Hello rev team,
I am asking for the ability to set a PIN number for the virtual cards, so we can pay for more than 30 EUR in stores using Google Pay.
Much respect,
Marios
Edit: definition of payment method and spelling.
I'm not sure if I understand your issue. Are you not able to pay contactless for more than 30 EUR with Google Pay/Fitbit Pay/Garmin Pay? If that's the case, I think that's an issue with older terminals.
There is a contactless limit and if you pass it the device asks for pin number in EU. I am not going to lie but I haven't yet got in a situation like that, but I have read from other people that it is happening.
I'm aware of the issue, I'm just curious how big of an issue it is. Personally, I've never run into the issue. As far as I know, it is only an issue with older terminals that accepted contactless payments when all you could use was "tap and pay" with your card and since then have not updated them.
I'm not saying having PINs for virtual cards would be great, but if it is an issue someone often faces you have two options: Pay with a regular card or add your physical card to your digital wallet. Personally, I don't look at this as a high priority.
My virtual cards are Visa and won't even work with Google Pay in PoS.
However, I need to enter PINs frequently and I do not think it has to do with the terminal. If I could add a Visa, a PIN of course would be great.
It doesn't actually work with your phone security code / PIN / fingerprint?!
Some countries have artificial limits on all of the terminals, this is mainly due to the way the country's banking system works (for instance PIN etc is verified by the bank themselves rather than the chip on the card).
It can also be due to a consensus within the country discussed by all the major banks, which has set the standard for example, to have 25€ cap with anything above requiring PIN. For instance I know ATMs have contactless like this.
So yeah, it's not an issue with outdated terminals. It's an actual issue that isn't going to change, too.
My suggestion would be to add PINs to the virtual cards or to not allow these cards for contactless payments. Probably I'd pick the latter, if you want contactless I'd have you get a physical card so you'd at least have a physical card if you needed it in your home.
I'm not sure if this is present in Norway (@BendikHa) or your country of residence/travel (@Iskender)
In Bulgaria for instance all contactless transactions above 25 BGN /around 12.5€/ require PIN.
I know from people that have Apple Pay enabled cards that for now when using them through Apple Pay this does not apply.
Apple gives country specific information about this on their Apple support pages. Bottom line is that it depends on many different things like national regulation, specific settings of POS terminals (merchants can override many settings) and contracts with payment network providers. Apple Pay is often considered a tiny bit more secure, which influences decisions about risk management and technical details about how a card is accepted. That's why Apple Pay might work for large amounts and Google Pay (or other mobile payment systems) do not.
The European Payments Council basically recommends strong 2FA (like a PIN) above around 25 EUR (if I remember this correctly), but it doesn't specify where this happens, on the POS terminal or on the phone itself via Touch ID / Face ID, like it is mandatory with Apple Pay. (That's actually one of the differences between Apple Pay and Google Pay: with Apple, all payments are always authorized, not only the ones larger than 25 EUR. The user can't skip this.)
It's the same threshold as for contactless card payments. Google Pay only needs additional authentication for payments above the threshold, it can handle on device authentication, but it seems many POS terminals aren't configured to accept on device CDCVM (Consumer Device Cardholder Verification Method).
That was a very detailed explanation! I didn't know about this so I want to clear it up.
You said that Apple Pay uses 2fa with every transaction, does the terminal know that you input the correct fingerprint? I thought it was just the phone that transmitted the NFC signal after the input, not the terminal accepting it.
If that's true, then theoretically, if I have my Android phone unlocked and not in the lock screen, I can pay for whatever the price may be without asking me for the pin number.
PS: I recently saw an article about a debit card with a fingerprint, that "allowed bigger transactions" to be executed. That may be the answer to my question itself.
Yes. Even if an Apple iPhone user does not lock the phone, every transaction, even below the contactless limit, has to be verified by either face or fingerprint. That's Apple specific. And of course the level of authorization is transmitted to the terminal.
With unlocked phones and no further authorization, payments are only possible up to the "contactless" limit. But not with iPhones. That's just not an option with Apple Pay.
There's no NFC signal otherwise, so the terminal doesn't "know", but it also doesn't have to.
The question wasn't really if the terminal knows how 2FA happened, I believe. Important is that it does get confirmation 2FA was applied. And it must know, otherwise CDCVM (Consumer Device Cardholder Verification Method) wouldn't work.
Correct. I also forgot about the fact that the fingerprint was (is?) only requested by the phone after the transaction was initiated by the terminal (unlike FaceID).
I don't think there's a difference in theory between Touch ID and Face ID. It's just a tiny bit slicker with Touch ID in real life:
With Touch ID, unlocking, initiating and accepting a payment is basically the same user action. With Face ID, payment is initiated with a double tap on the side button, then the phone waits for positive Face ID. Having the phone unlocked before with Face ID is not enough.
So ironically, the UX for Apple Pay is worse with Face ID. It just proves how incredibly well Apple Pay with Touch ID was initially thought through. Not even Apple can beat itself here.
No, I think that's the part I was missing. With Touch ID it is the reader initiating the process on the device (at least it used to be). With Face ID it is the user.
What is a "PIN number"? Does it stand for "personal identification number number"?
When using Apple Pay in Brazil this year with my iPhone 8 at an official Apple Pay merchant (Pão de Açúcar supermarket) for BRL 92.10 (above the BRL 50 limit for physical contactless cards), I was asked to enter my PIN on the card terminal, even though I had already performed 2FA using Touch ID. I was tempted to enter the wrong PIN to see whether the PIN was actually checked, but decided to enter the correct PIN to avoid hassle. 3FA is over the top, even in a high-crime country like Brazil.
Anyway my point is to give an example that a PIN can be unexpectedly requested, even when using 2FA contactless, so it's a valid request.
Yes, that's right. When an activated NFC POS terminal is close, the iPhone senses it. Placing the finger on the sensor before the iPhone senses a terminal was already a way to speed up the process. So having the phone unlocked and the finger on the sensor before coming close to the terminal was a very intuitive and effortless way that felt like one doesn't really have to do anything at all.
Similar to that, Apple's recommendation for Face ID is double tap, then look at it, and only then, with a ready and authorized phone, get near the terminal.
People were complaining that they have to look at their phone in an awkward way while it's held in front of the reader to do Face ID. That's neither necessary nor recommended.
The flow is very similar, at least when following Apple's recommendation, but double tapping kind of replaces the iPhone's auto-sense mechanism. (Technically, the payment would be still initiated by the terminal, because without the terminal awaiting the payment, the phone would not activate the wallet app with Touch ID. But that's just terminology. I believe we're talking about the same thing here.)
I don't personally see the issue with MFA used, it makes things more secure. It may be "over the top" but I'd argue that you can never be too cautious with security.