The new rules for payment authorization are introduced by Commission Delegated Regulation (EU) 2018/389 of 27th of November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication, which will come into force as soon as September 14, 2019. The regulation is an executive act in relation to the PSD2 Directive, thus specifying its provisions.
For the sake of simplicity, the general rule regarding card payments at the payment terminal is that you need something to authorize the transaction: (i) only possessed by the payer (card) and (ii) only known by the payer (PIN code). An exception to this rule was introduced for contactless payments, which due to small payment limits have lower risk of fraud. In Poland, the amount of contactless payments currently amounts to PLN 50, but in the near future is to be increased to PLN 100 per transaction, as we have recently written here and here.
From September 14, 2019, contactless payments with a PIN may be accepted if:
(I) the cumulative amount of previous contactless electronic payment transactions initiated by means of a payment instrument with a contactless functionality from the date of the last application of strong customer authentication does not exceed EUR 150; or
(II) the number of consecutive contactless electronic payment transactions initiated via the payment instrument offering a contactless functionality since the last application of strong customer authentication does not exceed five.
In other words - from September 14, 2019, at least every fifth contactless transaction will require entering the PIN code from the cardholder.