September 17, 2019
Contactless gets a makeover in the UK
By Michel Roig
The deadline hanging over Europe is finally here. No, not Brexit, but PSD2’s September 14 mandate for the implementation of SCA (or, to those unfamiliar, Strong Customer Authentication). The European law and its implementation by banks has stirred a lot of discussion across the continent – especially in the UK.
Already leaders in the open banking game, it's unsurprising that the British banking world has raced ahead in implementing – and commenting on – enhancements to their authentication methods.
Wait, what is SCA?
SCA outlines that strong authentication (a secure way to validate it’s you making the payment) needs at least two of the following: something you know (e.g. your PIN), something you have (e.g. your card), something you are (e.g. biometric ID).
As contactless card payments only have one of these elements, the new rules mean banks are required to request PIN entry after every five contactless payments, or once your payments have totaled £135.
Challenger banks in the UK, such as Revolut and Starling, have been especially proactive in their communications on SCA. The message of making contactless more secure is an especially pertinent one in the UK. While a nation of contactless lovers, fear of fraud remains high.
Undoubtedly, SCA mandates will improve security if your card “fell into the wrong hands”. But SCA will also increase friction in some cases. For example, with increased PIN entry requests, contactless may be more secure, but it’s also less convenient…
Revolut has already implemented a method to help combat this, sending mobile push notifications just before you’ll need to authenticate again and enabling consumers to reset their payment limit with fingerprint or face ID in-app. But that’s not the only way biometrics can help.
Bridging the gap
Biometric payment cards offer the perfect answer to SCA requirements. By adding strong authentication to the ‘tap’, consumers can benefit from greater security without harming the user experience of contactless or slowing throughput time for merchants!
With the UK’s successful mobile-only challenger banks already utilizing biometrics to authenticate in-app, adding biometrics to payment cards brings authentication harmony across form factors. And in recent weeks, the biometric payment card has garnered even more traction in the UK market.
Use case: BBC explores “the biggest change to payment cards for a decade”
Just a few weeks ago, the BBC (or the British Broadcasting Corporation for those not familiar) got its hands on major UK bank NatWest’s biometric payment card, currently being trialled. Journalist Dan Simmons spoke with our partners NatWest, RBS and Gemalto, to learn more about the details.
The segment went some way to dispel some common myths, explore the benefits and explain in simple terms how it all actually works.
“It’s not CSI!”
Georgina Bulkeley, Director of Strategy and Innovation at RBS and NatWest, went about “shattering television dreams” when probed about the spoof-ability of the new payment cards. An imprint, a stolen thumbprint from a glass, a high-res photograph…able to fool a biometric card? Not quite.
Smart algorithms capture a mathematical representation of your fingerprint – not an image – so high-resolution photographs can’t trick modern sensors. Advanced security features have also relegated cracking biometric systems with sellotape or gummy bear imprints to the realm of science fiction.
Gemalto’s MD Howard Berg also added that the smart new sensors ‘learn’ when your fingerprint has a slight variation such as a micro-scratch, to minimize false rejection rates.
Take it easy
“Consumers want experiences to be simple and easy,” Georgina added. By saying goodbye to the PIN and the fear of contactless card fraud at the same time, biometric payment cards really make sense.
Another crucial factor, and something demanded by banks and consumers, is the opportunity to remove the payment cap. NatWest and RBS cited lifting the £30 spending limit as a primary motivation for trialing the technology, which aligns with the opinions of a number of banks we spoke to in our research.
Journalist Dan happily took the card for a spin, now able to spend up to £100 a tap, with this likely to be “limitless” by the time it gets to market.
Ready to rock and enroll!
Viewers also saw Dan enroll his fingerprint onto the card with a simple self-enrollment device at home. Over 79% of banks think home enrollment is essential to success, but crucially, the process just needs to be a frictionless user experience that gets consumers onboard from the get-go.
So, as PSD2 and SCA hit the headlines in the UK and other European markets, it's clear banks have worked hard to bring additional security to contactless. But with banks like NatWest and RBS, it’s promising to see some are already taking this a step further: limiting the disruption of increased security with biometric trust.