Why do I need to use my PIN for transactions <£30?


(Jolin) #1

Ok, this is more Fin than Tech, but I think this is probably the most appropriate category.

Having become used to using contactless because of the awesomeness of :monzo:, inputting a PIN seems very cumbersome (I know, first world problem). This has got me wondering what the justification is for requiring PINs for chip transactions below £30?

For instance, if I go to a shop and buy something for £12, if I tap my Monzo card, no PIN is required. But if I were to instead insert the chip into the machine, I have to enter my PIN. Why?? In both cases, I have ‘proved’ I’m in possession of the card. How is the risk profile of using a chip so much greater that I have to enter a PIN? Obviously, with my :monzo: :credit_card:, I don’t use the chip, but I sometimes need to use a card without contactless, and it strikes me as odd every time I have to enter a PIN for a transaction <£30.


Forget your Pin? Don't worry, banks are letting payments through without it - The Telegraph
#2

In some countries you don’t need to, e.g. some Dutch retailers have Chip & Dip where you insert and remove card without entering PIN for low value transactions


(Jolin) #3

Makes sense, so is the reason we don’t have this in the UK just that the chip ‘standards’ haven’t been updated since first introduced? It would make sense to harmonise limits for chip and contactless.


#4

and harmonise limits across countries as it is crazy having €10, €20, €25, €30, €50, £30 etc limits for contactless depending what country you go to


(Eve) #5

Most countries I’ve visited in the EU limited it to €25 (haven’t seen other values like €15, 40) which was a bit annoying considering I was used to the £30 limit. It isn’t much but you always feel like an idiot tapping it and having the staff members correct you.


#6

Estonia is €10 which I found VERY frustrating


(Bob) #7

Using the international currency of Becks, how many Becks can you get in a round in a bar in Estonia on contactless?

Here in London, it’s about 6-7 bottles of Becks per contactless. What about Tallinn?

Very important to get a sense of proportion :hugs:


#8

Not sure…I was drinking coffee not bier. But like anything it depends where you go. In the Old Town in Tallinn or international brand Hôtels it Western prices. In the suburbs or outside Tallinn in the countryside it still very reasonable prices


(Jamie 🏳️‍🌈) #9

Look at it the other way. With inserting your card and entering your PIN, you’re proving possession and authorisation. With contactless, you’re just proving possession. So I think banks are happy to take the risk for their customers’ convenience on contactless, as a marketing point.


(Jolin) #10

I get that, I just don’t get why it’s ok not to prove authorisation for contactless, but not chip. It would be pretty convenient for chip, too. And as almost all of these <£30 transactions move to contactless, it’s not like the banks are reducing their risk much by making it less convenient for chip users.


(Jamie 🏳️‍🌈) #11

Yeah, sorry, my point wasn’t clear. I essentially thought contactless was an extension of risk from the status quo. In particular since you’re supposed to have to enter a PIN every so often. But you’re right, as those values of transactions increase, the risk goes up anyway (and in 5+ years on using contactless I’ve never been asked to confirm with a PIN periodically!)


(Allie) #12

This is complicated, and depends on the network, country and individual merchants. In order to promote contactless, the networks have, in many countries, granted specific contactless lost/stolen liability shift waiver amounts at or below which a merchant may use no CVM to process a transaction without being liable if a card was lost/stolen. In the UK that’s £30.

Above £30 for contactless, there is a requirement for cardholder verification to be performed. For contact, there is no waiver amount for PIN in the UK (though there is on signature for a chip and signature for at least some networks, but I’m not sure the amounts. I do know starting next year, it will be a global infinite limit for American Express - merchants will never be required to collect signature for chip and signature American Express cards starting next year).

In the US, Visa has a waiver for contact PIN (through VEPS) but Mastercard doesn’t (though they do have a signature waiver). Many shops in the US still don’t ask for PIN though, even on Mastercard, and sometimes (especially for restaurants) even above the Visa waiver level. They do this by modifying the EMV kernel (dynamically in the case of a PIN waiver amount) to remove PIN support so the card has to proceed down the CVM list. If no cardholder verification waiver applies to the transaction, the merchant takes on the risk of doing this in the name of convenience or of protecting their business model (e.g. restaurants that take cards away in the US).

The actual risk for a contactless and a contact transaction are the same as there’s no difference, both are EMV transactions and all the same modes - e.g. online vs offline authorisation, etc can apply to either entry method. The only differences are supported CVMs, and even then only slightly:

  • Contactless does not support offline PIN (PIN verified by card, like we use in the UK, instead of by the issuer - this has no relation to offline vs online transaction authorisation).
  • Contact does not support CDCVM (consumer device cardholder verification method).

Additionally, for the same reason offline PIN can’t be supported, contactless also can’t support issuer script processing. Issuer script processing is also not possible on contact if the merchant has implemented various ‘quick chip’ solutions, such as Mastercard M/Chip Fast. So far, these are only allowed in the US market, and they serve little point since contactless covers the same need.

Otherwise, all the same basic feature set and security of EMV is identical.

That check was only relevant for offline risk. Online fraud is caught by having you call the issuer and telling them to block the card.