Following concerns raised by UK Finance (UKF) on behalf of card issuers and acquirers, we have received proposals for how firms intend to comply with the requirements of the Article 11 exemption (Contactless Payments at Point of Sale) in the Regulatory Technical Standards on Strong Customer Authentication and Common & Secure Communication (SCA-RTS).
We believe this issue is relevant to all UK card issuers and acquirers beyond UKF’s membership. We have set out our position below.
The SCA-RTS became applicable on 14 September 2019. It includes exemptions to the application of Strong Customer Authentication (as defined in the Payment Services Regulations 2017 (PSRs)).
One such exemption is the contactless exemption at Article 11. Issuers may choose not to apply SCA to contactless point of sale transactions where the following conditions are met:
- (a) the individual amount of the contactless electronic payment transaction does not exceed EUR 50; and
- (b) the cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of strong customer authentication does not exceed EUR 150; or
- (c) the number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of strong customer authentication does not exceed five.
The FCA understands the industry is pursuing two options to comply with the conditions in Article 11:
- host-based solutions; or
- chip-based solutions
Host-based solutions enable real time monitoring for online point of sale (POS) transactions, but cannot account, in real time, for offline POS transactions.
Chip-based solutions cater for transactions at both online and offline POS terminals, but only recently became available and will require re-issuance of new chip cards to existing cardholders.
We understand that many card issuers do not yet have the systems and controls to consistently ensure compliance with the conditions of Article 11 of the SCA-RTS. However, we note that most issuers already step up authentication on some transactions as part of existing controls.
We recognise the benefits to consumers and merchants of ongoing use of contactless card transactions in the UK.
The legal deadline for complying with the SCA requirements in the PSRs and the RTS was 14 September 2019. All firms facilitating contactless card transactions should be making every effort to have the appropriate systems and controls to ensure that all contactless payments meet the conditions of Article 11 as soon as possible (if such systems and controls are not already in place).
Firms must look for the most suitable way in which to comply as soon as possible.
Firms may comply via a host-based solution, or a chip-based solution through the re-issuance of compliant chip-based cards. In both cases, firms should consider the risk of unauthorised and/or non-compliant contactless transactions being made and monitor the implementation of the chosen solution. For firms choosing a chip-based solution, we expect them to prioritise identification and re-issuance of those cards that are used by customers to make contactless payments.
We understand that there may be a period of adjustment to ensure minimal disruption, but we urge the industry to comply as quickly as possible, and by no later than 14 March 2020.
After 14 March 2020, failure to comply with the requirements for SCA in contactless transactions will be subject to full FCA supervisory and enforcement action as appropriate.
Contactless Charitable Donations
We are aware of concerns within the charity sector that the new requirements on SCA may lead to a level of disruption in the existing use and future growth of contactless donations.
Given the social benefit of contactless donations, and the associated low risk of fraud, we strongly encourage card issuers and acquirers to continue to work with the charity sector to ensure that contactless donations are not disproportionately disrupted as a result of the new requirements on SCA.
Contactless charitable donations are typically made using offline terminals without functionality to support PIN entry if a transaction is stepped up for authentication. We understand charities prefer such devices because they avoid queues building, which would otherwise be likely to reduce the total value of donations significantly.
The introduction of SCA requirements does not mean that these terminals need to be replaced. The industry may continue to process those payments as they currently do, including by deciding to decline some of these transactions after the event.
While we think the number of payments that are declined may increase with the application of the new conditions of the contactless exemption, we think, based on the information shared by the industry, that this increase is likely to be small.
We will work with the industry to monitor the impact of these changes on the number of payments declined. If the rate of decline increases unexpectedly we will consider what further steps we can take to ensure contactless payments continue to work well for charities.