The Debit Card


(Alex Sherwood) #1

Richard’s just shared some more details about the improvements that’re on the way, when the debit cards are rolled out along with the current accounts. There isn’t a dedicated topic with the details of what’s changing so I thought I’d create one :slight_smile:

  • Offline support means no more declined payments for things like car park / railway station ticket machines & Pay at the Pump
  • I’ve been told by @richardr that the contactless Magstripe support should result in significantly fewer declines in the US
  • I assume that data storage means the capability to do things like storing season tickets on your Monzo card (bearing in mind that the storage space is relatively limited)

it looks like they’re not far from being ready either :eyes:

Photo from the above tweet.

There’s some more pictures of the card’s design here.

We also already knew that there’s not going to be account numbers or sort codes on the cards -

& that user’s names will be on the cards, with exceptions -


:us: Monzo in the USA [Discussion]
Add Account Number & Sort Code to the Debit Card
Gotta catch 'em all — The Monzo Current Account Preview testing challenge 🏆
Monzo in Norway :norway:
Gotta catch 'em all — The Monzo Current Account Preview testing challenge 🏆
:us: Monzo in the USA [Discussion]
Community Digest 04/08/17
Current Accounts
Gotta catch 'em all — The Monzo Current Account Preview testing challenge 🏆
What We Know About the Current Accounts & Debit Cards / FAQ :bank: :credit_card: (open Wiki)
(Mike) #2


(Jason Yau) #3

Oh wow! Data storage on the card. Hopefully TFL will allow railcards to be linked to the card i hate having to use my Oyster to get my discount.


(Tom ) #4

To add to this, @liamn has confirmed that the new cards will stop the ATM message appearing that says “Please note that your card issuer may apply a cash advance charge”

Furthermore, I experienced a few issues in the USA with the Monzo CA where the POS device would say “EMV transaction not allowed”. Manually entered, the card worked fine. However, this new chip should also fix that issue.


ATM Language / Charge Message
(Jolin) #5

What is this? Surely if you’re using the magstripe, it’s not contactless, as the reader head has to physically run over the stripe?


(Andre Borie) #6

Possibly it’s where the card broadcasts the mag stripe data over contactless (instead of doing an EMV transaction like they do now). Extremely insecure but that seems to be common in the US.


(Caspar Aremi) #7


says:

In general there are two classes of contactless bank cards: magnetic stripe data (MSD) and contactless EMV.

Contactless MSD cards are similar to magnetic stripe cards in terms of the data they share across the contactless interface. They are only distributed in the U.S. Payment occurs in a similar fashion to mag-stripe, without a PIN and often in off-line mode (depending on parameters of the terminal). The security level of such a transaction is better than a mag-stripe card, as the chip cryptographically generates a code which can be verified by the card issuer’s systems.

Contactless EMV cards have two interfaces (contact and contactless) and work as a normal EMV card via their contact interface. The contactless interface provides similar data to a contact EMV transaction, but usually a subset of the capabilities (e.g. usually issuers will not allow balances to be increased via the contactless interface, instead requiring the card to be inserted into a device which uses the contact interface). EMV cards may carry an “offline balance” stored in their chip, similar to the electronic wallet or “purse” that users of transit smart cards are used to.


(Richard Owen) #8

The first part of this is correct. However the later part is not. Replay attacks are protected against because they use a dynamic CVV3 instead of the regular CVV from the magstripe.


(Jolin) #9

Thanks, didn’t even think to check Wikipedia. :no_mouth:

However, doesn’t this mean that any card with this feature can trivially have its card number and expiry date skimmed? Will there be a way to disable this on our cards if we’re not using it?


(Rika Raybould) #10

There’s a few more security features as described in the posts above mine but effectively, it is magstripe over the contactless interface. American Express use it and it’s easy for merchants who used to only accept magstripe to upgrade to. :us::credit_card:

Fun fact, that’s why Amex in Apple Pay doesn’t work with many UK terminals where regular Amex cards work. If you take a look at the table at the bottom of this page, you’ll see that Amex only has dots in Magstripe Contactless, not EMV Contactless.

This is not to be confused with MST (Magnetic Stripe Transmission). The technology that Samsung Pay originally used and still uses in certain markets. That’s literally magstripe data being blasted out of an electromagnet. :no_good_woman:

We’re adding Magstripe Contactless to our cards to reduce the number of declines we see from users traveling in the US. It’s near-impossible to tell what a terminal is using until you’re already declined. :disappointed:


(Richard Owen) #11

Perhaps, but then they’d typically need the CVV2 from the signature strip which won’t be in the skimmed data. That’s why I hate the US restaurant practice of the server taking your card away for authorisation. All they need to do is take a photo of the card back/front and Card Not Present fraud is now your risk.


(Andre Borie) #12

You can already get the PAN and expiry date with any contactless card. If you’ve got a card reader you can see for yourself using Cardpeek (make sure you check the binary on Virustotal as the download is not HTTPS, or compile it yourself).


#13

What is offline support? Does this mean a payment will always go through regardless? And if so how does this impact the freeze card function?


(Alex Sherwood) #14

Here’s how Monzo explains offline transactions -

Sometimes, POS terminals aren’t able to establish a data connection to their Merchant Acquirer. Typically, this happens on aeroplanes and trains. In such a case, the card chip can be programmed to work in “offline” mode for a limited number of transactions. When the POS re-establishes a data connection (eg the aeroplane lands), the payments are uploaded to the Acquirer. The first the Issuer sees of this payment is in the “Presentment” file, which may be a day or two later.

Quote from this blog.

It does mean that even if your card if frozen or you have insufficient funds, the payment will still be authorised - or rather, Monzo will not authorise the transaction at all - (I’ve checked this with the support team) but Monzo will be liable for the charges if you have frozen your card so they’ll reimburse you.

Fortunately, as the blog mentions, there are not many merchants with offline terminals so even in the short term, your exposure to fraud here is small.


(Andre Borie) #15

Wouldn’t that open the doors for abuse - freeze card before going on the plane, buy lots of booze onboard, enjoy the free booze at Monzo’s expense?


(Goku) #16

So whens it coming out? Investors were promised a summer release.

Only got another month left…


(Alex Sherwood) #17

Here’s all the details :slight_smile:

https://monzo.com/blog/2017/07/17/current-account-preview/


(Alex Sherwood) #18

14 posts were split to a new topic: Add Account Number & Sort Code to the Debit Card


Add Account Number & Sort Code to the Debit Card
#19

So just to confirm, for the CA cards, where the magstripe doesn’t work in ATMs, it will work for normal transactions?


(Alex Sherwood) #20

We know that the debit cards will be more likely to work with terminals (when you pay at the counter) that only accept magstripe payments. That’s what Richard was referring to when he mentioned ‘contactless magstripe’ support.

If you enable Magstripe withdrawals though, it should work with Magstripe only ATMs.


I’ve moved your post here, as your question applies to using the debit card in every country & it’s useful to keep all of the information about the debit cards in one place.