In an alarming opinion, the Advocate General of the European Court of Justice has stated his view that the contactless feature of a credit or debit card is a separate payment instrument in its own right; and that using the card to make low-value contactless payments is "anonymous" and not subject to strong customer authentication (SCA) under the Payment Services Directive (PSD2). In a further twist, the AG suggests that the 'unilateral change' mechanism for amending payment services contracts can only be used for the "non-essential" elements of the contract.

This matters because if the ECJ follows the opinion (which it usually does), it would mean:

  • non-contactless and contactless card payments would be regulated differently, even when made using the same card (and executing contactless payments might not be regulated at all);
  • issuers of contactless cards would have no legal right to insist on SCA security measures for contactless payments, which currently apply for payments over €50, a limit of five transactions or a total spend of €150;
  • issuers could adjust their systems and contracts to escape liability for unauthorised contactless transactions; and
  • unless customers actively accept changes to their contracts for cards and other payment services, the supply of those services will stop.

I have written a few more detailed articles on this case for the Society for Computers & Law, but have summarised the arguments against the AG's opinion in a series of posts here. This one sets out the facts, explains what a payment instrument is and explains why the contactless feature on a payment card could not be a separate payment instrument in its own right. 

Let me know if you would like to discuss any aspects further.

The Facts

Contactless functionality is added to payment cards using 'near field communication' or 'NFC' technology embedded in the card and card terminals.

In this case, when the bank began issuing cards with contactless functionality, it also amended the cardholder contract to avoid liability for unauthorised payments when the cards were used in contactless mode. The new terms said:

  • the bank did not have to prove (and could not prove) that a contactless payment was authorised;
  • it was "technically impossible" for the card to be blocked when used for low-value transactions, even if blocked for other types of transactions; and
  • the bank was not liable for unauthorised contactless payments.

Like all payment service providers, the bank relied on the 'unilateral change' mechanism under PSD2 to introduce these changes to its terms. Customers would be deemed to have accepted the changes unless they notified the bank within two months that changes were not accepted, and terminated the contract.

Both the Austrian trial court and regional appeal court held that the contactless mode is not a payment instrument in its own right, so the bank could not escape liability in this way. However, both parties appealed to the Austrian Supreme Court, which in turn referred the four key issues to the European Court of Justice. The preliminary step in ECJ proceedings is the filing of an Opinion of the Advocate General, with whom the court very often agrees.

The issues arose before the implementation of PSD2, but because the provisions under PSD2 are essentially the same as under the previous directive, the ECJ's ruling will determine the position under PSD2 as well.

What is a payment instrument?

The term "payment instrument" is defined in PSD2 as:

"any personalised device and/or set of procedures agreed between the payment service users and the payment service provider and used in order to initiate a payment order".

The ECJ has held that a payment instrument can be either personalised or non-personalised/anonymous.

Is NFC functionality of a payment card a separate payment instrument?

The AG says that a 'multifunctional' payment card features two different payment instruments:

  • a personalised device which requires the use of one or two security elements (strong authentication) and is reserved for payments from a certain value;
  • a set of procedures for making low-value payments without using those security elements, via NFC functionality.

There are many problems with this view. 

Foremost is the fact that the contactless feature cannot be used independently of the card in which it is embedded, and there is only one set of security credentials per card. The user has to wave the card near the contactless technology in a card terminal, yet the NFC component is also configured under industry standards to require entry of a PIN from time to time. In other words, the contactless technology merely creates the potential for choices to be made about whether and when the user must go through the hassle of entering the security credentials related to the card.

Furthermore, a regulatory technical standard under PSD2 mandates the entry of security credentials, unless the issuer of the payment instrument applies any one of 7 exemptions, including those for contactless payments, low value transactions and payments at unattended terminals. Any payment service provider who fails to apply SCA when required will be liable for any resulting unauthorised transaction, and could face enforcement action (now delayed to 30 December in Ireland). 

When using a card for contactless payments, for example, the customer must insert the card in the terminal and enter her SCA credentials either every fifth time she uses it or when a total transaction value of €150 is reached. Certain scenarios may trigger more than one exemption, so the European Banking Authority has said that the limits for the contactless exemption must be calculated on the basis of transactions where that exemption was actually allowed by the issuer. So, for instance, the use of the card to pay £2.50 for parking at an 'unattended terminal' must not count towards your limits under the 'contactless' or 'low-value' exemptions.
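As an added illustration (not from the original post or any issuer's code), the following Python models how an issuer could keep the contactless exemption counters described above: the €50 single-payment limit, the five-transaction limit (read here as five consecutive exempted payments before SCA is required) and the €150 cumulative limit, with payments exempted on another basis, such as an unattended terminal, left out of the count as the EBA requires. The cent amounts, exemption names and sample sequence are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Contactless exemption limits as the post describes them (constructed model);
# amounts are in euro cents to avoid floating-point drift.
SINGLE_LIMIT = 50_00        # EUR 50 per contactless payment
MAX_COUNT = 5               # consecutive exempted payments since last SCA
CUMULATIVE_LIMIT = 150_00   # EUR 150 exempted value since last SCA


@dataclass
class ContactlessCounter:
    """Issuer-side state for one card's contactless exemption."""
    count_since_sca: int = 0
    value_since_sca: int = 0

    def sca_required(self, amount: int) -> bool:
        """Would exempting this payment as contactless breach a limit?"""
        if amount > SINGLE_LIMIT or self.count_since_sca >= MAX_COUNT:
            return True
        return self.value_since_sca + amount > CUMULATIVE_LIMIT

    def record(self, amount: int, exemption: Optional[str]) -> None:
        """Record what the issuer actually applied to a payment.

        None means SCA was performed, which resets both counters. Only payments
        exempted as 'contactless' count towards these limits; a payment exempted
        on another basis (e.g. 'unattended') does not, per the EBA view above.
        """
        if exemption is None:
            self.count_since_sca = 0
            self.value_since_sca = 0
        elif exemption == "contactless":
            self.count_since_sca += 1
            self.value_since_sca += amount


def run(payments: List[Tuple[int, str]]) -> List[str]:
    """Return the outcome per payment: the exemption applied, or 'sca'."""
    counter = ContactlessCounter()
    outcomes = []
    for amount, requested in payments:
        applied = None if requested == "contactless" and counter.sca_required(amount) else requested
        counter.record(amount, applied)
        outcomes.append(applied or "sca")
    return outcomes


# Constructed sequence: four EUR 3.50 taps, a EUR 2.50 parking payment at an
# unattended terminal, then two more taps. The parking tap must not count.
SAMPLE = [(3_50, "contactless")] * 4 + [(2_50, "unattended")] + [(3_50, "contactless")] * 2
```

Running `run(SAMPLE)` shows the sixth tap, not the fifth, triggering SCA, because the parking payment was exempted under a different exemption and so does not advance the contactless counters.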

It is also important to recognise that contactless use of a payment card still represents the use of the card to "initiate a payment order" and PSD2 therefore requires the resulting transactions to be treated in the same way as other transactions initiated by the card (subject to the 'liability shift' and potential enforcement action related to any failure to use the credentials where the issuer requires).

Finally, if the AG were correct in holding that the contactless element of a payment card constitutes a separate payment instrument distinct from the card, then it would follow that executing the related payment transactions is not a regulated activity because they are not executed "through a payment card"... This would be confusing for PSPs and a very unfortunate outcome for consumers.