Waving in Waitrose

Normal people don’t pay much attention to this sort of thing, but I was very interested to see a new sign outside my local Waitrose a few days ago…

Wave Wonga at Waitrose

I don’t ever remember seeing one of these signs before, but I was happy to see it all the same because thanks to COVID-19, people are discovering that using their mobile phone to pay for their weekly shop is pretty convenient (because the £45 limit does not apply, so you can pay for all of your shopping by mobile) and I doubt they’ll go back to cash. Barclaycard has just reported that more than 90 per cent of face-to-face transactions are now made using contactless (which increased by a quarter in 2019 compared with the year before).

So why is there no limit (well, £10,000 in Waitrose) on mobile payments? Well, it’s actually not a new development! As I wrote here back in 2016, when my colleagues at Consult Hyperion were advising a number of issuers and acquirers about high-value contactless payments and their implications at retail point-of-sale, “Waitrose takes contactless, and they’ve implemented in properly (with CDCVM)”.

If you are not familiar with CDCVM, here’s a quick primer on high-value contactless payments that I wrote a few years ago to explain how authentication options work with the contactless no-CVM (consumer verification method) limits. The no-CVM payment limit is for “tap and go” transactions where there is no PIN, signature or anything else required from the customers who are waving their cards over the contactless readers. This limit has just been raised from £30 to £45, which is why (I assume) that Waitrose had decided to put these signs outside the store.

The “Consumer Device Cardholder Verification Method” (CDCVM) is a type of CVM. CVM is, as I am sure you know, part of the EMV specifications, which allows for a number of different CVMs and any particular card will have the acceptable CVMs stored on it, in an order set by the bank that issued it.

CDCVM is the type of CVM that applies to transactions originating from a contactless device rather than a contactless card. Verification is used to evaluate whether the person waving the phone around to make a contactless transaction is in fact the legitimate user and affects where the liability lies for fraudulent transactions. It’s called device verification because the customer authenticates to their own device, not the reader in Waitrose. It’s not the point of this post, but frankly this is how everything should work in the future, since customers should never be required to authenticate themselves using any device that is not their own. Putting a PIN in your phone is better than putting a PIN into Waitrose’s terminal and not simply because you might catch a deadly disease from it.

When you have a device capable of implementing CDCVM, such as a phone with Apple Pay or Google Pay, then this is used as the CVM. Provided that the terminal is running the correct software, your phone will take care of verification and the issuer can then decided whether or not to authorise the transaction or not based on the enhanced authentication. In the UK the rollout of this “high value contactless” infrastructure began some time before the Apple Pay launch.

66B9D7E7 9A57 40D8 BD88 1919B9EA2D1E

What all this means is that the £45 limit does not apply to mobile phones with strong authentication, provided the terminal is running the correct software, of course. Writing about this a few years ago, I noted more than once that consumers, as far as I could tell, needed the payments industry could do with some better communications around this sort of thing. Consumers are not aware of the high-value transaction capability of their devices, and if they were aware of these capabilities, they would have no way of knowing whether the retailer had implemented the necessary software change or not. So if I go to Tesco, for example, I would have no idea whether the limit is £45, £250 (which it is if I use the TescoPay app, plus extra Clubcard points) or whatever is for Apple Pay / Google Pay.

COVID is pushing us from contact to contact-free (via contactless), so now is a good time to follow Waitrose’s lead with clear messaging at POS to help consumers along on this journey.

Some off-the-cuff comments on in-the-cuff payments

It’s amazing what sort of things trendy youngsters in the payments space are getting up to these days. Only today, I read that the UK-based DressCode has released “the ultimate in geek chic“, which turns out to be a shirt with a pocket in the cuff to hold a contactless chip for payments.

The ultimate in geek chic? Sorry dudes. I had a Thomas Pink “Commuter” shirt back in 2006! The Commuter shirt had two features that I really liked at the time. It had a channel running up the inside to carry earphone cables tucked away out of sight. These connected through a hole in a side pocket so that you could keep your iPod snug and out of the way while strolling through London’s fashionable West End listening to the mighty Hawkwind. The shirt also had that second pocket in the cuff to hold a contactless card.

It was designed really for Oyster cards, but we put Visa cards in the pocket to make purchases using standard POS terminals with contactless interfaces. As I recall, we bought a few of them as presents for some of our favourite customers as well! Anyway, I went upstairs and got it out of the wardrobe to model it for you:


The point I used to make was that contactless was about more than the interface, it was about form factors and that it would lead to innovation and I used the shirt to show an example of innovation beyond the card itself. Although the shirt was fun and helped to make an interesting demo about contactless payments in conference presentations, I thought it had two design flaws.

First of all, the pocket was behind the cuff on the top of the wrist. This meant you had to lay the back of your forearm across the contactless POS terminal or Oyster card reader. The pocket really should have been on the underneath of the forearm near the wrist to make paying a more natural action.

The second problem was that if you were wearing a suit and coat, it was hard to get the card close enough for the reader. I remember thinking at the time that I wished that the pocket was in my suit rather than in my shirt.

Naturally, being a consultant rather than an entrepreneurial business go-getter my thoughts went no further. I was surprised to see that only eight years later some entrepreneurial Aussies went and did just as I’d thought about, and put the payment card pocket in the suit! I found out that the dynamic and chic (I assume) menswear specialists M.J. Bale and Visa had teamed up to create a suit with a contactless payment chip and antenna woven into the sleeve! Apparently the “power suit will let men pay ‘invisibly’ wherever Visa payWave is accepted”. I expect they were planning something for the ladies too but it’s not mentioned in the article.


Anyway, how fun. These days of course I wouldn’t use either the cable run (because I have AirPods – in fact I have AirPods2 which are absolutely awesome) or the card (because I have a smartphone and that’s what I use to pay). Nevertheless, I wish DressCode all the best with their chic project.