We are pleased to feature a guest blog from Timur Yunusov at Payment Village – Timur unpacks the topic of contactless cumulative limits and how they work.
If you live in the UK, you might have noticed changes in how you pay with your contactless card in the last few years. It was fairly obvious back in the day: you could tap your card if the purchase amount was below £30, and you had to insert the card and use the chip if it was above £30. But it’s not so simple anymore – every now and then the terminal declines the payment, to your embarrassment, and asks you to insert the card and enter the PIN even when you are buying a £1 newspaper. Sometimes you may not even remember the PIN for some of the cards you only ever used to tap.
There is a reason for that, and the reason is called “Cumulative Limits”.
Cumulative Limits are part of Strong Customer Authentication (SCA), which in turn is part of a larger piece of financial-market regulation that came into effect in 2019 – PSD2 (the revised Payment Services Directive).
The overall goal of SCA is to make transactions more secure and finally get rid of outdated forms of payment such as magstripe, or online payments without 3-D Secure.
Cumulative Limits, in particular, affect contactless payments to tackle “Tap and Go” fraud.
Let us dig a bit deeper into that area. First of all, the UK is a unique country when it comes to contactless limits. Most countries have “Soft Tap and Go Limits”. For example, if a payment in the EU is above the €50 “Tap and Go” limit, the customer can still tap the card, but they will have to enter the PIN on the PIN pad. In the UK, that is impossible – the terminal will ask you to dip your card using the chip, and only after that will you be asked to enter the PIN. That is known as a “hard limit”. As you can see, it’s not very convenient. That is why the payment systems (Visa, Mastercard) and banks were eager to increase these limits. Before COVID, the UK hard limit was £30, shortly after it was £45, and nowadays it is £100.
A security loophole is allowing fraudsters to break the £30 spending limit for contactless bank cards. Banks and retailers are allowing customers to cover a single bill of more than £60 by making several ‘tap-and-go’ payments of £30 each.
That was the warning from the Daily Mail in 2019 (https://www.dailymail.co.uk/news/article-7539837/Contactless-card-crooks-cashing-thanks-double-tap-trick.html), and it was one of the reasons why losses from stolen cards have always been so high.
As you can imagine, the volume of such fraud would have spiked along with the increased limits. This is where Cumulative Limits come into play. PSD2 mandates that after five low-value purchases below the Tap and Go limit OR a cumulative amount equal to five maximum payments (I will use the up-to-date example: 5 * £100 = £500), the customer has to carry out additional verification. For card payments, that is either inserting the card and entering the PIN, or verifying in another manner which I will talk about in a minute.
The majority of banks have built their own implementations in accordance with the PSD2 regulation. However, there are also vendor solutions as well as open-source ones.
For example, in 2019, “Salt Edge, a financial API platform with PSD2 and Open Banking solutions, has presented to the open source community its new project – Salt Edge Authenticator” (Read more: https://thepaypers.com/payments-general/salt-edge-releases-an-open-source-solution-for-sca-and-dynamic-linking-under-psd2–1239352).
Cumulative limits in action
Let us look at how prepared UK banks are and what exactly their solutions look like. For the demonstration, I took one Monzo card and one Revolut card.
The official Monzo statement is that even though they have “increased the limit for contactless card payments from £45 to £100 *** you’ll be able to spend a total of £200 using contactless, before we ask you to put your PIN in. This could be two £100 payments, five £40 payments, or 20 payments for £10, for example.” (Read more: https://monzo.com/blog/youll-be-able-to-make-contactless-payments-up-to-gbp100-to-make-paying-more)
Let’s see this in action:
Step 1. Making a £100 contactless purchase. Everything goes frictionless:
Step 2. Making another £80 payment. The Monzo app is already warning us that it could ask us to insert the card and use the chip next time:
Step 3. But if the cardholder makes only a £20 payment, the limit won’t be reached, so no PIN will be asked for at that point:
Step 4. But after the Cumulative Limit of £200 is reached, no more contactless payments are allowed:
And even if you don’t have your phone, most terminals will suggest what to do next:
From now on, until the card is inserted and the chip is used, no more contactless payments can be made:
Revolut, on the other hand, still has a £45 limit for a single purchase, and the total Cumulative Limit is £145, which is less than four £45 payments in total.
Looking at the same steps:
Step 1. Making a £45 contactless purchase. No issues.
It is also easy to track the spending in the mobile app:
Step 2. Making a few payments of £1–£45 each. After £100 has been spent, the app starts prompting you either to reset the limit or to use the chip:
At this point, cardholders can already make their lives easier and reset the Cumulative Limit counter back to zero:
Step 3. If they don’t, and the total amount spent exceeds £145, the customer meets the same situation: the payment terminal asks them to insert the card:
Most banks carry out these checks during transaction authorisation, and they tend to check the total amount that has been spent rather than the number of payments made. For example, if a customer makes five £5 purchases, the PSD2 requirement would already be triggered, but most banks prefer to wait until the overall spend exceeds their own spending limit, such as £225, £145 or similar.
After the limit is reached, the bank has two options: ask the customer to insert the card instead of tapping, or let them reset the limit in the mobile app, which is sometimes more convenient for the customer.
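To make the authorisation logic described above concrete, here is an added Python model of an issuer-side cumulative-limit check; it is not code from Monzo, Revolut, Payment Village or the author. It enforces the hard single-tap limit, optionally the strict five-tap PSD2 count, and the amount-based total, and shows the counters being zeroed after chip+PIN or an in-app reset. The Monzo (£100 / £200) and Revolut (£45 / £145) figures come from the post; the class, function names and pence-based amounts are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class CardSca:
    """Issuer-side cumulative-limit counters for one card.
    Constructed illustration (amounts in pence), not any bank's real logic."""
    single_limit: int            # hard per-tap limit; above it the UK terminal asks for chip
    cumulative_limit: int        # total contactless spend allowed before SCA
    enforce_count: bool = True   # True = strict PSD2 five-tap reading; False = amount only
    max_count: int = 5
    spent: int = 0
    count: int = 0

def authorise_contactless(card: CardSca, amount: int) -> str:
    """Decide one contactless authorisation: 'approve' or 'decline_use_chip'."""
    if amount > card.single_limit:
        return "decline_use_chip"          # hard single-tap limit (UK behaviour)
    if card.enforce_count and card.count >= card.max_count:
        return "decline_use_chip"          # five low-value taps since the last SCA
    if card.spent + amount > card.cumulative_limit:
        return "decline_use_chip"          # cumulative amount would be exceeded
    card.spent += amount
    card.count += 1
    return "approve"

def reset_after_sca(card: CardSca) -> None:
    """Chip+PIN, or an in-app reset, zeroes both counters (the two options the post names)."""
    card.spent = 0
    card.count = 0

def monzo_walkthrough() -> list:
    """Replays steps 1-4 of the post (£100, £80, £20, then a £1 tap), then a retry after PIN."""
    card = CardSca(single_limit=10000, cumulative_limit=20000, enforce_count=False)
    outcome = [authorise_contactless(card, a) for a in (10000, 8000, 2000, 100)]
    reset_after_sca(card)                  # cardholder dips the card and enters the PIN
    outcome.append(authorise_contactless(card, 100))
    return outcome

def six_small_taps(enforce_count: bool) -> list:
    """Six £5 taps on a £45 / £145 card: the strict count stops the sixth,
    the amount-only policy most banks use lets it through."""
    card = CardSca(single_limit=4500, cumulative_limit=14500, enforce_count=enforce_count)
    return [authorise_contactless(card, 500) for _ in range(6)]

if __name__ == "__main__":
    print(monzo_walkthrough())
    print(six_small_taps(True))
    print(six_small_taps(False))
```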
Although these scenarios are the most popular, a few banks have developed their own “novel” schemes. One example: the now-defunct Bo bank (an RBS attempt to jump into fintech) implemented a five-transaction counter on the card itself. As a result of that decision, Bo asked customers to throw away their cards and had to reissue them “to more than 6,000 of its customers who signed up to the app before January 3, in an effort to comply with new EU banking rules.” (Read more: https://www.thisismoney.co.uk/money/saving/article-7971111/RBSs-digital-bank-Bo-tells-customers-shred-cards.html)
Earlier in 2021, I took six UK cards and checked their security, asking a very simple question: is it possible to make more than five £45 purchases and spend more than £225? Unfortunately, most banks allowed me to bypass these limits using some well-known hacking techniques. Examples of these fraudulent scenarios are available in our whitepaper: https://www.paymentvillage.org/resources/card-fraud-in-a-psd2-world-a-few-examples.
Implementation of Strong Customer Authentication and Cumulative Limits didn’t go smoothly from the beginning. PSD2 should have been in place by the end of 2019.
Only a few banks had implemented Cumulative Limits for their contactless cards by that time. In 2020, because of COVID, the Financial Conduct Authority said, “it is unlikely to take enforcement action against firms if they choose not to apply SCA.” (Source: https://www.linklaters.com/en/insights/blogs/fintechlinks/2020/april/fca-relaxes-authentication-rules-for-payment-transactions-as-contactless-limit-increases).
If you prefer high-street banks, most likely you won’t see Cumulative Limits affecting your contactless card operations. A few big banks like Lloyds, however, have already implemented a feature that allows their customers to choose an individual contactless limit per transaction in the range from £0 to £100.
If you are a neo-bank cardholder, it’s more likely that your bank will implement Cumulative Limits, as neo-banks are trying to be at the front line of technology and make their customers’ experience significantly different from that of their competitors. When the implementation arrives, it’s likely that you will meet some inconvenience at first. However, neo-banks give a lot of flexibility and make contactless payments a new routine.
Timur Yunusov is one of the Payment Village organisers. The ultimate goal of this non-commercial organization is to share knowledge about payment security domains and make payments simpler for experts and more secure for users.