Contactless payments are becoming more secure 🔏

Rom Jackson

 · 09/11/2019

Contactless payment is a simple and convenient way of making smaller payments, but if your card ever fell into the wrong hands, and you didn’t freeze it in time, it could be bad news.

From 14th September, new regulations come into effect across the European Economic Area, limiting the number of contactless card payments you can make before needing to verify the payment.

In short, you’ll be able to make up to €150 (or other currency equivalent) of contactless payments before you’re asked to either pay with Chip & PIN, or log into the app to verify the payment.

It’s all about security

These new regulations are legally enforced in the EEA, and will apply to all regulated payment institutions. They’re being introduced to reduce the possible damage if your card is ever stolen or otherwise compromised. After all, if someone were to steal your card, it’s unlikely that they would also know your PIN.

That said, we fully understand that anything which might interrupt your experience is a hassle. That’s why we intend to make it as simple as possible to authenticate your payments, while simultaneously keeping your account safe.

Here’s what will happen when you approach the contactless payment limit:

  • We’ll send a notification to your phone, letting you know that you’re approaching the contactless payments limit (if you’re a business customer, you’ll get an email)
  • At this point, you can either make your next payment via Chip & PIN, or tap on the notification and reset your limit from the Revolut app (you will need to enter your PIN, or use fingerprint/face ID)
  • You’ll then be able to make a further €150 (or other currency equivalent) of contactless payments until the next required ‘limit reset’

If you reach the contactless payment limit without resetting, we’ll have to decline that payment, but we’ll send you another notification asking you to reset the contactless limit.

What’s included/not included

There are a couple of exceptions to these new rules. These include:

  • Apple Pay/Google Pay — These won’t count towards your contactless payment limit, so try to use these on contactless terminals instead of the card. Also consider topping up via Apple/Google Pay where you can
  • Unattended terminals — These include parking and travel ticket terminals, and won’t count towards your contactless payment limit

Authenticating with Magstripe

The magnetic stripe, or Magstripe, is the horizontal strip that runs along the back of your card. Payments using Magstripe will only work if the merchant has their terminal set up for ‘Magstripe + PIN’. If they have it set up for ‘Magstripe + signature’, you’ll need to insert your card and enter your PIN (or use Google/Apple Pay).

Strong Customer Authentication

All of these changes relate to something known in the industry as SCA, or Strong Customer Authentication. SCA is built around the idea that strong authentication (i.e. making sure that it’s you) is based on providing elements from at least two of the following three categories:

  1. Something you know — e.g. your PIN
  2. Something you have — e.g. your card
  3. Something you are — e.g. your fingerprint/face ID

Chip & PIN satisfies this on its own because it features something you have (the card) and something you know (the PIN). Contactless does not, because it only features elements from one of the categories (something you have). This is why contactless payments need this extra check every now and then.
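The limit handling and the two-of-three rule described above, modelled in Python as an added example (this is not Revolut's code). The 80% warning threshold, counting the registered phone as a possession element, restarting the count after a Chip & PIN payment, declining a payment that would take the total above the limit, and all names are assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

LIMIT = Decimal("150.00")          # cumulative contactless limit stated in the post (EUR)
WARN_AT = Decimal("0.80") * LIMIT  # assumed "approaching the limit" point; the post gives none

# Element -> SCA category. "registered_phone" as possession is an assumption.
CATEGORIES = {
    "pin": "knowledge",
    "card": "possession",
    "registered_phone": "possession",
    "fingerprint": "inherence",
    "face_id": "inherence",
}


def satisfies_sca(elements):
    """True when the elements come from at least two of the three categories."""
    return len({CATEGORIES[e] for e in elements}) >= 2


@dataclass
class ContactlessCounter:
    spent: Decimal = Decimal("0")  # contactless total since the last strong authentication

    def reset(self, elements):
        """In-app limit reset: only succeeds when the elements satisfy SCA."""
        if not satisfies_sca(elements):
            return False
        self.spent = Decimal("0")
        return True

    def authorise(self, amount, method, unattended=False):
        amount = Decimal(amount)
        if method == "chip_and_pin":
            # Card + PIN is SCA on its own; assumed to restart the count.
            self.spent = Decimal("0")
            return "approved"
        if method == "wallet" or unattended:
            # Apple Pay/Google Pay and unattended terminals are not counted.
            return "approved"
        if method != "contactless":
            raise ValueError(f"unknown method: {method}")
        if self.spent + amount > LIMIT:
            # Assumed rule: a payment that would exceed the limit is declined.
            return "declined_reset_required"
        self.spent += amount
        return "approved_notify" if self.spent >= WARN_AT else "approved"
```

Note that two elements from the same category, such as fingerprint plus face ID, do not pass `satisfies_sca`, which is the same reason a card-only tap needs the periodic extra check.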

Stronger together

Keeping your account safe from fraud is a top priority for both ourselves and the regulators. Thieves and fraudsters work hard to trick you and steal from you, so while measures such as these can seem like an inconvenience, they can also make a huge positive difference when you need it most.