
Ensignbus £10 contactless limit and Apple Pay / Google Pay ban

Status
Not open for further replies.

TTS

Member
Joined
17 Jan 2021
Messages
19
Location
High Weald
I understand that for offline transit transactions, the banks accept fraud liability for transactions below £10, and the operator is liable for transactions above this. Which explains why they have introduced a £10 limit (although does not explain why they have completely stopped Apple/Google, or why they think 2 x £10 transactions to pay for a £20 ticket would be ok).

Even our vending machines at work, where the maximum item is £1.20, are online.


Agree - offline contactless should only be used for very low value transactions (e.g. single fares) where, ultimately, the value can be written off without too much impact if it turns out to be fraudulent.

I still find it hard to understand how they didn't notice such a huge shortfall. I suspect, as you say, they are not fully familiar with how the systems work.
This does seem strange although we may not know the full facts. In my experience, payment processors clearly show declined transactions in their reporting. Maybe these were not initially noticed or investigated. Bus travel is an intangible, so there is no apparent "loss", it merely appears that less people have travelled (and paid). In the retail environment where tangible 'products' are involved, a declined transaction means the product has left the shelves without payment. The shop paid the supplier for the product; the customer did not pay the shop.

The £10 limit for offline transactions is my understanding. Above £10, the merchant (bus operator, here) is at risk. The 2 x £10 workaround is not really kosher.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
The 2 x £10 workaround is not really kosher.

It's more than "not kosher", it's likely a breach of the merchant agreement at a minimum, and arguably any money reclaimed through it is fraudulently obtained. I'm utterly astonished the company are openly doing it.
 

markymark2000

On Moderation
Joined
11 May 2015
Messages
3,557
Location
Western Part of the UK
I think it's fine to use them for season tickets with barcodes or on smartcards where a failure to authorise later can block the ticket. The most fraudulent travel that could be carried out if the authorisation was done as soon as the machine reached a signal is a single. You could even block returns and day tickets if it failed.
Season tickets I think have the QR codes on them and these can be blacklisted in the ticket portal
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
Season tickets I think have the QR codes on them and these can be blacklisted in the ticket portal

It'd make sense for Ticketer to implement this as an automatic process. Probably doesn't do it now, but if I were them now they know about this it would be very high up the list.
Also to implement a process that if a given card is repeatedly declined (e.g. 3 declines in a row with no successful transaction in between) to blacklist the card entirely.
 

zero

Member
Joined
3 Apr 2011
Messages
960
My suspicion re Apple/Google is that the fraudsters are loading up their phones with a stack of dodgy cards and flipping between them much more easily on a phone.

I don't know about Apple but anything slightly out of the ordinary and Google pay stops working. I tried to put my card on my wife's phone which had one of her own cards on, so she could use an offer when I was away, and google asked for a bank statement which we are not going to give them, now it's disabled (we don't generally use Google pay anyway so don't care).

Also separately someone tried two of their own cards registered to different addresses and google wouldn't accept the second card.

The twitter thread linked earlier suggests the merchant has more liability when google/apple pay are used.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
I don't know about Apple but anything slightly out of the ordinary and Google pay stops working. I tried to put my card on my wife's phone which had one of her own cards on, so she could use an offer when I was away, and google asked for a bank statement which we are not going to give them, now it's disabled (we don't generally use Google pay anyway so don't care).

No surprise there. You are breaching the terms of your bank account if you let a person other than the one named on a card use it, even if they're family. Google clearly are going to see a red warning if that is done. The correct way to allow another person to use your account is to obtain an "authorised user" card with their name on it.
 

DelayRepay

Established Member
Joined
21 May 2011
Messages
2,929
I think it's fine to use them for season tickets with barcodes or on smartcards where a failure to authorise later can block the ticket. The most fraudulent travel that could be carried out if the authorisation was done as soon as the machine reached a signal is a single. You could even block returns and day tickets if it failed.

The issue there is it could result in confrontation between a bus driver and a third party who's purchased the ticket from the fraudster. I think it would be preferable to not issue tickets, rather than issue then try to block them. Season tickets can be sold through mobile apps, smart cards, or online terminals at a bus station. Or do what TFL do, and use capping to negate the need for a season ticket.

I don't know about Apple but anything slightly out of the ordinary and Google pay stops working. I tried to put my card on my wife's phone which had one of her own cards on, so she could use an offer when I was away, and google asked for a bank statement which we are not going to give them, now it's disabled (we don't generally use Google pay anyway so don't care).

Also separately someone tried two of their own cards registered to different addresses and google wouldn't accept the second card.

The twitter thread linked earlier suggests the merchant has more liability when google/apple pay are used.
It might not be Google doing this. The card issuer has to authorise the card being added to the wallet and may well decline it if there's anything about the card or device that's out of the ordinary.
 

Richardr

Member
Joined
2 Jun 2009
Messages
400
It'd make sense for Ticketer to implement this as an automatic process. Probably doesn't do it now, but if I were them now they know about this it would be very high up the list.
Also to implement a process that if a given card is repeatedly declined (e.g. 3 declines in a row with no successful transaction in between) to blacklist the card entirely.
Isn't the latter standard for the banks? I made a mistake with a Visa card from Barclays (I put my debit card PIN in rather than my Credit Card PIN three times) and the card was blocked.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
Isn't the latter standard for the banks? I made a mistake with a Visa card from Barclays (I put my debit card PIN in rather than my Credit Card PIN three times) and the card was blocked.

It is for wrong PINs but not simple transaction declines which might flag for fraud investigation but don't block the card entirely.
 

Deerfold

Veteran Member
Joined
26 Nov 2009
Messages
12,621
Location
Yorkshire
Isn't the latter standard for the banks? I made a mistake with a Visa card from Barclays (I put my debit card PIN in rather than my Credit Card PIN three times) and the card was blocked.
That stops the card being used in person, but doesn't block it - you can still use it online.
 

zero

Member
Joined
3 Apr 2011
Messages
960
No surprise there. You are breaching the terms of your bank account if you let a person other than the one named on a card use it, even if they're family. Google clearly are going to see a red warning if that is done. The correct way to allow another person to use your account is to obtain an "authorised user" card with their name on it.

It wasn't a bank account, and I actually checked the T&Cs which did not say this was not allowed (sloppily written I guess). I did not say I was surprised. You said that a fraudster would have "a stack of dodgy cards on their phone" and I think that would be difficult to arrange unless they stole a wallet from someone with many cards and got their address too.
 

DelayRepay

Established Member
Joined
21 May 2011
Messages
2,929
It wasn't a bank account, and I actually checked the T&Cs which did not say this was not allowed (sloppily written I guess). I did not say I was surprised. You said that a fraudster would have "a stack of dodgy cards on their phone" and I think that would be difficult to arrange unless they stole a wallet from someone with many cards and got their address too.
I agree it's difficult to arrange, but not impossible and some fraudsters will see it as worth their while. I work for a card issuer and one thing I know is that any weakness will be exploited by criminals, however unlikely/difficult it may seem. That's why we have what sometimes appear to be excessive security checks - we don't do it for fun, we do it because we've seen fraud attempts in the past and increased our defences as a result.

Three sources of card details are the compromise of a retailer's systems, corrupt postal workers and shared letterboxes in flats. All involve a varying degree of sophistication but all three are genuine threats which have been exploited in the past.
 

pepperpot80

Member
Joined
29 Sep 2009
Messages
61
Location
Hove
You said that a fraudster would have "a stack of dodgy cards on their phone" and I think that would be difficult to arrange unless they stole a wallet from someone with many cards and got their address too.
This is what is happening, on a fairly significant scale, organised on Telegram and available publicly if you know who to ask / where to look. Impact has been growing exponentially since spring and is ripping through the industry. Ensign have done well to say the quiet part out loud and acknowledge the problem. This puts the onus on the card schemes - Visa and Mastercard - to take a good hard look at the problem and take it seriously.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
This is what is happening, on a fairly significant scale, organised on Telegram and available publicly if you know who to ask / where to look. Impact has been growing exponentially since spring and is ripping through the industry. Ensign have done well to say the quiet part out loud and acknowledge the problem. This puts the onus on the card schemes - Visa and Mastercard - to take a good hard look at the problem and take it seriously.

I've already explained how Ticketer could, with software modifications, prevent it, without even doing live authorisations. Simply do an authorisation as soon as the machine gets a signal, and blacklist the ticket barcode if it fails. If the machine has a signal when making the sale, which it will most of the time, do it then. Yes, somebody gets one free single journey, but that's pretty de minimis.

I don't see what Visa/Mastercard really need to do - the risk sharing is quite clear in the merchant agreements, and it's for companies to implement appropriate* measures according to it.

* Selling a £20 product in two taps isn't appropriate, it's a clear breach of the merchant agreement and potentially fraud.
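
The deferred-authorisation approach described in the post above, combined with the three-declines rule suggested earlier in the thread, sketched as an added example that is not part of the thread and is not Ticketer's code. The `authorise` callback, the card-token strings and the barcode values are assumptions made up for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable

MAX_CONSECUTIVE_DECLINES = 3  # threshold suggested in the thread


@dataclass
class Sale:
    barcode: str        # ticket barcode printed at the time of sale
    card_token: str     # whatever stable identifier the reader sees (assumption)
    amount_pence: int


@dataclass
class TicketMachine:
    # Hypothetical acquirer call: (card_token, amount_pence) -> approved?
    authorise: Callable[[str, int], bool]
    online: bool = False
    pending: list = field(default_factory=list)
    blocked_barcodes: set = field(default_factory=set)
    blocked_cards: set = field(default_factory=set)
    declines: dict = field(default_factory=lambda: defaultdict(int))

    def sell(self, barcode: str, card_token: str, amount_pence: int) -> bool:
        """Return True if a ticket is handed over to the passenger."""
        if card_token in self.blocked_cards:
            return False                      # refused at the tap, no auth attempt
        sale = Sale(barcode, card_token, amount_pence)
        if self.online:
            return self._settle(sale)         # signal available: authorise now
        self.pending.append(sale)             # no signal: issue and authorise later
        return True

    def signal_restored(self) -> None:
        """Authorise every queued sale as soon as connectivity returns."""
        self.online = True
        queued, self.pending = self.pending, []
        for sale in queued:
            self._settle(sale)

    def _settle(self, sale: Sale) -> bool:
        if self.authorise(sale.card_token, sale.amount_pence):
            self.declines[sale.card_token] = 0   # a success resets the streak
            return True
        # Declined: the ticket stops working, so the exposure is limited to
        # the journey already in progress when the decline arrives.
        self.blocked_barcodes.add(sale.barcode)
        self.declines[sale.card_token] += 1
        if self.declines[sale.card_token] >= MAX_CONSECUTIVE_DECLINES:
            self.blocked_cards.add(sale.card_token)
        return False

    def validate(self, barcode: str) -> bool:
        """Check performed when a previously issued ticket is scanned."""
        return barcode not in self.blocked_barcodes


if __name__ == "__main__":
    # Constructed sample data: one card that authorises, one that always declines.
    approved = {"tok-good": True, "tok-bad": False}
    m = TicketMachine(authorise=lambda tok, amt: approved[tok])
    m.sell("BC1", "tok-good", 2000)
    m.sell("BC2", "tok-bad", 2000)            # issued while offline
    m.signal_restored()
    print(m.validate("BC1"), m.validate("BC2"))
```

A real deployment would also have to distribute the barcode and card deny-lists to every other machine in the fleet, which this single-machine sketch does not model.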
 

pepperpot80

Member
Joined
29 Sep 2009
Messages
61
Location
Hove
Agree with you, certainly, and your proposed solution is perfectly reasonable and appropriate.

The means by which one can manipulate digital wallets, and especially digital-only accounts, however, is out of the merchant's hands, and card issuers and technology providers are loath to engage. The card networks have the whip hand, and need to use it. Alternatively the bus operators could just disable Apple and Google Pay, rather than go down the £10-per-tap route (which, as you rightly note, would be in breach of the Merchant Agreement).
 

TTS

Member
Joined
17 Jan 2021
Messages
19
Location
High Weald
Agree with you, certainly, and your proposed solution is perfectly reasonable and appropriate.

The means by which one can manipulate digital wallets, and especially digital-only accounts, however, is out of the merchant's hands, and card issuers and technology providers are loath to engage. The card networks have the whip hand, and need to use it. Alternatively the bus operators could just disable Apple and Google Pay, rather than go down the £10-per-tap route (which, as you rightly note, would be in breach of the Merchant Agreement).
With updated info on the origins of this issue, I would concur: it is out of the merchant's (bus operator) hands, and card issuers and technology providers are loath to engage. The card networks have the whip hand, and need to use it. Disabling Apple and Google Pay for the time being would be a wise move. Ticketer could certainly play a part.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
Generally Apple Pay and Google Pay are more secure than cards because you need to unlock the phone to use them (as such they're actually more secure than Chip & PIN, which is why there's generally no upper limit on their use in an authorised transaction). This is an exception, but it's an important reason why disabling them cannot be anything more than a short-term fix while Ticketer catch up with their software.
 

philthetube

Established Member
Joined
5 Jan 2016
Messages
3,762
Couple of things I wonder?

CCTV must be available of ticket purchasers, shouldn't be difficult to identify them.

Presumably only one ticket can be purchased per journey, you could hardly rock up to a bus and buy 6 seasons using different cards?
 

TTS

Member
Joined
17 Jan 2021
Messages
19
Location
High Weald
Generally Apple Pay and Google Pay are more secure than cards because you need to unlock the phone to use them (as such they're actually more secure than Chip & PIN, which is why there's generally no upper limit on their use in an authorised transaction). This is an exception, but it's an important reason why disabling them cannot be anything more than a short-term fix while Ticketer catch up with their software.
With (Apple) Express Mode, you can use some of your cards, keys, and passes in Apple Wallet without waking or unlocking your device, or authenticating with Face ID, Touch ID, or your passcode. You might even be able to use your card, pass, or key when your device needs to be charged. .... For transit, you can set one transit card to Express Mode for each transit network. You can also set a payment card that can be used to pay your fare in locations where your Express Transit card isn't accepted. https://support.apple.com/en-us/HT212171
 

noddingdonkey

Member
Joined
2 Nov 2012
Messages
774
I've already explained how Ticketer could, with software modifications, prevent it, without even doing live authorisations. Simply do an authorisation as soon as the machine gets a signal, and blacklist the ticket barcode if it fails. If the machine has a signal when making the sale, which it will most of the time, do it then. Yes, somebody gets one free single journey, but that's pretty de minimis.

I don't see what Visa/Mastercard really need to do - the risk sharing is quite clear in the merchant agreements, and it's for companies to implement appropriate* measures according to it.

* Selling a £20 product in two taps isn't appropriate, it's a clear breach of the merchant agreement and potentially fraud.
My concern would be that a genuine passenger's card declines, they board the next bus to find that their ticket has been blacklisted. I could imagine some interesting conflicts between drivers and passengers in that situation, with passengers quite reasonably suspecting that in the absence of a receipt showing that their payment was declined there's some kind of rip off going on.

Workarounds might be to only issue higher value tickets as e-tickets on an app (eg as First do - I would imagine the underlying tech might be available off the shelf from Ticketer?) or a scheme where passengers have to register their card number online to authorise it for higher value on-bus purchases, which would at least give the company some means to notify the user that their transaction had failed before blacklisting the card.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
My concern would be that a genuine passenger's card declines, they board the next bus to find that their ticket has been blacklisted. I could imagine some interesting conflicts between drivers and passengers in that situation, with passengers quite reasonably suspecting that in the absence of a receipt showing that their payment was declined there's some kind of rip off going on.

Workarounds might be to only issue higher value tickets as e-tickets on an app (eg as First do - I would imagine the underlying tech might be available off the shelf from Ticketer?) or a scheme where passengers have to register their card number online to authorise it for higher value on-bus purchases, which would at least give the company some means to notify the user that their transaction had failed before blacklisting the card.

At the vast majority of locations in urban areas there will be a signal so an authorisation can be done on the spot. This will be therefore a minority of tickets. An explanation could be printed on the ticket itself.

I don't think removing monthlies from the bus would be a terrible thing, they could be on-app, sold from a website that can encode the barcodes or by direct debit with a physical passcard holding a photo being sent out.
 

SSmith2009

Member
Joined
20 Dec 2021
Messages
185
Location
East Midlands
In Leicester we've had contactless for a good while and higher value tickets are app or website only; surely they could move to this?

Think our highest ticket on bus is now a £23 ZonePlus week ticket
 

jon0844

Veteran Member
Joined
1 Feb 2009
Messages
28,046
Location
UK
It seems all APCOA car parks now refuse Google Pay/Apple Pay (that means all GTR station car parks).

This is clearly a big issue, and it's a shame that only small snippets of info are being posted to explain the problem and when there might be a resolution.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
It seems all APCOA car parks now refuse Google Pay/Apple Pay (that means all GTR station car parks).

This is clearly a big issue, and it's a shame that only small snippets of info are being posted to explain the problem and when there might be a resolution.

This seems a bit strange, as parking payment isn't transit mode, and as such all transactions (even for 1p) must be preauthorised (and are, with most machines it takes ages!)
 

JaJaWa

Established Member
Joined
14 Feb 2013
Messages
1,705
Location

The first post in this thread :lol:



They've confirmed on Twitter that they are splitting into £10 transactions because that's the burden that the banks take per transaction

@CL77313
Apple Pay have much higher security than even chip and pin so that makes no sense , and for fraud surely you have cctv evidence and the banks take the financial burden not you ?
3:50 PM · Jul 27, 2022

@EnsignBusCo replying to @CL77313
Apple Pay do indeed have excellent security…for the *consumer*!
CCTV has been used in some cases but the sheer scale of the issue and time lapse means it’s not that simple.
UK banks and certain others only cover transactions up to £10 in value.
The scam issue with Apple Pay & Google Pay is a bit more complex and would mean no chance of ever getting any money back
4:57 PM · Jul 27, 2022
https://twitter.com/EnsignBusCo/status/1552216380761571329 & https://twitter.com/EnsignBusCo/status/1552216582050521088
 


Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
Oh dear, so they are admitting breach of their merchant agreement and potential fraud on Twitter. Digging a bigger hole than the issue there.

They cannot split transactions to gain protection in that way. There's nothing saying you can't split transactions e.g. like the way people might split a restaurant bill, but doing it deliberately to gain greater protection from the banks is itself potentially fraudulent.

If they persist with this they could well find themselves out of business.
 

jon0844

Veteran Member
Joined
1 Feb 2009
Messages
28,046
Location
UK
This seems a bit strange, as parking payment isn't transit mode, and as such all transactions (even for 1p) must be preauthorised (and are, with most machines it takes ages!)

This is why I'd like to understand more about the problems.

This actually reminds me of the fact that in the last week or two, I was in a shop that actually said they'd imposed a voluntary limit of £10 on Google Pay - and asked if I had my physical card to use chip and pin. Clearly my brain has just clicked now that this was likely linked to this problem - and that was paying for a physical product.
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
97,783
Location
"Marston Vale mafia"
This is why I'd like to understand more about the problems.

This actually reminds me of the fact that in the last week or two, I was in a shop that actually said they'd imposed a voluntary limit of £10 on Google Pay - and asked if I had my physical card to use chip and pin. Clearly my brain has just clicked now that this was likely linked to this problem - and that was paying for a physical product.

It's not unusual for small business owners to totally misunderstand issues and/or the law and end up with silly rules. Indeed, it's more common than not!

This is why I'd like to understand more about the problems.

Indeed. It almost sounds like Google/Apple are authorising transactions then not paying them or somesuch. If that's the case they do indeed need to sort it. If an authorisation is carried out, that is an absolute commitment for the bank to pay the transaction, unless later charged back under a separate process or blocked due to fraud.
 

TTS

Member
Joined
17 Jan 2021
Messages
19
Location
High Weald
There is an understandable reluctance to explain the problem since publicising it is very likely to exacerbate it. The root is fraudulent activity that is also affecting much larger organisations than Ensignbus. Steps are thus being urgently taken to address it.
 

Mojo

Forum Staff
Staff Member
Administrator
Joined
7 Aug 2005
Messages
20,391
Location
0035
This is clearly a big issue, and it's a shame that only small snippets of info are being posted to explain the problem and when there might be a resolution.
I’m confused as well. I fully understand the £10 thing, but I still struggle to understand the Apple Pay situation.

Is it down to the fact that it is so easy to set up a virtual card, with nothing on it (or 10p or whatever is needed for Ticketer). There’s various Apps like Stocard and Revolut that will let you set up as many virtual cards as you want, top up and withdraw / spend money, and delete them for no reason?
 