Fans of the adage “A hard case makes bad law” will wince as the regulatory and contractual treatment for contactless credit cards and debit cards is at risk owing to the misadventures of a single Austrian bank. I would hope that the industry is alive to the problem and is finding a way to improve the bank’s arguments and save the day.
Alarmingly, the Advocate General of the European Court of Justice has given his opinion on certain questions referred by the Austrian Supreme Court to the effect that:
- The contactless feature of a credit or debit card is a separate payment instrument in its own right.
- Making low-value contactless payments with a multi-functional card means the cardholder is using the card “anonymously” and contactless payments are not subject to the obligation of strong customer authentication (SCA) under the Payment Services Directive (PSD2).
- The issuer of the contactless feature can only use the low-value exclusions from liability for unauthorised transactions in PSD2 if the issuer can show that it is not technically feasible to block the card or prevent further use of the payment instrument if it is lost, stolen, misappropriated or used without authorisation.
- The unilateral change mechanism for amending payment services contracts cannot be used for “the essential elements” of the contract.
I have set out below the facts and my thoughts on each of these issues.
Why is this important?
These issues matter because:
- PSD2 would apply differently to non-contactless and contactless payments even though they were carried out using the same card.
- In addition, payment service providers (PSPs) who issue cards would have no legal right to insist on applying SCA for contactless payments over €50, or after a limit of five separate transactions or a total amount of €150;
- The bank could escape the liability for unauthorised contactless transactions, or those carried out after notification of theft or loss of the card, if contactless functionality is treated as a “payment instrument which, according to the framework contract, solely concerns individual payment transactions not exceeding EUR 30 and:
- is used anonymously or [the bank] is not in a position for other reasons which are intrinsic to the payment instrument to prove that a payment transaction was authorised and/or
- does not allow its blocking or prevention of its further use.”
- It will become very expensive in time and resources to re-issue contracts to large numbers of customers, many of whom will simply not bother to open and/or reply without significant prompting, and in many cases services would simply cease working unexpectedly to customers’ detriment.
The Facts
Near-field communication (NFC) technology enables a payment card to be used ‘contactlessly’ by waving it near a terminal to initiate the relevant payment transaction, rather than swiping the card or inserting it into the terminal and entering a personal identification number (PIN).
The AG’s opinion refers to technological “formats based mainly on ISO 14443” but it should be noted that the industry actually develops NFC solutions to the EMV specification that began with contact-based Chip and PIN (under ISO/IEC 7816 for contact cards) before adding contactless functionality.
When it began issuing cards with contactless functionality, the bank in this case decided to also amend its customer terms to avoid liability for unauthorised payments when the cards were used in contactless mode. The new terms said:
- the bank did not have to prove (and could not prove) that a contactless payment was authorised;
- it was “technically impossible” for the card to be blocked when used for low-value transactions, even if blocked for other types of transactions; and
- the bank was not liable for unauthorised contactless payments.
Like all payment service providers, the bank relied on the ‘unilateral change’ mechanism under PSD2 to introduce these changes to its terms. Customers would be deemed to have accepted the changes unless they notified the bank within two months that changes were not accepted, and terminated the contract.
Both the Austrian trial court and regional appeal court held that the contactless mode is not a payment instrument in its own right so the bank could not escape liability in this way. However, both parties appealed to the Austrian Supreme Court, which in turn referred the four key issues to the European Court of Justice. The preliminary step in ECJ proceedings is the filing of an Opinion of the Advocate General, with whom the court very often agrees.
The issues arose before the implementation of PSD2, but because the relevant provisions of PSD2 are essentially the same as those of the previous directive, the ECJ’s ruling will determine the position under PSD2 as well.
What is a payment instrument?
The term “payment instrument” is defined in PSD2 as:
“any personalised device and/or set of procedures agreed between the payment service users and the payment service provider and used in order to initiate a payment order”.
While EU member states are split on whether or not the word “personalised” applies to both “device” and “set of procedures”, the ECJ held in the T-Mobile Austria case that payment instruments may be either:
- personalised, which is to say that they allow the payment service provider to verify that the payment order was initiated by a user authorised to do so; or
- anonymous or non-personalised, in which case the payment service providers are not required to prove that the transaction in question was authenticated.
Indeed, this interpretation allows for ‘virtual cards’ where no physical plastic device is created yet they are still personalised.
Is NFC functionality of a payment card a separate payment instrument?
The AG says that a ‘multifunctional’ payment card features two different payment instruments:
- a personalised device which requires the use of one or two security elements (strong authentication) and is reserved for payments from a certain value; and
- a set of procedures for making low-value payments without using those security elements via NFC functionality.
The first Austrian court held that the contactless feature was not to be viewed as a distinct low-value payment instrument because the same card could be used to make other payments. The regional appeal court held that the contactless functionality just creates a separate processing category, like mail order/telephone order (MOTO), but for low-value purchases; and it is personalised by virtue of being protected by the need for a PIN to be entered from time to time. The Czech government submitted that contactless functionality is merely one of the ways the card can be used.
The lower courts must be right.
On the facts, even if the contactless functionality were construed as a payment instrument in its own right, as the AG suggests, the bank would still fail because, according to the bank’s framework contract, the payment instrument does not “solely concern individual payment transactions not exceeding EUR 30.” The contract provided that the cards can be used for higher value payments requiring the entry of a PIN; and the clauses relevant to low-value transactions use language such as “when the debit card is used to make low-value payments without entering a PIN” and “any risk of misuse of the payment card for low-value payments not requiring a PIN” and “the debit card cannot be blocked for low value payments made without entering a PIN.”
In reality, the NFC feature cannot be used independently of the card it resides upon: the user has to wave the card near an NFC-enabled terminal, and the NFC feature is technically configured under the industry (non-regulatory) standards so that the security credentials must be entered from time to time.
Even the highlighted language in the AG’s opinion demonstrates that the card and the NFC feature must constitute the same payment instrument. The NFC feature merely creates the potential for choices to be made about whether and when the user must enter the security credentials related to the card.
Furthermore, the regulatory technical standard on strong customer authentication (SCA) makes it a legal requirement that the security credentials be applied, unless the issuer of the payment instrument/account to which the security credentials relate applies any of the following exemptions:
- Low-value transactions: up to €30 per transaction (limit of five separate transactions or €100);
- Recurring transactions: e.g. subscriptions for the same amount and payee (SCA applied to the first transaction);
- Whitelisted: payers can add payees to a whitelist of trusted beneficiaries with the issuer, but payees can’t request this;
- Corporate payment processes: dedicated process for non-consumers, approved by the regulator (member states may exclude micro-enterprises as consumers);
- Contactless: up to €50 (limit of five separate transactions or €150 without an SCA check);
- Unattended terminals: only for paying transport fares or parking fees;
- Low-risk of fraud: as determined by the issuer, depending on its average fraud levels for the relevant acquirer (not by merchant/channel), with different limit for cards and credit transfers.
It would also be wrong, therefore, to conclude (as the AG has) that contactless payments are themselves “not subject to the obligation of strong customer authentication”. The regulatory SCA standard requires that the customer must be challenged to provide her security credentials either every fifth time she uses it or when a total transaction value of €150 is reached. This will result in the attempted contactless use being prevented, and an invitation to insert the card in the relevant terminal into which the credentials can be entered.
Certain scenarios may trigger the application of more than one exemption, so the European Banking Authority has said that the limit of five transactions needs to be calculated not on the basis of all transactions where the exemption could have been applied, but on the basis of transactions where the particular exemption was applied. So the use of the card to pay £2.50 at an unattended parking machine should not count towards your five contactless or low-value transactions.
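As an added illustration (my own code, not from the article or from any card scheme), the following Python models the per-exemption counters just described: each exemption keeps its own count and cumulative total, a tap is declined for SCA when the next exempted transaction would breach the five-transaction or €150/€100 limit, and an unattended-terminal payment leaves the other counters untouched, as the EBA guidance implies. The reset-on-successful-PIN rule and the exact point at which the challenge fires are assumptions, since the article does not fix them.

```python
from dataclasses import dataclass, field

# Limits taken from the article's list of SCA exemptions (per transaction,
# consecutive count, cumulative total since the last SCA).
LIMITS = {
    "contactless": {"per_txn": 50.0, "max_count": 5, "max_total": 150.0},
    "low_value":   {"per_txn": 30.0, "max_count": 5, "max_total": 100.0},
}


@dataclass
class CardState:
    """Per-card counters, one per exemption: only transactions where a given
    exemption was actually applied count against that exemption (EBA view)."""
    count: dict = field(default_factory=lambda: {k: 0 for k in LIMITS})
    total: dict = field(default_factory=lambda: {k: 0.0 for k in LIMITS})


def reset_after_sca(state: CardState) -> None:
    # Assumption: a successful chip-and-PIN (SCA) transaction resets all counters.
    for k in LIMITS:
        state.count[k] = 0
        state.total[k] = 0.0


def authorise(state: CardState, amount: float, channel: str) -> str:
    """Return the exemption applied ('contactless', 'low_value', 'unattended')
    or 'sca_required' when the terminal must ask for the card and PIN.
    channel: 'contactless', 'low_value' (e.g. a remote card payment) or
    'unattended_transport' (transport fare / parking machine)."""
    if channel == "unattended_transport":
        # Separate exemption: does not consume the contactless/low-value counters.
        return "unattended"
    if channel not in LIMITS:
        return "sca_required"
    lim = LIMITS[channel]
    fits = (amount <= lim["per_txn"]
            and state.count[channel] < lim["max_count"]
            and state.total[channel] + amount <= lim["max_total"])
    if not fits:
        # Limit reached: the tap is declined and the customer is invited to insert the card.
        return "sca_required"
    state.count[channel] += 1
    state.total[channel] += amount
    return channel
```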
Both the industry and regulatory standards proceed on the basis that there is only one set of credentials issued per card (it’s hard enough for consumers to remember one PIN etc per card, let alone multiple PINs for different uses of the card!). Neither the industry EMV standard nor the regulatory SCA standard dictates distinct security credentials for different uses of the card.
Just as the industry standard requires the entry of the PIN from time to time, the regulatory standard merely provides that an issuer may allow the use of the card without those credentials in seven scenarios, the contactless scenario being one. It would make no sense to consider the SCA requirements in the context of the contactless feature on its own, and it is worth noting that the Advocate General does not contend that the use of a payment card in each of the other scenarios benefiting from an exemption from SCA also constitutes a “payment instrument” in its own right.
The Advocate General also believes that making the contactless feature a distinct payment instrument is justified by the need for users of NFC-enabled cards to receive “enhanced protection” and to promote fair and transparent competition between the issuers of such cards. However, PSD2 already addresses these points insofar as any payment service provider who fails to apply SCA (unless the issuer has applied an exemption) will be liable for any resulting unauthorised transaction, and could face enforcement action (now delayed to 14 September 2021).
It is also important to recognise that contactless use of a payment card still represents the use of the card to “initiate a payment order” and PSD2 therefore requires the resulting transactions to be treated in the same way as other transactions initiated by the card (subject to the ‘liability shift’ and potential enforcement action related to any failure to use the credentials where the issuer requires). This is consistent with recital 68:
The use of a card or card-based payment instrument for making a payment often triggers the generation of a message confirming availability of funds and two resulting payment transactions. The first transaction takes place between the issuer and the merchant’s account servicing payment service provider, while the second, usually a direct debit, takes place between the payer’s account servicing payment service provider and the issuer. Both transactions should be treated in the same way as any other equivalent transactions.
This is also consistent with the need for ‘technological neutrality’, which the Advocate General has ironically said somehow requires the separate treatment of the contactless feature. The fact that a debit card and credit card can also reside on the same multi-functional card does not alter the fact that the card itself is still the single payment instrument in each use-case, with the one set of security credentials.
Finally, the terms “card” and “card-based payment instrument” are used interchangeably in the recitals to PSD2, while the term “card-based” is generally used in the operative provisions and refers to any payment instrument/transaction involving a payment card. The only exception is that the expression “execution of payment transactions through a payment card or a similar device” is included among the activities that constitute a regulated “payment service”. So, if the AG were correct in holding that the contactless element of a payment card constitutes a separate payment instrument distinct from the card, then it would follow that executing the related payment transactions is not a regulated activity because they are not executed “through a payment card”… This would be confusing for PSPs and a very unfortunate outcome for consumers.
In Part II, Simon looks at whether a contactless payment is anonymous and whether the days of the unilateral change clauses are coming to an end.
This article has been adapted from a series of posts originally published on Simon’s blog, The Fine Print.
Simon Deane-Johns, Consultant Solicitor, Keystone Law and Chair of the SCL Advisory Board