FCA: Strong Customer Authentication – Contactless Payments at Point of Sale (Article 11)


Following concerns raised by UK Finance (UKF) on behalf of card issuers and acquirers, we have received proposals for how firms intend to comply with the requirements of the Article 11 exemption (Contactless Payments at Point of Sale) in the Regulatory Technical Standards on Strong Customer Authentication and Common & Secure Communication (SCA-RTS).

We believe this issue is relevant to all UK card issuers and acquirers beyond UKF’s membership. We have set out our position below.

Background

The SCA-RTS became applicable on 14 September 2019. It includes exemptions to the application of Strong Customer Authentication (as defined in the Payment Services Regulations 2017 (PSRs)).

One such exemption is the contactless exemption at Article 11. Issuers may choose not to apply SCA to contactless point of sale transactions where the following conditions are met:

  • (a) the individual amount of the contactless electronic payment transaction does not exceed EUR 50; and
  • (b) the cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of strong customer authentication does not exceed EUR 150; or
  • (c) the number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of strong customer authentication does not exceed five.

The FCA understands the industry is pursuing two options to comply with the conditions in Article 11:

  • host-based solutions; or
  • chip-based solutions

Host-based solutions enable real time monitoring for online point of sale (POS) transactions, but cannot account, in real time, for offline POS transactions.

Chip-based solutions cater for transactions at both online and offline POS terminals, but only recently became available and will require re-issuance of new chip cards to existing cardholders.
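The sketch below is an added example, not FCA or industry code: it models a host-based counter for the Article 11 conditions and shows why an offline transaction can only be assessed after the event. The class and function names, the `pin_capable` flag and the choice to count the payment being assessed towards both limits are assumptions made for illustration.

```python
from dataclasses import dataclass

LIMIT_SINGLE = 50_00       # condition (a): EUR 50, held in cents
LIMIT_CUMULATIVE = 150_00  # condition (b): EUR 150, held in cents
LIMIT_COUNT = 5            # condition (c): five consecutive transactions

@dataclass
class HostCounters:
    """Per-card issuer-host state since the last SCA (hypothetical model)."""
    use_count_rule: bool = False  # issuer tracks (c) instead of (b)
    total: int = 0                # cumulative contactless amount, cents
    count: int = 0                # consecutive contactless transactions

    def exempt(self, amount: int) -> bool:
        """True if a contactless payment of `amount` cents may skip SCA.
        Assumption: both counters include the payment being assessed."""
        if amount > LIMIT_SINGLE:
            return False
        if self.use_count_rule:
            return self.count + 1 <= LIMIT_COUNT
        return self.total + amount <= LIMIT_CUMULATIVE

    def _record(self, amount: int) -> None:
        self.total += amount
        self.count += 1

    def authorise_online(self, amount: int, pin_capable: bool = True) -> str:
        """Real-time decision at an online POS terminal."""
        if self.exempt(amount):
            self._record(amount)
            return "approve"
        if not pin_capable:
            return "decline"
        self.total = self.count = 0  # SCA applied, so the counters restart
        return "step-up"

    def post_offline(self, amount: int) -> str:
        """Offline transaction that reaches the host only after the event."""
        if self.exempt(amount):
            self._record(amount)
            return "accept"
        return "decline-after-event"

def demo() -> list[str]:
    """Constructed sequence: four online taps, then two late offline taps."""
    card = HostCounters(use_count_rule=True)
    online = [card.authorise_online(10_00) for _ in range(4)]
    return online + [card.post_offline(5_00), card.post_offline(5_00)]
```

In `demo()` the sixth tap has already completed at the terminal by the time the host sees it, so the only control left to a host-based solution is the after-the-event decision.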

We understand that many card issuers do not yet have the systems and controls to consistently ensure compliance with conditions of Article 11 SCA-RTS. However, we note that most issuers already step-up authentication on some transactions as part of existing controls.

FCA position

We recognise the benefits to consumers and merchants of ongoing use of contactless card transactions in the UK.

The legal deadline for complying with the SCA requirements in the PSRs and the RTS was 14 September 2019. All firms facilitating contactless card transactions should be making every effort to have the appropriate systems and controls to ensure that all contactless payments meet the conditions of Article 11 as soon as possible (if such systems and controls are not already in place).

Firms must look for the most suitable way in which to comply as soon as possible.

Firms may comply via a host-based solution, or a chip-based solution through the re-issuance of compliant chip-based cards. In both cases, firms should consider the risk of unauthorised and/or non-compliant contactless transactions being made and monitor the implementation of the chosen solution. For firms choosing a chip-based solution, we expect them to prioritise identification and re-issuance of those cards that are used by customers to make contactless payments.

We understand that a period of adjustment may be needed to ensure minimal disruption, but we urge the industry to comply as quickly as possible, and by no later than 14 March 2020.

After 14 March 2020, failure to comply with the requirements for SCA in contactless transactions will be subject to full FCA supervisory and enforcement action as appropriate.

Contactless Charitable Donations

We are aware of concerns within the charity sector that the new requirements on SCA may lead to a level of disruption in the existing use and future growth of contactless donations.

Given the social benefit of contactless donations, and the associated low risk of fraud, we strongly encourage card issuers and acquirers to continue to work with the charity sector to ensure that contactless donations are not disproportionately disrupted as a result of the new requirements on SCA.

Contactless charitable donations are typically made using offline terminals without functionality to support PIN entry if a transaction is stepped-up for authentication. We understand charities prefer such devices because they avoid queues building, which would otherwise likely cause the total value of donations to fall significantly.

The introduction of SCA requirements does not mean that these terminals need to be replaced. The industry may continue to process those payments as they currently do, including by deciding to decline some of these transactions after the event.

While we think the number of payments that are declined may increase with the application of the new conditions of the contactless exemption, we think, based on the information shared by the industry, that this increase is likely to be small.

We will work with the industry to monitor the impact of these changes on the number of payments declined. If the rate of decline increases unexpectedly we will consider what further steps we can take to ensure contactless payments continue to work well for charities.
