Written by A couple of weeks ago I wrote a piece for our friends at Smartex; ‘Brexit and the UK Finance’s proposed £100 contactless limit’. Perhaps a title more worthy of grabbing readers would be ‘Will Brexit make stealing bank cards attractive again?’
The pandemic has accelerated consumer behaviour that has been teetering for the last decade. The desire for contact-free (and therefore contactless) transactions, has meant a significant trend in consumers becoming comfortable with tapping their cards and perhaps more interestingly, their phones (devices/wearables). We’ve seen merchants switch from hand scribbled ‘cash only’ signs, to ‘please use cards (devices etc) wherever possible’. Some stores have completely rejected cash altogether.
The use of mobile phones (and wearables) can be attributed not only to the personal hygiene demands but also to the already high value transaction functionality. Some UK grocery stores publicising unlimited transaction values through digital wallets, whilst sadly consumer confusion remains with lingering examples of poor implementation with mobiles stuck at the £45 limit.
The contactless payment card limit in the UK has been rising slowly but steadily from its lowly £10 limit in 2007 to the current £45 limit (£15 in 2010, £20 in 2012, £30 in 2015). This has been at times quite a painful and confusing process. Today occasionally the contactless payment will fail, and, if the POS handles this well, you will be asked to insert your card and do a chip & PIN transaction.
This is down to PSD2, the EU’s 2nd Payment Services Directive. PSD2 does two things to limit contactless card payments:
- The maximum amount allowed without the need for Cardholder Verification (CVM i.e. PIN or biometric) is €50
- There is a limit to the number of contactless payments that can be made, which is either 5 payments in a row or a total value of €150, without a CVM having been used (the card issuer decides which one of these options used for the card).
Therefore, if the amount is over €50 or it’s the 5th contactless transaction or the combined amount is over €150 then a CVM is required. As the UK (along with France & Finland) does not support Online PIN as a CVM this means that a Chip & PIN transaction is needed. We mustn’t overlook Online PIN, in other countries contactless only ATMs are starting to appear, some question the need for a contact interface at all, reducing the cost of the cards. Online PIN provides a simple consumer and merchant experience, tap your card / wearable etc and you may get asked to enter your PIN. Without Online PIN the proposition for wearables is considerably weakened an associated card or mobile would be required to ensure the PSD2 requirements are met.
When the card is used from a mobile wallet be it Apple, Google, Samsung, Barclaycard etc. then generally a CVM (Face; Fingerprint; Passcode etc) will have been used and the mobile contactless payment can be used for any amount. It has taken the UK POS infrastructure a long time to implement this, and in many cases the old £30 limit was wrongly applied for mobile. The change of card limit to £45 has, by and large, allowed the POS estates to also solve the mobile card and allow for any amount, though sadly my local garden centre hasn’t caught up and I still have to use Chip & PIN for anything over £45, which this garden centre means pretty much every transaction, sigh! These remaining poor implementations only serve to confuse the general public as to when they can and cannot use a mobile for high values, effectively reenforcing the use Chip & PIN for over £45 rather than the use of mobile for over £45.
Many, including UK Finance and our friends at Smartex, have been calling for the limit to be higher than £45, but £45 is ~€50 and that is the maximum legally allowed, today.
But what about Brexit. Well, now that the UK is no longer part of the EU or bound by its rules, what’s to stop the limit rising again? Actually, the UK is bound by the contactless rules set out by PSD2 as it is part of UK legislation. However, the UK can unilaterally change this limit, with UK Finance asking the Treasury to consider raising the limit to £100. Raising the limit to £100 would ensure that most weekly shops can be carried out by contactless without the need for the consumer to touch a PIN Pad / POS terminal. And of course, this is attractive for those who aren’t yet using their phones or devices.
The headline of moving the contactless limit to £100 to prevent people from touching PIN Pads and POS terminals look eminently sensible, but we need to understand the full detail including:
- What happens to the 1 in 5 or €150 cumulative limit?
- Who is liable for fraud when a card is stolen?
Raising the contactless limit to £100 only works if the cumulative limit changes too. We’ve yet to see what is proposed here, let’s assume for a moment that it increases proportionally to roughly £300, or we stick with the 1 in 5 limit, which raises the prospect of up to £300 – £500 fraudulent spend on a stolen card before Chip & PIN is required.
Today contactless fraud is very low, both UK Finance and Visa quote rates of around 2.5p for every £100. Would raising the limit to £100 and potential fraudster gain to £300 / £500 change that? It does seem that this would make cards an attractive target to fraudsters, but they would have to get hold of your card and use it in such a way as not to trigger the Issuers fraud systems before you notice it has gone missing.
If the banks are confident that their fraud systems are sufficient to detect abnormal contactless spend, through the use of behavioural fraud analysis, and are prepared to carry the liabilities then there is very little downside, we have yet to see what is proposed here. Today the banks are not obliged to refund funds when spent fraudulently, however most banks operate under a voluntary agreement whereby the cardholder is not responsible for fraud providing they have not acted negligently. How negligence is defined or decided on is not very clear.
Are there parallels?
Australia raised its contactless limit “temporarily” to AUS$200 (~£100) in April 2020, with review periods. At the latest review in December it was determined that the pandemic had not eased and the AUS$200 would remain until the next review, set for March.
Whilst this hasn’t led to widespread increase in fraud, there are some reports of increases of cards being stolen from cars/handbags etc and used fraudulently, though Australian banks do protect the cardholder from the fraud, they are still inconvenienced by the process, or worse if they’re property is damaged in the card theft.
In Conclusion
Subject to approval by the Treasury and The Financial Conduct Authority, we are likely to see an increase of the contactless card limit to £100. Bear in mind this is the banks, via UK Finance, who are seeking this increase, this must be accompanied by clear statements on overall limits and liabilities, and subject to periodic review.
In parallel the UK infrastructure should consider how to fully enable Online PIN as a CVM, allowing the consumer to use contactless everywhere, wearables to grow, complete SoftPOS offerings. Though for fully contact free payments, ensuring a consistent consumer experience with mobile wallets provides the quickest route forward.
Gary, you are absolutely right the case for online PIN at the point of sale becomes extremely compelling when considered in the light of a possible £100 contactless limit.
I just can’t help thinking that the real question is whether or not we need a contactless limit at all if, as you suggest, the UK moves to online PIN. The potential to move to the new CVM has to bring into question any of the SCA measure land imposed on contactless, does it not simply become the new card data capture method?
All the protections of customer verification and authorisation will be in place to give issuers the equivalent risk management controls to those they have with contact Chip & PIN. The strength of the cryptograms may need to be reviewed but I see no reason why the same liability regime shouldn’t exist for contactless with online PIN that exists today for Chip & PIN.
The only other issues that might need some thought are:
1. The issue of signalling incomplete or declined contactless transactions. As you are aware the BRC is bleating about the many millions of pounds lost when customers walk away with goods when the transaction fails to complete correctly. Not sure what they think is the answer, audible bleeps having been ruled out way back and the chances of getting consumers to look at the terminal display is very slim 😂
2. The impact online PIN has on transaction times, contactless is successful because it is extremely quick. We have already placed a pause in the process with online authorisation and now we are considering a longer pause whilst consumers enter a PIN. Someone is going to ask what does this give us over and above what we get with Chip & PIN? If the answer is not compelling then the cost of such a change to the POS infrastructure might make the business case less attractive.
It is time for the debate to be had and high time the schemes and UK Finance stopped sitting on the fence on this. I know it’s hard but I know that this question has been asked many times in the last 5 years (I wonder who may have asked it 😜).
Hi David, thanks for the comment, as always makes perfect sense.
Online PIN is the sensible route forward, I do worry that the £100 limit is masking the need for an infrastructure upgrade (a lot of which has already been put in place by UPI for their card acceptance).