FCA said they will kick off (or extend it again if not enough banks have done it).

  • By the fintechs jumping on implementing it on time they have started impacting and inconveniencing customers before any other banks have got round to it. By the time 2021 comes we might actually have biometric cards that act the same as phones so potentially legacy bank customers may never be affected by the limits.

  • There was a bit about Revolut having a tap to reset the limit in app which of course Monzo could champion, but Monzo (or Monzo staff) have mentioned they are worried about having their banking license taken away if they did this, and Revolut can afford to be a bit more reckless being an e-money and be a bit of a rebel in pushing the spec.

  • There’s also talk about how the UK is affected more by this because we don’t have contactless and pin here. Not much we can do about it now.

So we get tap > payment decline > no idea why, could be any reason “Do you have enough money? Can you try another card?” > cancel that > start a new transaction using chip and pin where the card needs to be inserted.

They get tap > “payment needs pin” > types pin to confirm.

  • Because the spec is in Euros it means that the limit (current 150 euros) needs to be converted into the currency of the account so they aren’t working out how much £ is Euro all the time. It’s recalculated roughly what 150 is worth and locked in at set specific times. So as an example Starling’s is £135. FCA don’t care about this or leaving wiggle room, just that’s “in the spirit” of the spec.
  • There’s also talk of why they thought it was a good idea to implement in 2019 when we’ve had contactless working fine for the best part of a decade and customers have always had fraud protection and been covered. It does diddly squat to help with a huge impact on the customer and merchants imo. Again not much we can do about it now, other than use Google Pay/Apple Pay which isn’t affected by this.
  • There is also the other side of SCA which is about confirming identity more often, which means having your app randomly ask you to enter pin. This feels again unnecessary to me. If you’ve stolen my phone and have stolen my thumbprints or can bypass with faking my face and have my pin, and I haven’t alerted Monzo that my phone’s been stolen and changed my pin within about two months of it being stolen, and the fraud dept having spotted something odd, then yes they can have my money.

@alawrence I’ve got evidence this morning through the SCA team that Lloyds 100% has not implemented SCA but are trying to do it by the new extension of 14 March 2020 but might not happen, worst case before the March 2021 date. They currently have no defined limit of what that will be when it comes into play. (I was also told I can do 30 contactless transactions in the same day which wasn’t what I had asked)

I see it’s like waking up and having someone immediately stand on your foot every single day. For the first 100 times you might be “what the hell, I’ve just woken up why are you standing on my foot?” after the 1000th time this happens it might start to become the new normal and not be such a “ball ache”.

My point is they shouldn’t be stepping on your foot in the first place.

2 Likes

I’ve picked on this use of language before, and I’m going to pick on it again. It’s unfair and inaccurate to say fintechs have ‘jumped on’ implementation. It implies they made the choice to implement it early instead of delaying, which absolutely isn’t so.

Legacy banks have been using their complicated legacy stacks and antiquated systems as an excuse for missing the deadlines. Fintechs do not have this excuse, and can’t use it as a reason to delay implementation.

9 Likes

You can read that line “jumping on implementing it” as “implemented on time”, as opposed to missing the deadline like all other banks (apart from about Monzo/Starling banks and 3 e-money “banks”).

I’m not saying they should have purposely missed. I’m simply commenting that a consequence of being punctual is that Monzo customers are affected in the period between when it was implemented and when everyone else catches up be that March 2020, 2021 or if it’s extended again.

It’s not like the legacy banks go to the FCA "sorry we are a bit slow being legacy using older systems give us more time :pray: " because of that reason, they aren’t being asked why like they have missed doing their homework. Excuses don’t cut it and FCA wouldn’t care. The FCA knows any deadline they give they can’t be too forceful or piss off lots of banks. Even the March 2021 where they say “any firm that fails to comply with the requirements for SCA will be subject to full FCA supervisory and enforcement action as appropriate” is just to help push them forward in getting it done.

This makes Monzo actually look unprofessional to merchants as it looks like Monzo are having issues with contactless payments, when contrary to this they are doing everything they should.

Could this lead to even more shops banning the hot coral card?

Potentially, I don’t know if they can legally say they ban a “card”, they either accept Mastercard or they don’t. They could refuse the transaction though as they can pick who they do business with. I think Monzo wouldn’t take kindly if they see large merchants putting up signs like Tescos but just saying we don’t take Monzo card payments if there was no legitimate reason. I’d like to think Monzo customers are savvy enough not to show the card they are paying with before tapping.

It doesn’t help that the terminals don’t know it’s because the contactless limit has been reached and that a new transaction of chip+pin is required. So the person behind the till just sees payment declined which makes it look like Monzo customers have low/no money to afford it, or that the Monzo cards have an ongoing issue with Mastercard. It takes years for knowledge to get out there to merchants and train their staff that it’s perfectly normal and to start expecting a lot more declines in future.

:face_with_hand_over_mouth::tipping_hand_man:“Have you got another card you could try?”

This is so true - none of the retailers I’ve ever had a decline at knew about SCA being a thing or why they were seeing more declines.

Doesn’t help!

1 Like

It took me nearly an hour of working my way through teams at Lloyds before they could find anyone who knew anything about SCA. At which point they basically admitted it’s still in early stages of discussion and nothing can be confirmed at this stage and they hope to have it done by March 2020.

I can just imagine the scene now where they have finalised their plan of what needs to be done and give it to the devs on the 7th March and say you have a week to make this happen. :open_mouth::flushed::exploding_head:

Banks don’t need regulation to place limits on contactless, they’ve always been able to do that (and generally have). Additionally contactless fraud is a tiny portion of the fraud we see on a day-to-day basis, and really doesn’t cost banks that much money. There are much bigger fish to fry if you’re trying to cut your fraud losses.

PSD2 doesn’t really provide any implementation guidance at all. It delegates all of that to the EBA to decide. This means that EBA Q&A answers and opinions are, for all intents and purposes, the law.

The Q&A process is how the EBA tells banks how they should behave in areas where existing guidance is unclear.

7 Likes

I’ve looked through the EBA as much as I can bear, I can’t find any specific rule to say that resetting limit through an app is a solid no.

Have Monzo put this forward to get a definitive answer? Or assuming it’s probably a no and Revolut are being naughty.

If it’s a yes that’s fine, and they classify the customer pushing the button as acknowledgment I’ve got the physical card in my possession that’s a game changer. If they pushed the button without actually checking their wallet then it’s on them, either way the same contactless fraud we’ve always had kicks in if being used fraudulently.

Monzo could implement that and be heroes.

I’m still intrigued to know if Monzo will be / was the only bank to do £100 limit (and reserve £30 for offline) whilst all other banks chose £135/£130. Only time will tell, we may need to wait a couple years before we know that. Hopefully Monzo will go :ok_man: we were a bit too conservative and the FCA clearly doesn’t care about offline and change it.

Or Monzo could look at biometric cards which remove the limit check and raise the single transaction limit from £30 to £100 like NatWest’s trial :eyes: Might cost a bit to start with, but you could gain millions of customers if you win the race.

1 Like

Other points aside, I seriously doubt this is true. I don’t think many people care enough about a biometric card to switch banks. Most (all?) who want this are already using Apple/Google Pay. Plus, why pay out for a potentially failed experiment. There’s no real first-mover advantage to this. If it proves popular, other banks can bring in their own biometric cards.

5 Likes

When you say tiny is that like 5%, 1%, <1% of fraud? I would imagine that most people already report their card as missing before it’s used contactlessly. If it’s just lost then hopefully (99%) most people don’t then try and buy something with it, so that’s people purposely nicking a wallet to see how many taps they can get out of it before fraud steps in or the person realises it’s been nicked and reports or freezes.

Now that freezing your own card has become the norm even with legacy banks then this tiny amount is going to drop further.

Think lost card > freeze.
Had wallet nicked > freeze.

Which leaves people trying to tap terminals against your card without you knowing which as this isn’t the Bourne Identity shouldn’t be too common.

Which all leads to my why do this 2019 when we’ve had contactless for donkeys. The limiting to £100 or £135 isn’t going to have any/slim to none impact on what has happened previously for the last decade in reducing contactless fraud and just inconveniences people and businesses for little/zero gain.

I want to know who thought this was ever a good idea.

You are probably right with this, it was more a thought out loud.

I’m amazed Google/Apple hasn’t yet got into making it public knowledge that tapping with your phone bypasses the need for these checks.

Outside London people are still mostly using cards to tap with in my experience, but the days of cashiers looking at you like a crazy person trying to tap your phone on their terminals is slowly going as they know that’s a thing now.

Still takes a lot for people to start using their phone unless they are techy, but this could be a good reason to get people to switch.

Google/Apple must be rubbing their hands together at all that commission. If I was cynical I could think that they got someone onto the board to plant that idea to push people towards phones by intentionally bricking contactless. Inception.

2 Likes

I don’t think that’s the case. The law for this only applies to transactions where there’s no customer verification. NatWest have started rolling out fingerprint cards which will not have any such limit when it comes to making card transactions as the customer is being verified with the fingerprint.

The other banks simply aren’t adopting this yet for whatever reason.

1 Like

Personally just think this is a product of the classic ‘government / the law is always 10 years behind’ phenomenon. The law makers are slow to see changes in the market, and then it takes even longer to get a law passed and then EVEN LONGER when talking about timeline and deadlines to implement said law. It all means often with these tech based laws they are 5-10 years behind what is actually relevant with technology when they come in. I wouldn’t really blame the law itself, it’s just a product of lawmaking being a slow process.

3 Likes

Is this meant to be a different quote?

As for NatWest fingerprint cards, if you are saying SCA doesn’t apply to them then we are in agreement? :man_shrugging:

If it was that quote, I wasn’t seriously suggesting Google/Apple had infiltrated the FCA/EBA to plant employees who would get the idea going that we need to be doing SCA so it would secretly push people towards using phone payments instead of their cards. :sweat_smile: