Virtual Card Pin set PIN number

Hello rev team,

I am asking for the ability to set a PIN number for the virtual cards, so we can pay for more than 30 EUR in stores using Google Pay.

Much respect,
Marios

Edit: definition of payment method and spelling.

2 Likes

I’m not sure if I understand your issue. Are you not able to pay contactless for more than 30 EUR with Google Pay/Fitbit Pay/Garmin Pay? If that’s the case, I think that’s an issue with older terminals.

2 Likes

There is a contactless limit and if you pass it the device asks for pin number in EU. I am not going to lie but I haven’t yet got in a situation like that, but I have read from other people that it is happening.

I’m aware of the issue, I’m just curious how big of an issue it is. Personally, I’ve never run into the issue. As far as I know, it is only an issue with older terminals who accepted contactless payments when al you could use was ‘’tap and pay’’ with your card and since then have not updated them.

I’m not saying having PINs for viritual cards would be great, but it if is an issue someone often faces you have two options: Pay with a regular card or add your physical card to your digital wallet. Personally, I don’t look at this as a high priority.

My virtual cards are Visa and won’t even work with Google Pay in PoS.
However, I need to enter PINs frequently and I do not think it has to do with the terminal. :man_shrugging:t3: If I could add a Visa, a PIN of course would be great.

It doesn’t actually work with your phone security code/ PIN / fingerprint?!

@BendikHa @Iskender

Some countries have artificial limits on all of the terminals, this is mainly due to the way the country’s banking system works (for instance PIN etc is verified by the bank themselves rather than the chip on the card)

It can also be due to a consensus within the country discussed by all the major banks, which has set the standard for example, to have 25€ cap with anything above requiring PIN. For instance I know ATMs have contactless like this.

So yeah, it’s not an issue with outdated terminals. It’s an actual issue that isn’t going to change, too.

My suggestion would be to add PINs to the virtual cards or to not allow these cards for contactless payments. Probably I’d pick the latter, if you want contactless I’d have you get a physical card so you’d at least have a physical card if you needed it in your home.

I’m not sure if this is present in Norway (@BendikHa) or your country of residence/travel (@Iskender)

In Bulgaria for instance all contactless transactions above 25 BGN /around 12.5€/ requires PIN.
I know form people that have Apple Pay enabled cards that for now when using them trough Apple Pay this does not apply.

2 Likes

Apple gives country specific informations about this on their apple support pages. Bottom line is that it depends on many different things like national regulation, specific settings of POS terminals (merchants can override many settings) and contracts with payment network providers. Apple Pay is often considered a tiny bit more secure, which influences decisions about risk management and technical details about how a card is accepted. That’s why Apple Pay might work for large amounts and Google Pay (or other mobile payment systems) do not.

The European Payments Council basically recommends strong 2FA (like a PIN) above around 25 EUR (if I remember this correctly), but it doesn’t specify where this happens, on the POS terminal or on the phone itself via Touch ID / Face ID, like it is mandatory with Apple Pay. (That’s actually one of the differences between Apple Pay and Google Pay: with Apple, all payments are always authorized, not only the ones larger than 25 EUR. The user can’t skip this.)

It’s the same threshold as for contactless card payments. Google Pay only needs additional authentication for payments above the threshold, it can handle on device authentication, but it seems many POS terminals aren’t configured to accept on device CDCVM (Consumer Device Cardholder Verification Method).

1 Like

That was a very detailed explanation! I didn’t know about this so I want to clear it up.
You said that Apple Pay uses 2fa with every transaction, does the terminal know that you input the correct fingerprint? I thought it was just the phone that transmitted the NFC signal after the input, not the terminal accepting it.
If that’s true then if theoretically if I have my Android phone unlocked and not in the lock screen, I can pay for whatever the price may be without asking me for the pin number.

PS: I recently saw an article about a debit card with a fingerprint, that “allowed bigger transactions” to be executed. That may be the answer to my question itself.

Yes. Even if an Apple iPhone user does not lock the phone, every transaction, even below the contactless limit, has to be verified by either face or fingerprint. That’s Apple specific. And of course the level of authorization is transmitted to the terminal.

With unlocked phones and no further authorization, payments are only possible up to the „contactless“ limit. But not with iPhones. That’s just not an option with Apple Pay.

1 Like

There’s no NFC signal otherwise, so the terminal doesn’t “know”, but it also doesn’t have to.

The question wasn’t really if the terminal knows how 2FA happened, I believe. Important is that it does get confirmation 2FA was applied. And it must know, otherwise CDCVM (Consumer Device Cardholder Verification Method) wouldn’t work.

2 Likes

Correct. I also forgot about the fact that the fingerprint was (is?) only requested by the phone after the transaction was initiated by the terminal (unlike FaceID).

I don’t think there’s a difference in theory between Touch ID and Face ID. It’s just a tiny bit slicker with Touch ID in real life:

With Touch ID, unlocking, initiating and accepting a payment is basically the same user action. With Face ID, payment is initiated with a double tap on the side button, then the phone waits for positive Face ID. Having the phone unlocked before with Face ID is not enough.

So ironically, the UX for Apple Pay is worse with Face ID. It just proofs how incredibly well Apply Pay with Touch ID was initially thought through. Not even Apple can beat itself here.

No, I think that’s the part I was missing. With Touch ID it is the reader initiating the process on the device (at least it used to be). With Face ID it is the user.

What is a “PIN number”? Does it stand for “personal identification number number”? :wink:

1 Like

When using Apple Pay in Brazil this year with my iPhone 8 at an official Apple Pay merchant (PĂŁo de AçĂșcar supermarket) for BRL 92.10 (above the BRL 50 limit for physical contactless cards), I was asked to enter my PIN on the card terminal, even though I had already performed 2FA using Touch ID. I was tempted to enter the wrong PIN to see whether the PIN was actually checked, but decided to enter the correct PIN to avoid hassle. 3FA is over the top, even in a high-crime country like Brazil.

Anyway my point is to give an example that a PIN can be unexpectedly requested, even when using 2FA contactless, so it’s a valid request.

3 Likes

Yes, that’s right. When an activated NFC POS terminal is close, the iPhone senses it. Placing the finger on the sensor before the iPhone senses a terminal was already a way to speed up the process. So having the phone unlocked and the finger on the sensor before coming close to the terminal was a very intuitive and effortless way that felt like one doesn’t really have to do anything at all.

Similar to that, Apple’s recommendation for Face ID is double tap, then look at it, and only then, with a ready and authorized phone, get near the terminal.

People were complaining that they have to look at their phone in an awkward way while it’s held in front of the reader to do Face ID. That’s neither necessary nor recommended.

The flow is very similar, at least when following Apple’s s recommendation, but double tapping kind of replaces the iPhone‘s auto-sense mechanism (Technically, the payment would be still initiated by the terminal, because without the terminal being awaiting the payment, the phone would not activate the wallet app with Touch ID. But that’s just terminology. I believe we’re talking about the same thing here.)

I don’t personally see the issue with MFA used, it makes things more secure. It may be “over the top” but I’d argue that you can never be too cautious with security.