Changes to Contactless and Online Security

I’m sure that many of you are already well aware of recent changes affecting the security experience for cards, but I’ve noticed that there are still a lot of questions about what this will mean in practice, and I will be happy to answer as many as I can (as they relate to how Dozens is implementing the regulations).

To kick things off, please read our blog post:

Everything you need to know about the new card regulations you’ve been hearing about

Card%20reg%20illustration%20large

The first change that we will all notice is an effect of SCA - Strong Customer Authentication. It means that contactless transactions will be limited to 5 ‘taps’ or a total of £135 (€150) before you will need to confirm that you still have the card.

The best way I have found to understand this is that it is similar to having a session on a website - you log in to prove it is you, but after a while you are automatically logged out so no-one else can come along and use your account on an unattended computer. If you want to keep shopping, then you need to log in again.

It will not affect TfL and some other tap-and-go transactions, but we will all have to get used to putting the card in the reader a bit more often than we have been used to recently.

The second is that we are rolling out 3DS for all customers - you may not see it yet for all online transactions, but it will happen for all shortly.

The point here is that since for some transactions, neither the customer NOR the card are present, and so to know the transaction is genuine, we will need to ask for confirmation using a second factor - such as sending you an SMS on your registered mobile, or getting you to log into the app.

The technical implementation will develop over time, but you will see this being requested more regularly soon.

If you have any questions or comments, please do let us know here and we will do our best to answer them

5 Likes

Why oh why not use an authenticator app instead of SMS?

Authy/Google Authenticator would be amazing!

1 Like

Well, it is a great potential solution.

However, very few people use such tools, and those who do, use various different ones. It creates lots of new problems, and makes it quite a technical solution (transferring your authenticator account from one device to another requires skills worth of Bletchley Park, particularly if it has been lost).

However, that is not to say that we are not working on adding further options and streamlining the process. We will definitely look into this more and hopefully find a solution that helps our particular customers.

An in-app notification unless specifically requesting SMS would be good.

Where I live mobile signal is actually very hit and miss, I’m lucky I have a signal booster, but I know my neighbours don’t, so SMS options for them would not work. I know people seem to think the whole country is covered by mobile signal and it works all the time, so SMS is great, in practice it does not for lots of people. And I only live 20 miles outside of London.

So I think a choice SMS or App notifications is better as it covers all eventualities, if you have your phone then you will have access to App notifications if you are in a poor signal area.

When I was in Italy the mobile signal was so bad I had to get a local SIM card, so SMS notifications would affect those travelling in some countries as well. SMS just seems a backwards step.

3 Likes

Same here - no mobile signal at home. I have changed to ID Mobile to get WiFi calling but that is inconsistent. With lots of institutions using SMS OTP as well I struggle to use on-line banking etc. On-line shopping will probably have to stop - which may not be a bad thing :smiley:, and whilst I appreciate the need I don’t like the additional friction. R-

Well, it doesn’t have to be all or nothing.

Google, Amazon etc all let you set up multiple options, so authenticator, SMS and second phone number, for example. So it’s not so catastrophic if you lose one method.

Also, backup codes! You could even have a pinentry type code generator as a backup backup.

Loads of ways to do this elegantly.