Strong Customer Authentication: Using Chip and PIN more often when making contactless payments

I had an active card check at 2am from “Blackbaud Sca Charity”, I donate to a couple of charity but not sure which one is doing this. I guessed “Sca” stands for strong customer authentication.
Did anyone have something similar?

This they say :point_down:

.
.
After plenty of googling, it looks like this is their out for now

So they have 18 months before they get in trouble, but doesn’t non compliance break the Visa/MasterCard terms.

They only won’t get in trouble if

The FCA will not take enforcement action against firms if they do not meet the relevant requirements for SCA from 14 September 2019 in areas covered by the agreed plan, where there is evidence that they have taken the necessary steps to comply with the plan.

Pingits flow will have to be Auth in app, (unless they can implement online pin, is that a possibility?) But they’ll lose their USP if you have to take your phone with you.

2 Likes

Thanks for that :+1:

1 Like

The FCA phased implementation plan broadly only applies to e-commerce and remote transactions. There is no delay to the contactless payment implementation.

1 Like

Oh,

I wonder what they are playing at then.

@amelia @erincandescent Don’t know if @simonb mentioned the Q if Monzo will be upping their £100 limit to match the £135 offered by other banks. He pointed to offline payments being the reason Monzo decided to allow wiggle room but that doesn’t make sense as the 150 euro doesn’t need to take offline into consideration which is why Starling who have the same offline ability went with £135 being a close conversion.

I mentioned that by trying to account for this £35 you’re cutting an already low amount even further which means more likely only three successful contactless before the 4th busts. £30+£30+£30+£10+

1 Like

We will be implementing a £100 online, £30 offline unauthenticated contactless limit in line with the legal requirement to not authorise more than £135 total between instances of strong customer authentication. There is no special exemption in the law from SCA for offline authorised transactions.

We expect most people (who do the majority of their payments by card, and not by using a mobile wallet) to have to enter their PIN at a terminal no more than once in the average week.

6 Likes

So are Monzo planning on sticking with their interpretation of £100 and £30 reserved for offline cases even if all the banks go with £135 (with no specific allocation for offline)?

Not saying you should do it because everyone else does, but in this case it makes your offer a lot weaker by hitting the limit much quicker.

There was talks about raising the contactless limit to £50 so would take it to just two taps then chip+pin.

I’m guessing most people make two physical transactions a day on avg, so that could mean every other day it would fail and need chip and pin.

My other Q was around Contactless + PIN thats used widely in the EU. (So that the transaction isn’t cancelled and tried again, its just a case of typing the pin without needing to insert the card)

Can the UK support this currently? Whats required a terminal / bank / merchant thing?

The average contactless transaction is under £10, so most people are going to get 10 or more transactions between PIN prompts.

I did some explaining over in the labs topic (linked below) when we rolled out a preview of these changes into labs, but in summary UK terminals don’t and are not permitted to support contactless and PIN

If you wish to avoid having to insert your card periodically, we’d encourage use of Google or Apple pay, which are unaffected

But doesn’t it have a max of five in place to satisfy Article 11. So it’s going to still be every couple of days if you make just two taps a day.

Is it the sixth transaction it fails or the fifth?

Shame contactless and pin isn’t an option for the UK. I’m personally not affected as I use by phone for everything but still interested in this.

As I read it, the bank can choose either to demand Chip and PIN after £130 of contactless card transactions or 5 contactless card transactions.

1 Like

So is that a and (b or c)? If this is right then they really could have reworded it by removing a and turning into a normal paragraph and then just have pick one of two options.

Article 11

Contactless payments at point of sale

Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates a contactless electronic payment transaction provided that the following conditions are met:

( a )

the individual amount of the contactless electronic payment transaction does not exceed EUR 50; and

( b )

the cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of strong customer authentication does not exceed EUR 150; or

( c )

the number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of strong customer authentication does not exceed five.

1 Like

The key reason I thought it was and is due to Starlings email. As in either of these conditions are true to trigger it.

After you make five contactless payments in a row (or once your payments have totalled £135) you’ll be asked to enter your card in the machine and enter your PIN.

Very succinctly put. That’s how I read it (I’m not an expert).

Did Starling misread the spec and did all three, because why would want to make it anymore annoying. Or was the email sent out wrong? :man_shrugging:

I’d expect a phrase along the lines of “whichever comes first,” if they’d meant both to apply.

Revolut’s published approach seems a bit better. Reset using Chip & PIN or using the mobile app. I’d personally prefer to reset using the Monzo app instead of having to use Chip & PIN (which feels like going back in time)

6 Likes

Why haven’t monzo done this in app?

You have £40 left of £100 before chip and pin is required.

[ Tap here to reset ]
:point_up_2:

4 Likes

I just tapped in on a Lothian Bus and got an alert from Monzo saying I would need to use chip & PIN for enhanced security (or something to that effect). The 10p charge went through and the bus’s reader was happy, and when I opened the Monzo app there’s no message about chip & PIN. So I’m a bit confused:

  • I thought city transport transactions were excluded from SCA (as confirmed by @milo in the original post on SCA)

  • I’m now worried that when I next try to get the bus my card will be rejected. I can’t switch to Apple Pay because then my fare won’t be capped at the day ticket rate

Does anyone know what’s going on?

3 Likes

Unattended terminals should be excluded from what I take from below. Might have been a coincidence that you saw the alert that was sent out to everyone.

Article 12

Unattended terminals for transport fares and parking fees

Payment service providers shall be allowed not to apply strong customer authentication, subject to compliance with the requirements laid down in Article 2, where the payer initiates an electronic payment transaction at an unattended payment terminal for the purpose of paying a transport fare or a parking fee.

1 Like