Sunday, 17 May 2020

Are [Low Value] Contactless Card Payments "Anonymous"? Yes! [Updated]

This is the third post in a series about some awkward issues under PSD2 that were recently referred to the European Court of Justice. The initial post sets out the four issues referred and the facts. The second post addresses the Advocate General's opinion that the contactless feature of a credit or debit card is a separate payment instrument in its own right. Here, I comment on the AG's view that making contactless payments with a debit or credit payment card means the cardholder is using the card "anonymously". Again, this is contrary to two previous judgments in the Austrian courts.
 
[Update, spoiler alert 17.11.20: the ECJ agreed with the AG! See end of this post]

This matters, because PSD2 would apply differently to contactless payments if they were carried out using a separate payment instrument, rather than as just another card payment. In addition, payment service providers could escape certain liability for anonymous transactions (which the bank in this case sought to do) and contactless payments would (strangely) not be subject to the obligation of strong customer authentication in the relevant PSD2 regulatory technical standard. Specifically, the bank could escape the liability if contactless functionality is treated separately as a "payment instrument which, according to the framework contract, solely concerns individual payment transactions not exceeding EUR 30... if the payment instrument is used anonymously or [the bank] is not in a position for other reasons which are intrinsic to the payment instrument to prove that a payment transaction was authorised."

In this case, the bank stated in its card terms (the "framework contract") that it "shall not have to prove" and it "is unable to prove" that low value transactions were authorised and not defective.

The Austrian regional appeal court held that the contactless functionality on a multifunctional payment card just creates a separate processing category, like mail-order telephone order (MOTO), but for low-value purchases; and the contactless functionality is personalised by virtue of being protected by the need for a PIN to be entered from time to time. 

The Advocate General considers that contactless payments using the contactless functionality on a debit or credit card are "depersonalised" and "anonymous" because the communication between the contactless functionality and the terminal "is sufficient to validate the transaction, irrespective of who is in possession of the card at the time, and dispenses with the need for the cardholder to enter his PIN or provide a handwritten signature." 

There are numerous problems with this view.  

The AG cites analysis from the European Central Bank and the Euro Retail Payments Board. But I do not read anything in either report (on the development of contactless acceptance, and on the possibility of separate contact and contactless devices and procedures) as supporting the conclusion either that, where the same card can operate in both modes, the two modes are separate instruments, or that the contactless mode is depersonalised or anonymous.

A payment card might be used by a third party (with or without authorisation) in either contact mode or contactless mode. Payment cards were notorious for high rates of fraud long before the introduction of contactless functionality. That in itself explains the industry's decision to introduce the Chip-and-PIN security measure over a decade before the statutory requirement for strong customer authentication in the relevant PSD2 regulatory technical standard. Indeed the report from the Euro Retail Payments Board referred to by the AG explains that adoption rates were still quite low even by 2015, and the ability for Chip-and-PIN cards to be used contactlessly was a key driver to improve adoption rates of Chip-and-PIN cards by making it quicker and more convenient to use them for lower value transactions, subject to the industry requirement to enter the PIN from time to time as a guard against unauthorised use. The contactless functionality merely creates the potential for choices to be made about whether and when the user must enter the PIN related to the card. The fraudster takes the risk of being detected if he does not have the PIN.

It is therefore odd to say that contactless functionality added to a card to improve its utility is somehow independent of the card, and that the requirement to be able, if and when challenged, to enter the Personal Identification Number set by the cardholder (who must keep it secret) somehow renders the contactless use of the card "depersonalised" and "anonymous". Card issuers must also carry out "customer due diligence" on their cardholders, including identity verification and transaction monitoring.

The entry of the PIN and the lack of a report by the cardholder that the card has been stolen should also make it probable that the cardholder made the contactless transactions since the previous entry of the PIN. This means that the requirement to enter the PIN from time to time is also an important factor in determining the validity of contactless transactions, not to mention the customer identity verification and monitoring obligations that sit behind the issuance of the card/account and PIN. 

The AG also relied on the fact that the bank in this case delivered the cards with the contactless functionality automatically enabled so that cardholders might be unaware the functionality existed. Ironically, I would regard this as confirmation that the contactless functionality does not constitute a distinct payment instrument (let alone an anonymous one), and that this is a good basis for saying the bank could not then pretend that the feature was at all distinct. It is clear that, for practical purposes, the bank saw the contactless functionality as an inherent property of the card itself, not distinct.

Furthermore, the regulatory technical standard on strong customer authentication (SCA) requires that, when a card is used for a remote or other electronic payment transaction, the security credentials for the card (which do not vary between contact and contactless use) must be applied, unless the issuer of the payment instrument/account to which the security credentials relate applies one of the following exemptions:
    Low-value transactions: up to €30 per transaction (limit of five separate transactions or €100);
    Recurring transactions: e.g. subscriptions for the same amount and payee (SCA applied to the first transaction);
    Whitelisted: payers can add payees to a whitelist of trusted beneficiaries with the issuer, but payees can't request this;
    Corporate payment processes: dedicated process for non-consumers, approved by the regulator (member states may exclude micro-enterprises as consumers);
    Contactless: up to €50 (limit of five separate transactions or €150 without an SCA check);
    Unattended terminals: only for paying transport fares or parking fees;
    Low-risk of fraud: as determined by the issuer, depending on its average fraud levels for the relevant acquirer (not by merchant/channel), with different limit for cards and credit transfers.
Importantly, the European Banking Authority has said that the limit of five transactions needs to be calculated not on the basis of all transactions where the exemption could have been applied, but on the basis of transactions where the particular exemption was applied. This reflects the fact that certain scenarios may trigger the application of more than one exemption. So the use of the card to pay £2.50 at an unattended parking machine should not count towards your five contactless or low-value transactions.

Therefore, the regulatory SCA requirement poses a significant regulatory challenge to the notion of 'anonymous' use of a card's contactless functionality. The standard does not treat contactless as a separate instrument; it merely permits an issuer to allow the use of the card without the security credentials in seven scenarios, the contactless scenario being only one of them.
 
It would make no sense to consider the SCA requirements in the context of the contactless feature on its own, and it is worth noting that the Advocate General does not contend that the use of a payment card in each of the other scenarios benefiting from an exemption from SCA also constitutes a separate "payment instrument" in its own right.

It would also be wrong, however, to conclude (as the Advocate General has) that contactless payments are not themselves "subject to the obligation of strong customer authentication". The regulatory SCA standard requires that the customer's contactless use be challenged by a requirement to provide her security credentials once she has made five consecutive contactless payments since the credentials were last applied, or when the cumulative value of those payments would exceed €150. The attempted contactless use is then refused, and the cardholder is invited to insert the card into the terminal so that the credentials can be entered.
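To make the counting rules concrete, here is an added example (my own illustration, not code from the post, the Advocate General, the EBA or any issuer) of how an issuer might track the SCA exemption counters for one card across the scenarios discussed above: the €50 / €150 / five-transaction contactless limits, the €30 / €100 / five-transaction low-value limits, the unattended transport or parking terminal exemption, and the EBA's point that a transaction counts only towards the exemption actually applied. The thresholds are those the post lists; the state structure, the channel and merchant-type labels, the preference for the unattended-terminal exemption over the contactless one, and the exact point at which the challenge fires (the tap that would be the sixth consecutive contactless payment, or would take the cumulative total over €150) are assumptions made for the example, since how an issuer draws those lines is its own implementation choice.

```python
from dataclasses import dataclass

# Thresholds as listed in the post (SCA RTS: contactless, low-value remote, unattended terminals).
CONTACTLESS_MAX_PER_TXN = 50.0
CONTACTLESS_MAX_CUMULATIVE = 150.0
CONTACTLESS_MAX_CONSECUTIVE = 5
LOW_VALUE_MAX_PER_TXN = 30.0
LOW_VALUE_MAX_CUMULATIVE = 100.0
LOW_VALUE_MAX_CONSECUTIVE = 5

# Merchant types treated as "unattended terminal for transport fares or parking fees".
# Constructed labels for the example; a real issuer would derive this from merchant category codes.
UNATTENDED_TRANSPORT_PARKING = {"parking", "transport"}


@dataclass
class CardSCAState:
    """Issuer-side counters for one card, all measured since the last SCA (PIN entry).
    Hypothetical structure for this example, not any issuer's real schema."""
    contactless_count: int = 0
    contactless_total: float = 0.0
    low_value_count: int = 0
    low_value_total: float = 0.0

    def reset(self) -> None:
        """The security credentials were applied: every exemption counter restarts."""
        self.contactless_count = 0
        self.contactless_total = 0.0
        self.low_value_count = 0
        self.low_value_total = 0.0


def authorise(state: CardSCAState, amount: float, channel: str, merchant_type: str = "retail") -> str:
    """Decide whether one transaction may run without the card's security credentials.

    channel is 'contactless', 'remote' (card-not-present) or 'chip_pin'.
    Returns 'sca_applied', 'exempt:<exemption>' or 'sca_required'.  'sca_required'
    means the tap is refused and the cardholder must insert the card and enter the PIN,
    i.e. make a 'chip_pin' transaction, which then resets the counters.
    """
    if channel == "chip_pin":
        state.reset()
        return "sca_applied"

    if channel == "contactless":
        # Unattended transport/parking terminals are exempt regardless of amount, and the
        # transaction counts only towards the exemption actually applied (EBA), so it does
        # not consume the contactless allowance.  Preferring this exemption is an assumed
        # issuer choice.
        if merchant_type in UNATTENDED_TRANSPORT_PARKING:
            return "exempt:unattended_terminal"
        if (amount <= CONTACTLESS_MAX_PER_TXN
                and state.contactless_total + amount <= CONTACTLESS_MAX_CUMULATIVE
                and state.contactless_count < CONTACTLESS_MAX_CONSECUTIVE):
            state.contactless_count += 1
            state.contactless_total += amount
            return "exempt:contactless"
        return "sca_required"

    if channel == "remote":
        if (amount <= LOW_VALUE_MAX_PER_TXN
                and state.low_value_total + amount <= LOW_VALUE_MAX_CUMULATIVE
                and state.low_value_count < LOW_VALUE_MAX_CONSECUTIVE):
            state.low_value_count += 1
            state.low_value_total += amount
            return "exempt:low_value"
        return "sca_required"

    # Any other channel (e.g. a high-value attended purchase) must be authenticated.
    return "sca_required"


def run_sequence(transactions):
    """Replay a list of (amount, channel, merchant_type) transactions on a fresh card."""
    state = CardSCAState()
    return [authorise(state, amount, channel, merchant) for amount, channel, merchant in transactions]


# Constructed sample: five small contactless purchases with a parking fee in between, a sixth tap
# (challenged), a chip-and-PIN transaction that resets the counters, then the cumulative limit.
SAMPLE_TAPS = [
    (10.0, "contactless", "retail"),
    (10.0, "contactless", "retail"),
    (10.0, "contactless", "retail"),
    (10.0, "contactless", "retail"),
    (2.5, "contactless", "parking"),   # unattended parking machine: not counted
    (10.0, "contactless", "retail"),   # fifth consecutive contactless purchase
    (10.0, "contactless", "retail"),   # sixth: challenged
    (10.0, "chip_pin", "retail"),      # card inserted, PIN entered
    (50.0, "contactless", "retail"),
    (50.0, "contactless", "retail"),
    (50.0, "contactless", "retail"),   # cumulative now exactly 150
    (5.0, "contactless", "retail"),    # would exceed 150: challenged
    (60.0, "contactless", "retail"),   # above the per-transaction ceiling: challenged
]

if __name__ == "__main__":
    for txn, decision in zip(SAMPLE_TAPS, run_sequence(SAMPLE_TAPS)):
        print(f"{txn[1]:<12} {txn[2]:<8} {txn[0]:>6.2f} -> {decision}")
```

The replay shows the point made in the text: the parking fee never touches the contactless counters, the sixth consecutive tap and the tap that would breach €150 are both refused and pushed to chip-and-PIN, and a PIN entry restarts every counter.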

My next post will address the Advocate General's view on the third issue raised in proceedings - in effect that it is not technically feasible for an issuer to block the contactless use of a payment card or prevent further use of the payment instrument if it is lost, stolen, misappropriated or used without authorisation. 

Post Script 17.11.20

The ECJ has agreed with the AG:

"...the use of the NFC functionality for the purpose of making low-value payments constitutes ‘anonymous’ use, within the meaning of Article 63(1)(b) of [PSD2], even where the card equipped with that functionality is associated with the bank account of a particular customer. In such a situation, the payment service provider is objectively unable to identify the person who paid using that functionality and thus unable to verify, or even prove, that the transaction was duly authorised by the account holder... 

...a contactless low-value payment using the NFC functionality of a personalised multifunctional bank card constitutes ‘anonymous’ use of the payment instrument in question, within the meaning of that derogation provision. 

Yet this is not only inconsistent with the facts, in my view, but also with the ECJ's own finding on the question of whether the instrument allows blocking or prevention of further use under Article 63(1)(a), where the ECJ held that the bank bears the onus of proof in order to rely on the derogation. In that respect the bank was not allowed merely to assert in the contract that it is impossible to block the payment instrument concerned or to prevent its continued use, where, in the light of the objective state of available technical knowledge, that impossibility cannot be established; yet here, on the question of anonymity, the ECJ has done that job for the bank!

Where this leaves the use of SCA in relation to NFC payment transactions is unclear, but banks and other payment service providers who issue NFC functionality may agree with customers that:

  • the provider need not prove the authentication and execution of payment transactions;
  • the service provider is not liable for unauthorised payment transactions; and
  • the payer loses both the cap of EUR 50 on losses resulting from such transactions and the protection against bearing any losses after notification to the provider of the loss, theft or misappropriation of the payment instrument.
