PSD2 may just kill contactless cards
Too much security may be a bad thing.
You may have seen some recent emails from your bank - saying how they are making your banking more secure. What they aren’t telling you is that contactless is going to get more inconvenient soon - so much so that you may actually stop using it.
Banks are getting more secure in response to a recent regulation called PSD2 (or the 2nd Payment Services Directive for its full name). The purpose - to create a level-playing field between financial services organisations across Europe - both by fostering openness through Open Banking (which I’ll talk about in a future post) but also by ensuring that every financial institution ensures a high level of security for their customers and their money.
The core element of the regulations is a section called ‘Secure Customer Authentication’ - and this is what will shortly start breaking your contactless payments.
The rule (a low value exemption for two-factor authentication) requires you to revalidate your card PIN every 5 times you use it, or when you’ve spent more than ~€100 since you last entered your PIN. Exceed these limits and your payment will be declined, and you’ll have to use chip & PIN to proceed.
This creates a problem - your contactless card, which was previously always reliable, is now a roll of the dice as to whether it will be accepted or not. This is a real issue, as contactless now exceeds cash payments in the UK and is increasing in other markets - that growth may really slow down if the experience for customers is poor and people lose faith in their cards.
The change was meant to come into force in September 2019, but many banks have got a 6-month extension to March 2020. My experience - it sucks! Bad enough to put people off contactless, and possibly set payments back 5 years or more.
How I was almost deprived of gin!
Here’s a recent experience - I was at a local pub and ordered a Gin & Tonic (Rhubarb Gin & Mediterranean Tonic - don’t judge me) and I paid the barman by contactless. Without thinking twice, the barman said thanks and walked away - I took my drink without thinking about it and sat down to wait for my friends. It was only a few minutes later, when the barman came back and said my transaction was declined, that I understood what had happened.
As I work in financial services (implementing a number of PSD2 initiatives) - I knew what was going on, but many customers wouldn’t have had a clue. My bank - Starling Bank - had sent some communication about ‘getting more secure’ but it was not clear which transactions were declined by this limit - and it doesn’t provide any method to resolve this except by rather embarrassingly re-using your card with Chip & PIN and crossing your fingers.
The issue is that whilst the regulations provide the requirement to revalidate, they don’t provide any guidance on how to deal with the negative customer scenarios that result from the requirements - so expect some institutions to handle this better than others.
SCA best practices
How can this be handled well? Well, Monzo have thought this through and currently provide a great example of best practice:
- Clear communication via push notification when your transaction is declined due to SCA.
- Easy viewing of declined transactions within the mobile app.
- Ability to re-enable Contactless using the mobile app only.
- Increased confidence it will work.
Here’s what they show to the customer.
One additional step that could be added in future is to inform customers before they reach the limit, so that they have the opportunity to resolve it without getting declined at all.
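To make the rule described above concrete, here is an added example (my own illustration, not code from the post, from Starling or from Monzo) of how an issuer might track the low-value exemption per card: a counter of contactless uses and cumulative spend since the last PIN entry, a decline once the post's limits (5 uses, ~€100) would be exceeded, a push-style notification on decline, and the "warn before the limit" step suggested just above. The warning thresholds (4 uses, €80), the choice to include the current amount in the cumulative check, and the sample transaction sequence are my assumptions, not figures from the post or the regulation.

```python
from dataclasses import dataclass, field

# Limits as the post states them ("every 5 times", "more than ~EUR 100").
MAX_TXNS_SINCE_PIN = 5
MAX_SPEND_SINCE_PIN_CENTS = 100_00

# Assumption (not from the post): warn the customer at 4 uses or 80% of the
# cumulative limit, so they can re-enter the PIN before anything is declined.
WARN_TXNS = 4
WARN_SPEND_CENTS = 80_00


@dataclass
class CardScaState:
    """Issuer-side view of one card's contactless usage since the last PIN entry."""
    txns_since_pin: int = 0
    spend_since_pin_cents: int = 0
    notifications: list = field(default_factory=list)

    def authorise(self, amount_cents: int, pin_verified: bool) -> str:
        """Return 'approved', 'approved_warn' or 'declined_sca' for one transaction.

        pin_verified=True models a chip & PIN transaction (or an in-app
        re-enable, as the post describes Monzo offering): the counters reset.
        Assumption: the cumulative check includes the current transaction.
        """
        if pin_verified:
            self.txns_since_pin = 0
            self.spend_since_pin_cents = 0
            return "approved"

        if (self.txns_since_pin + 1 > MAX_TXNS_SINCE_PIN
                or self.spend_since_pin_cents + amount_cents > MAX_SPEND_SINCE_PIN_CENTS):
            # Decline and tell the customer why (the push notification in the
            # post), rather than letting them find out from the barman later.
            self.notifications.append(
                f"declined: contactless needs PIN (EUR {amount_cents / 100:.2f})")
            return "declined_sca"

        self.txns_since_pin += 1
        self.spend_since_pin_cents += amount_cents

        # Pre-limit warning: the customer can re-enter the PIN at the next
        # terminal (or in-app) before a decline ever happens.
        if (self.txns_since_pin >= WARN_TXNS
                or self.spend_since_pin_cents >= WARN_SPEND_CENTS):
            self.notifications.append(
                f"warning: next contactless payment may need PIN "
                f"({self.txns_since_pin}/{MAX_TXNS_SINCE_PIN} uses, "
                f"EUR {self.spend_since_pin_cents / 100:.2f} of "
                f"{MAX_SPEND_SINCE_PIN_CENTS / 100:.2f})")
            return "approved_warn"
        return "approved"


def run_pub_visit():
    """Constructed sequence: six small contactless taps, a chip & PIN, one more tap."""
    card = CardScaState()
    results = []
    for amount in (4_50, 4_50, 12_00, 8_20, 6_00, 7_50):
        results.append(card.authorise(amount, pin_verified=False))
    results.append(card.authorise(7_50, pin_verified=True))   # chip & PIN resets
    results.append(card.authorise(4_50, pin_verified=False))  # contactless works again
    return results, card.notifications


if __name__ == "__main__":
    outcomes, notes = run_pub_visit()
    print(outcomes)
    for note in notes:
        print(note)
```

In the constructed sequence the counter limit is hit first (the sixth tap is declined even though only about €43 has been spent), which is exactly the case the post describes: a decline the customer cannot predict from the amount alone. The two warnings before it are what would let a customer use chip & PIN proactively instead.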
So what have we learnt?
Regulations provide a blueprint for how financial institutions can provide a high level of security to customers - but they don’t provide the tools and experience in order to make it pleasant and seamless for customers. Over the next few months you’ll see multiple ways of solving this problem before we hopefully align with something similar to Monzo above. 🤞