Strong Customer Authentication (PSD2)

A couple of days ago, new requirements for authenticating payments were rolled out across Europe as part of the second Payment Services Directive (PSD2).

A number of banks and some stores have communicated with their customers on how each business will implement the new regulations.

Posts from two individual threads on the topic have been merged into this new combined thread…

I just received an email documenting upcoming changes to payments at John Lewis / Waitrose… I use my phone (Google Pay) and a Pingit band for most of my transactions and consider this a major pain.

I’m hoping it’ll just be John Lewis who implement this shopping instore in this method; we already have a high abandonment rate where I work as we don’t accept Apple or Google Pay for payments over £30. I personally would consider a switch back to cash if paying by contactless becomes a pain.

What do you guys think about all this?


I agree. I got that message too, but I hadn’t had time to read it properly.

I understand there are changes and they have to do something, but I don’t see why they need the physical card… The rest of Europe is happy with touch and pin.

Surely knowing the PIN is the important bit!


I believe this is actually a change as part of the law, so not one specific to John Lewis. There’s a limit on how much can be spent before you’re prompted for your pin (€150 seems to ring a bell?)

I agree it’ll be a pain. I don’t remember the last time I actually used my card.

Found this as an exemption in a Visa document:

SCA is not required subject to transaction value and velocity

  • The value of the transaction must not exceed €50; and
  • The cumulative limit of consecutive contactless transactions without application of SCA (PIN entry or Cardholder Card Verification Method (CDCVM)) must not exceed €150; or
  • The number of consecutive contactless transactions since the last application of SCA (PIN entry or CDCVM) must not exceed five

I’ll honestly use the simplest and easiest method of payment, so if cash becomes the simplest method… then cash I shall use.

I will also avoid stores that I know will be a pain in the arse to pay at.

Right now too many retailers, banks and processors are interpreting the rules in so many different ways, it’s going to get very messy for the next year or so.
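
The Visa exemption quoted in the post above, worked through as an added example (not part of the original thread, and not Visa's or any issuer's code): it tracks the counters since the last SCA and shows which tap falls out of the exemption. The class and function names are hypothetical, and it assumes the current transaction counts toward the cumulative and count limits and that a completed SCA (PIN entry or CDCVM) resets both counters to zero.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits taken from the exemption text quoted in the thread.
MAX_SINGLE = Decimal("50")       # EUR, per contactless transaction
MAX_CUMULATIVE = Decimal("150")  # EUR, total since the last SCA
MAX_COUNT = 5                    # consecutive transactions since the last SCA


@dataclass
class ContactlessCounters:
    """Hypothetical per-card state kept between SCA events."""
    use_count_limit: bool = False  # the text joins the two velocity limits with "or"
    cumulative: Decimal = Decimal("0")
    count: int = 0

    def sca_required(self, amount: Decimal) -> bool:
        if amount > MAX_SINGLE:
            return True
        if self.use_count_limit:
            return self.count + 1 > MAX_COUNT
        # Assumption: the current transaction counts toward the cumulative total.
        return self.cumulative + amount > MAX_CUMULATIVE

    def authorise(self, amount, sca_performed: bool = False) -> str:
        amount = Decimal(str(amount))
        if sca_performed:
            # PIN entry or CDCVM: assumption that both counters restart at zero.
            self.cumulative, self.count = Decimal("0"), 0
            return "approved-with-sca"
        if self.sca_required(amount):
            return "sca-required"
        self.cumulative += amount
        self.count += 1
        return "approved-exempt"


def replay(amounts, use_count_limit: bool = False):
    """Run constructed sample amounts; the cardholder completes SCA when asked."""
    card = ContactlessCounters(use_count_limit=use_count_limit)
    results = []
    for amount in amounts:
        outcome = card.authorise(amount)
        if outcome == "sca-required":
            outcome = card.authorise(amount, sca_performed=True)
        results.append(outcome)
    return results
```

With constructed amounts, `replay([40, 40, 40, 40])` asks for SCA on the fourth tap because the running total would reach €160, while `replay([10] * 7, use_count_limit=True)` asks on the sixth tap even though only €50 has been spent.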


I’ll certainly avoid stores that dick me around.


I went to B&Q yesterday. Unable to buy what I wanted as they don’t accept any sort of contactless payment at all.

WTF? It’s 2019.


It kinda defeats the entire point of contactless payments that use the stronger authentication of devices such as iOS Wallet or Android.


Same as my local Argos.

Odd, in my local branch they not only accept contactless, but allow transactions above £30 for mobile devices.

B&Q are crap for payments though.

I complained and was told it was a “slow rollout” to the Argos stores… I wouldn’t mind but the payment terminals are the same we use at work and they’re totally capable of contactless.

Also the store is listed as a London branch.

Are Apple and Google Pay not regarded as secure transactions? John Lewis say no, but crazy if not.


Strange - every Swindon Argos accepts contactless

Well, technically they are but aren’t.

Apple Watch Apple Pay has no requirement for any verification, it’s essentially just a card contactless with some tokenization

Google Pay can be used to amounts of £30 without logging into your phone, too. As such they can be but aren’t always.

You need to input the watch’s PIN when you put it on your wrist. Without it Pay doesn’t work, and in fact the watch doesn’t do much at all apart from telling time. In my mind that’s no different than having your card and PIN: something you have, and something you know.


Oh, wasn’t aware of this

This is really annoying - what a backward step!


This sounds basically the same as the cookie law and GDPR. The EU makes up these laws that sound reasonable, but then make things difficult for the customer. They basically have no idea of technology or the modern world, all it does is make life more difficult.

(actually thinking about it… I don’t remember the required GDPR and cookie banners and conditions when signing up to this site… but that’s another thread.)


Assuming it’s not a badly worded email, I doubt that it is just John Lewis, if for no other reason than

John Lewis Financial Services Limited (a subsidiary of HSBC UK Bank plc)

And I assume HSBC know the requirements…

Is that not the company that exists to service the branded financial products though? I very much doubt that particular subsidiary of HSBC has any involvement when you contactlessly pay for your goods in store.
