This is the third and final post on a recent alarming opinion from the Advocate General of the European Court of Justice. The facts of the case are set out in the first post. Here we explore whether contactless card payments are anonymous and cannot be blocked. This matters because, if that were the case, card issuers could escape liability for unauthorised use of your contactless cards for low value payments. Not great for consumers, or for their confidence in using contactless cards.

These issues arise because the second Payment Services Directive (PSD2) allows a card issuer to escape liability for unauthorised contactless transactions, or those carried out after notification of theft or loss of the card, if the contactless functionality is treated as: 

a "payment instrument which, according to the framework contract, solely concerns individual payment transactions not exceeding EUR 30 and:

  • is used anonymously or [the issuer] is not in a position for other reasons which are intrinsic to the payment instrument to prove that a payment transaction was authorised; and/or
  • does not allow its blocking or prevention of its further use."

Are Contactless Card Payments Anonymous?

The Advocate General considers that contactless payments using the contactless functionality on a debit or credit card are "depersonalised" and "anonymous" because the communication between the contactless functionality and the terminal "is sufficient to validate the transaction, irrespective of who is in possession of the card at the time, and dispenses with the need for the cardholder to enter his PIN or provide a handwritten signature."

There are numerous problems with this view.

The AG draws support from analysis in the reports from the European Central Bank and the Euro Retail Payments Board on the development of separate contact and contactless devices and procedures, and of contactless acceptance. But I do not read anything in either report to support the conclusion that contactless functionality is necessarily a separate payment instrument, or anonymous, especially when it is embedded in a debit or credit card.

A payment card could be used by a third party (with or without authorisation) in either contact mode or contactless mode. Indeed, payment cards were notorious for high rates of fraud long before the introduction of contactless functionality. This explains the industry's decision to introduce the Chip-and-PIN security measure (over a decade before the statutory requirement for strong customer authentication (SCA) discussed in the first post). 

The report from the Euro Retail Payments Board referred to by the AG also explains that adoption rates of Chip-and-PIN cards were still quite low even by 2015, and the ability for them to be used contactlessly was a key driver to improve adoption rates of Chip-and-PIN cards by making it quicker and more convenient to use them for lower value transactions (subject to the industry requirement to enter the PIN from time to time as a guard against unauthorised use). The contactless functionality merely creates the potential for choices to be made about whether and when the user must enter the PIN related to the card. The fraudster takes the risk of being detected if he does not have the PIN.

It is therefore odd to say that contactless functionality added to a card to improve its utility is somehow independent of the card, and that the requirement to be able, if and when challenged, to enter the Personal Identification Number set by the cardholder (who must keep it secret) somehow renders the contactless use of the card "depersonalised" and "anonymous". 

Furthermore, as explained in the first post, it has since become a legal requirement ('strong customer authentication', or SCA) that the security credentials for the card (which do not vary between contact and contactless use) must be applied, unless the issuer of the payment instrument/account to which the security credentials relate applies any of seven exemptions. [Note that the Central Bank of Ireland has said it will not take enforcement action on the SCA requirement for e-commerce transactions until 31 December 2020.]

In addition, under anti-money laundering regulation, card issuers must also carry out "customer due diligence" on their cardholders, including identity verification and transaction monitoring, before providing them with cards and other payment services. So the card issuer knows who the cardholder is.

The entry of the PIN and the lack of a report by the cardholder that the card has been stolen should also make it probable that the cardholder made the contactless transactions since the previous entry of the PIN. This means that the requirement to enter the PIN from time to time is also an important factor in determining the validity of contactless transactions, not to mention the customer identity verification and monitoring obligations that sit behind the issuance of the card/account and PIN.

The AG also relied on the fact that the bank in this case delivered the cards with the contactless functionality automatically enabled so that cardholders might be unaware the functionality existed. Ironically, I would regard this as evidence that the bank saw the contactless functionality as an inherent property of the card itself, not distinct (let alone anonymous!), and it could not then pretend that it was somehow separate. Again, the bank still also knew the identity of the cardholder.

Can Contactless Cards Be Blocked?

The bank also stated in its card terms that: 

"it is technically impossible for the debit card to be blocked when used for low-value transactions..." and [if lost etc.] "it shall still be open to use for low value payments not requiring a PIN up to a value of EUR 75, even after a block has been placed on the card [for higher value transactions]... [So] payments may not exceed EUR 25 per individual transaction and the debit card cannot be blocked for low-value payments made without entering a PIN..."

As the AG noted, even the bank admitted at trial that it could block a multifunctional payment card; and evidence was accepted that "almost all Austrian banks" provide in their terms that "after a blocking notification, the card's [contactless] functionality is required to be and is... blocked." 

"Blocked" would be a reference to the card number being blacklisted (on a MATCH list), or placed in a 'hotlist' or 'blocklist' for a specific merchant, as well as to the industry and regulatory requirements for the entry of security credentials (PIN etc.) explained above.

This in turn implies that blocking the contactless functionality is done within the scope of blocking the card itself and this prevents further contactless or other use. 

Accordingly, the bank's terms in this case are simply wrong in stating that "it is technically impossible" to block the contactless payments, and the requirements for the exclusion are not satisfied.

It would also be true to say that the contactless use of the card can be blocked by virtue of the cardholder being unable to enter the PIN when challenged. 

The legal requirement for the liability exclusion to apply is that the payment instrument does not allow its blocking or prevention of its further use. Therefore it does not matter that one or more unauthorised payment transactions might go through before the card is reported missing or a thief fails to enter the PIN when challenged.
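To make the two mechanisms discussed in this section concrete, here is an added Python model of an issuer's contactless authorisation decision (example code written for this post's argument, not taken from any bank, card scheme or the case file). The EUR 30 per-transaction cap comes from the Directive text quoted above; the tap counter, cumulative spend threshold and hotlist are constructed assumptions standing in for issuer policy. It shows that blocking the card also blocks contactless use, and that the periodic PIN challenge bounds what an unauthorised user can spend.

```python
from dataclasses import dataclass

# Per-transaction cap taken from the PSD2 exclusion text quoted above.
CONTACTLESS_LIMIT_EUR = 30.0
# Constructed issuer policy (assumptions, not from the post): force a PIN
# after this many taps, or once cumulative spend since the last PIN would exceed this.
MAX_TAPS_WITHOUT_PIN = 5
MAX_CUMULATIVE_EUR = 100.0


@dataclass
class CardState:
    """Issuer-side view of one card; the issuer knows who the cardholder is."""
    pan: str                       # card number (constructed placeholder in tests)
    blocked: bool = False          # set once loss or theft has been notified
    taps_since_pin: int = 0
    spent_since_pin: float = 0.0


def block_card(card: CardState, hotlist: set) -> None:
    """Blocking the card blocks every mode of use, contactless included."""
    card.blocked = True
    hotlist.add(card.pan)


def authorise(card: CardState, amount: float, pin_verified: bool, hotlist: set) -> str:
    """Decide one contactless authorisation: APPROVE, PIN_REQUIRED or DECLINE."""
    if card.blocked or card.pan in hotlist:
        return "DECLINE"                      # a blocked card cannot be tapped either
    if amount > CONTACTLESS_LIMIT_EUR and not pin_verified:
        return "PIN_REQUIRED"                 # above the low-value cap
    over_count = card.taps_since_pin >= MAX_TAPS_WITHOUT_PIN
    over_spend = card.spent_since_pin + amount > MAX_CUMULATIVE_EUR
    if (over_count or over_spend) and not pin_verified:
        return "PIN_REQUIRED"                 # the "from time to time" PIN challenge
    if pin_verified:
        card.taps_since_pin, card.spent_since_pin = 0, 0.0   # challenge passed: reset
    else:
        card.taps_since_pin += 1
        card.spent_since_pin += amount
    return "APPROVE"


def exposure_before_challenge() -> float:
    """Upper bound on spend possible without the PIN before a challenge is forced."""
    return min(MAX_TAPS_WITHOUT_PIN * CONTACTLESS_LIMIT_EUR, MAX_CUMULATIVE_EUR)
```

Under these assumed thresholds the unchallenged exposure is EUR 100, and a block placed after a loss report declines even a EUR 5 tap.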

In my view, the AG's acceptance of the facts and reasoning on this point also runs contrary to the conclusion (covered in the first post) that the contactless functionality could be a separate payment instrument in its own right, since the blocking procedures for the card encompass the contactless functionality.

Of course, under Irish law, the incorrect statements in the bank's terms would also raise issues under the law of misrepresentation or mistake, for example, which can affect the formation, existence and enforceability of the contract (or at least the offending provisions) in the first place.