By Peter Alcock, head of product marketing at NMI
https://www.nmi.com/eu
A nail in the coffin for cash
Recent surveys found more than half of UK businesses would remove the option of cash payments in stores, and even more are urging that the contactless payment cap be increased still further. Likewise, kiosk operators must be prepared to support unattended contactless payments, as consumer sentiment shifts towards these being a need rather than just a want. So what do these payments look like in action for kiosk operators and payment system integrators as adoption accelerates and contactless payment limits in the UK increase?
Take it to the limit
With banks and retailers’ associations pushing hard, it seems that a near doubling of the contactless limit is inevitable later in 2021. But is this all good?
During the early part of the pandemic, the contactless payment limit was increased from £30 to £45. In January this year, the UK Financial Conduct Authority consulted the payments industry on whether the contactless limit should be increased again, to £100 or £120.
Retailers love contactless payments. This payment option is fast and reduces queues, and retailers are not liable for most fraud if someone uses a stolen card. This is because contactless transactions accepted on an approved, bank-certified terminal are deemed to be as secure as Chip and PIN. The merchant is indemnified through the liability shift, and it is the banks (issuers) that have to take the hit. The banks are clearly willing to accept this greater liability because the higher limit enables greater cardholder convenience and, presumably, shoppers are likely to spend more.
Since around 2017, contactless transactions have been authorised online. This means that seconds after a card is reported to the bank as being lost or stolen, a transaction attempted with that card will be declined. Therefore, the window of opportunity for a thief is the time between gaining illegal possession of the card and it being reported lost. During that time, up to five contactless transactions can be made toward the cumulative value limit set by the bank. If the contactless transaction limit is raised, so too will the cumulative limit. In turn, the value of the goods that can be fraudulently purchased goes up, which would seem to be even more bad news for the banks.
From a cardholder’s standpoint, it’s important to realise that if, say, a debit card is stolen and fraudulent transactions made, they will initially come out of the cardholder’s account. They will be refunded by the bank in due course, but for those who are financially vulnerable, it could cause utility direct debits or rent payments to fail, bringing immense hardship. If the limit was raised to £100, a cardholder would suffer twice the size of short-term loss if their card was stolen, and the impact on the lives of those already struggling to make ends meet could be catastrophic.
Since the introduction of Chip and PIN, card-present fraud has fallen as everyone expected, and EMV Chip and PIN is regarded worldwide as the gold standard in terms of payment security. Its true two-factor authentication is all but uncrackable. Chip and PIN is the proper system for high-value card payments. Raising the contactless limit takes a system designed for fast, low-value payments and tries to use it for something it was never intended for.
The impact of SCA on kiosks accepting payments
If you accept contactless card payments on your kiosks, you’ll doubtless be aware of the latest change to hit the industry – Strong Customer Authentication, or SCA. This means when a customer buys something from one of your machines and pays with a contactless card, they may be prompted to insert their card and enter a PIN. This is fine if your payment device has a card slot and a PIN pad, but a problem if it doesn’t. Potentially a lost sale and/or an unhappy customer.
To see why this isn’t a new or significant problem, it’s useful to understand how contactless transactions work. Around five years ago, card issuers had 70 million contactless cards in issue in the UK and the card schemes made a real push to get retailers to upgrade their card terminals and to encourage cardholders to use them for low-value payments. The self-service industries such as vending, parking, tolls and kiosks could take card payments with just a tap, with no need to verify the transaction with a PIN. The only proviso was that the transaction had to be under the contactless limit – at the time around £30 – and that there was a limited number of sequential contactless transactions or cumulative value that could be made before re-validating your card through a Chip and PIN transaction. So all was well, and low-cost card payment for vending was realised.
Separately to all this, the EU Payments Services Directive (PSD2) brought in new laws in January 2018 to improve consumer rights and reduce many kinds of payment fraud. An important element of PSD2 is SCA, commonly known as two-factor authentication.
For certain contactless transactions made using a card or smartphone, the cardholder will need to provide additional identification. This could be in the form of a PIN, a biometric or a one-time passcode sent to a phone. Now all this is fine, and understandable for general retail or eCommerce, but why should it have to apply to kiosks? Let’s examine the risks associated with credit card payment:
- The majority of kiosk transactions are at a low average transaction value.
- The services provided are not normally able to be resold for cash.
PSD2 provides a number of exemptions to SCA to minimise friction in customer payment journeys, and one of these is the Merchant Category Code (MCC) exemption. Unattended transactions from Parking, Road and Bridge Tolls and Transportation Ticketing are exempt from SCA. In the UK, contactless charity donations are also exempt.
The other relevant provision is the low-value exemption. Card transactions below €50 are considered low value and are generally exempt from SCA. However, if the customer initiates more than five consecutive low-value payments or if the value of the total payments exceeds €100, SCA will be required.
So is the kiosk and vending industry being singled out? The important thing here is that for the low-value transactions we typically see in kiosks and vending, SCA is no different to the limits which are already in force for normal contactless transactions. The majority of vending customers will simply try another card if their first is declined. Remember, too, that a Google Pay or Apple Pay transaction always authenticates the user, so it will not be declined.
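The exemption rules above, as an added Python example (not from the article, a gateway SDK or any issuer's code): it tracks the consecutive and cumulative counters using the figures the article gives, so an integrator can see on which tap a reader without a card slot and PIN pad would hit a step-up request. The category labels, function names, outcome strings and the counter-reset behaviour are assumptions made for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Figures as stated in the article (EUR); issuers may configure their own.
LOW_VALUE_LIMIT = Decimal("50")    # "below EUR 50" counts as low value
MAX_CONSECUTIVE = 5                # more than five consecutive taps -> SCA
CUMULATIVE_LIMIT = Decimal("100")  # running total above EUR 100 -> SCA
# Hypothetical labels for the exempt unattended categories the article names.
EXEMPT_CATEGORIES = {"parking", "road_bridge_tolls", "transport_ticketing"}


@dataclass
class TapCounters:
    """Per-card counters since the last strongly authenticated payment."""
    consecutive: int = 0
    cumulative: Decimal = Decimal("0")

    def reset(self) -> None:
        self.consecutive, self.cumulative = 0, Decimal("0")


def sca_decision(counters, amount, category, wallet_authenticated=False,
                 has_pin_pad=False):
    """Return the expected outcome for one contactless tap at a kiosk."""
    amount = Decimal(str(amount))
    if wallet_authenticated:
        # Device biometric/passcode already supplied the second factor.
        # Assumption: the wallet token is tracked apart from the card counters.
        return "approved_authenticated"
    if category in EXEMPT_CATEGORIES:
        return "exempt_mcc"
    within_limits = (
        amount < LOW_VALUE_LIMIT
        and counters.consecutive + 1 <= MAX_CONSECUTIVE
        and counters.cumulative + amount <= CUMULATIVE_LIMIT
    )
    if within_limits:
        counters.consecutive += 1
        counters.cumulative += amount
        return "exempt_low_value"
    if has_pin_pad:
        counters.reset()  # assumption: the Chip and PIN step-up succeeds
        return "step_up_chip_and_pin"
    # No card slot or PIN pad: the tap cannot be completed on this reader.
    return "declined_no_step_up"


def simulate(taps, **kiosk):
    """Run constructed (amount, category) taps for one card, in order."""
    counters = TapCounters()
    return [sca_decision(counters, amt, cat, **kiosk) for amt, cat in taps]
```

On a tap-only reader the counters stay where they are after a decline, so the same card keeps being refused until it is re-validated elsewhere; that is the case the article describes as a potential lost sale.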
Why phone-based contactless payments are different
Mobile wallet schemes such as Google Pay and Apple Pay work by tokenising a user’s card details during the one-time registration process and securely storing these within the smartphone or tablet. The difference between a contactless card transaction and a mobile wallet transaction is that in order to invoke payment on a phone, some sort of authentication of the user has to take place, usually biometric or a passcode. This counts as a second factor in securing a contactless transaction, making it as good in banking terms as Chip and PIN. For this reason, the contactless limit doesn’t apply.
So how do I add contactless payment to my kiosk?
There are two elements to integrating a card payment device with a kiosk: the physical (how the reader is going to be mounted) and the electrical (how the reader will connect to your kiosk’s computer, and the software required to drive it). The first thing is to decide on a payment device based on the acceptance method you wish to offer (contactless, chip, magstripe) and whether payment values above the contactless limit will need to be accepted. For example, an airline ticketing kiosk may need to process transactions over £100, so a Chip and PIN device would be essential.
Most readers intended for use in unattended indoor environments such as those from Payter, Crane, Ingenico and OTI have an option to surface mount the reader or recess it into the kiosk itself, the latter being the neatest option.
Connecting the payment device to the kiosk’s controller computer is usually as simple as plugging in a USB cable. Processing transactions requires contracting with a payment gateway that acts as a link between your kiosk and the bank with which you have your merchant account. Check with the payment gateway that the payment device you want to use is certified with your bank. Next, either the gateway or the device manufacturer will provide you with an API (programming interface) or SDK (software development kit) to allow your kiosk software to send payment requests to the payment device. Once your developers have completed the integration and sent test transactions, you’re ready to deploy.