Normal people don’t pay much attention to this sort of thing, but I was very interested to see a new sign outside my local Waitrose a few days ago…
I don’t ever remember seeing one of these signs before, but I was happy to see it all the same because thanks to COVID-19, people are discovering that using their mobile phone to pay for their weekly shop is pretty convenient (because the £45 limit does not apply, so you can pay for all of your shopping by mobile) and I doubt they’ll go back to cash. Barclaycard has just reported that more than 90 per cent of face-to-face transactions are now made using contactless (which increased by a quarter in 2019 compared with the year before).
So why is there no limit (well, £10,000 in Waitrose) on mobile payments? Well, it’s actually not a new development! As I wrote here back in 2016, when my colleagues at Consult Hyperion were advising a number of issuers and acquirers about high-value contactless payments and their implications at retail point-of-sale, “Waitrose takes contactless, and they’ve implemented in properly (with CDCVM)”.
If you are not familiar with CDCVM, here’s a quick primer on high-value contactless payments that I wrote a few years ago to explain how authentication options work with the contactless no-CVM (consumer verification method) limits. The no-CVM payment limit is for “tap and go” transactions where there is no PIN, signature or anything else required from the customers who are waving their cards over the contactless readers. This limit has just been raised from £30 to £45, which is why (I assume) that Waitrose had decided to put these signs outside the store.
The “Consumer Device Cardholder Verification Method” (CDCVM) is a type of CVM. CVM is, as I am sure you know, part of the EMV specifications, which allows for a number of different CVMs and any particular card will have the acceptable CVMs stored on it, in an order set by the bank that issued it.
CDCVM is the type of CVM that applies to transactions originating from a contactless device rather than a contactless card. Verification is used to evaluate whether the person waving the phone around to make a contactless transaction is in fact the legitimate user and affects where the liability lies for fraudulent transactions. It’s called device verification because the customer authenticates to their own device, not the reader in Waitrose. It’s not the point of this post, but frankly this is how everything should work in the future, since customers should never be required to authenticate themselves using any device that is not their own. Putting a PIN in your phone is better than putting a PIN into Waitrose’s terminal and not simply because you might catch a deadly disease from it.
When you have a device capable of implementing CDCVM, such as a phone with Apple Pay or Google Pay, then this is used as the CVM. Provided that the terminal is running the correct software, your phone will take care of verification and the issuer can then decided whether or not to authorise the transaction or not based on the enhanced authentication. In the UK the rollout of this “high value contactless” infrastructure began some time before the Apple Pay launch.
What all this means is that the £45 limit does not apply to mobile phones with strong authentication, provided the terminal is running the correct software, of course. Writing about this a few years ago, I noted more than once that consumers, as far as I could tell, needed the payments industry could do with some better communications around this sort of thing. Consumers are not aware of the high-value transaction capability of their devices, and if they were aware of these capabilities, they would have no way of knowing whether the retailer had implemented the necessary software change or not. So if I go to Tesco, for example, I would have no idea whether the limit is £45, £250 (which it is if I use the TescoPay app, plus extra Clubcard points) or whatever is for Apple Pay / Google Pay.
COVID is pushing us from contact to contact-free (via contactless), so now is a good time to follow Waitrose’s lead with clear messaging at POS to help consumers along on this journey.