Wednesday, 13 May 2020

Is The Contactless Payment Function In a Payment Card a Separate Payment Instrument? Yes! [Updated]

This is the second in a series of posts about a case referred to the European Court of Justice that raises some awkward issues under PSD2. The initial post sets out the four issues on which the Advocate General has expressed his opinion, and the facts in the case. This post addresses the AG's opinion on the first question, namely that the contactless feature of a credit or debit card is a separate payment instrument in its own right, contrary to two previous judgments in the Austrian courts.

This matters, because PSD2 would apply differently to contactless payments if they were carried out using a separate payment instrument, rather than as just another card payment.

[Update, Spoiler alert 17.11.20: the ECJ has agreed with the AG! See end of this post] 
 
Let me know if I can help you with any of these issues.

What is a payment instrument?

A "payment instrument" is defined in PSD2 as:
"any personalised device and/or set of procedures agreed between the payment service users and the payment service provider and used in order to initiate a payment order".
The Advocate General cites extensive debate on whether or not the word "personalised" applies to both "device" and "set of procedures", since EU countries are split in how they have transposed the definition in their national laws implementing PSD2. One group of member states (France, Spain etc) did not apply "personalised" to "set of procedures". The Germans applied "personalised" expressly to both "device" and "set of procedures" and the rest (the Netherlands, UK etc) copied the definition as set out in the directive, leaving the issue open. In any event, the Advocate General has said that "it must be agreed that the definition... allows for personalised and depersonalised or anonymous varieties" of payment instruments, citing the ECJ's judgment in the T-Mobile Austria case that payment instruments may be either:
  • personalised, which is to say that they allow the payment service provider to verify that the payment order was initiated by a user authorised to do so; or
  • anonymous or non-personalised, in which case the payment service providers are not required to prove that the transaction in question was authenticated.
My own view is that T-Mobile Austria is correct (though it's important not to get too caught up in the difference between "anonymous" and "non-personalised"). Indeed, this interpretation allows for 'virtual cards' where no physical plastic is created yet they are still personalised, while the French/Spanish interpretation could mean virtual cards are not payment instruments in those countries!

But in my view this distinction should be irrelevant in the present case, since the contactless use of an NFC-enabled payment card is neither "anonymous" nor "non-personalised", as I'll explain in my next post on the second issue being referred to the ECJ. However, the Advocate General clearly relies quite heavily on the scope for non-personalised payment instruments in his view that the contactless feature is a payment instrument in its own right.

Is NFC functionality of a payment card a separate payment instrument? 

It seems unnecessary to get into all of the technical detail of how near-field communication (NFC) or other technology enables a payment card to be used 'contactlessly', by waving it near a terminal to initiate the relevant payment transactions rather than swiping the card or inserting it into the terminal and entering a personal identification number (PIN). The AG's opinion refers to technological "formats based mainly on ISO 14443", but it should be noted that the industry actually develops NFC solutions to the EMV specification that began with contact-based Chip and PIN (under ISO/IEC 7816 for contact cards) and contactless functionality [note, you must agree EMVCo's terms to access the spec]. I think that's an important sign-post to the many stakeholders and systems potentially impacted by the case in point.

The first Austrian court held that the contactless feature was not to be viewed as a distinct low-value payment instrument, because the same card could be used to make other payments. The regional appeal court held that the contactless functionality just creates a separate processing category, like mail-order telephone order (MOTO), but for low-value purchases; and it is personalised by virtue of being protected by the need for a PIN to be entered from time to time.

However, the Advocate General has said that a 'multifunctional' payment card features two different payment instruments:
  • a personalised device which requires the use of one or two security elements (strong authentication) and is reserved for payments from a certain value
  • a set of procedures for making low-value payments without using those security elements, via NFC functionality.
In reality the NFC feature cannot be used independently of the card it resides upon - the user has to wave the card near an NFC-enabled terminal. In addition, the NFC feature is technically configured under the industry (non-regulatory) standards so that the security credentials (PIN) must be entered from time to time. Therefore, the language quoted above shows the card and the NFC feature must constitute the same payment instrument, with the NFC feature merely creating the potential for choices to be made about whether and when the user must enter the security credentials related to the card.

Furthermore, the regulatory technical standard on strong customer authentication (SCA) legally requires that the security credentials be applied, unless the issuer of the payment instrument/account to which the security credentials relate applies any of the following exemptions:
  • Low-value transactions: up to €30 per transaction (limit of five separate transactions or €100);
  • Recurring transactions: e.g. subscriptions for the same amount and payee (SCA applied to the first transaction);
  • Whitelisted: payers can add payees to a whitelist of trusted beneficiaries with the issuer, but payees can't request this;
  • Corporate payment processes: dedicated process for non-consumers, approved by the regulator (member states may exclude micro-enterprises as consumers);
  • Contactless: up to €50 (limit of five separate transactions or €150 without an SCA check);
  • Unattended terminals: only for paying transport fares or parking fees;
  • Low risk of fraud: as determined by the issuer, depending on its average fraud levels for the relevant acquirer (not by merchant/channel), with different limits for cards and credit transfers.
Importantly, the European Banking Authority has said that the limit of five transactions needs to be calculated not on the basis of all transactions where the exemption could have been applied, but on the basis of transactions where the particular exemption was applied. This reflects the fact that certain scenarios may trigger the application of more than one exemption. So the use of the card to pay £2.50 at an unattended parking machine should not count towards your five contactless or low-value transactions.

Therefore, the regulatory SCA requirement cannot be seen as determinative of what amounts to a payment instrument. It merely dictates that an issuer may allow the use of the card without those credentials in seven scenarios, the contactless scenario being one.

It is worth noting that the Advocate General does not contend that the use of a payment card in each of the other scenarios benefiting from an exemption from SCA also constitutes a "payment instrument" in its own right.

In any case, there is only one set of credentials issued per card (it's hard enough for consumers to remember one PIN etc per card, let alone multiple PINs for different uses of the card!). Neither the industry EMV standard nor the regulatory SCA standard dictates distinct security credentials for different uses of the card.

It is also wrong, therefore, to conclude (as the Advocate General has) that contactless payments are themselves "not subject to the obligation of strong customer authentication". The regulatory SCA standard requires that the customer must be challenged to provide her security credentials either every fifth time she uses it or when a total transaction value of €150 is reached. This will result in the attempted contactless use being prevented, and an invitation to insert the card in the relevant terminal into which the credentials can be entered.
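To make the counting rule concrete, here is an added illustration that is not part of the original post and not the code of any issuer, scheme or regulator: an issuer-side authorisation check, in Python, that keeps per-card counters only for transactions where the contactless exemption was actually applied, so a parking payment exempted as an unattended-terminal transaction does not consume the contactless allowance (the EBA reading described above), and that refuses the tap and requires chip-and-PIN when the next contactless transaction would exceed the count or cumulative limits quoted above. The channel labels, the function names, the decision to treat both the five-transaction and the €150 limits as triggers, and the reading that five exempted taps are allowed with the sixth requiring SCA are all my assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits as the post states them for the contactless exemption: a per-transaction
# cap, plus a count and a cumulative amount since the cardholder last performed SCA.
CONTACTLESS_MAX_AMOUNT = Decimal("50")
CONTACTLESS_MAX_COUNT = 5
CONTACTLESS_MAX_CUMULATIVE = Decimal("150")


@dataclass
class CardState:
    """Issuer-side counters for one card. They track only transactions where the
    contactless exemption was actually applied, not every tap that could have used it."""
    contactless_count: int = 0
    contactless_total: Decimal = Decimal("0")

    def reset_after_sca(self) -> None:
        # A successful SCA (e.g. chip-and-PIN) opens a fresh contactless window.
        self.contactless_count = 0
        self.contactless_total = Decimal("0")


def authorise(state: CardState, amount: Decimal, channel: str) -> str:
    """Decide one transaction for the card described by `state`.

    `channel` is a constructed label (assumption): 'chip_pin' means SCA was performed,
    'unattended_parking' means the unattended-terminal exemption applies, and
    'contactless' is a tap that asks for the contactless exemption.
    """
    if channel == "chip_pin":
        state.reset_after_sca()
        return "sca_performed"
    if channel == "unattended_parking":
        # A different exemption applies. Per the EBA guidance in the post it is counted
        # on its own and does not consume the contactless allowance.
        return "exempt:unattended_terminal"
    if channel == "contactless":
        if amount > CONTACTLESS_MAX_AMOUNT:
            return "sca_required"
        if (state.contactless_count + 1 > CONTACTLESS_MAX_COUNT
                or state.contactless_total + amount > CONTACTLESS_MAX_CUMULATIVE):
            # The tap is refused; the terminal invites the cardholder to insert
            # the card and enter the PIN, after which the counters reset.
            return "sca_required"
        state.contactless_count += 1
        state.contactless_total += amount
        return "exempt:contactless"
    raise ValueError(f"unknown channel {channel!r}")


def run_sequence(txns):
    """Authorise a list of (amount, channel) pairs for a single card, in order."""
    state = CardState()
    return [authorise(state, Decimal(str(amount)), channel) for amount, channel in txns]


if __name__ == "__main__":
    # Constructed sample: five small taps, a parking payment at an unattended
    # terminal, a sixth tap (must fall back to chip-and-PIN), then a fresh window.
    sample = [(20, "contactless")] * 5 + [
        (2.50, "unattended_parking"),
        (10, "contactless"),
        (10, "chip_pin"),
        (10, "contactless"),
    ]
    for txn, decision in zip(sample, run_sequence(sample)):
        print(txn, "->", decision)
```

Because the counters belong to the card rather than to the channel, the check also shows the point made above: the contactless feature adds a decision about when the card's single set of credentials must be entered, but it does not carry credentials of its own.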

The Advocate General also believes that making the contactless feature a distinct payment instrument is justified by the need for users of NFC-enabled cards to receive "enhanced protection" and to promote fair and transparent competition between the issuers of such cards. However, PSD2 already addresses these points insofar as any payment service provider who fails to apply SCA (unless the issuer has applied an exemption) will be liable for any resulting unauthorised transaction, and could face enforcement action (now delayed to 14 September 2021).

The Portuguese and Czech governments also made submissions in the latest appeal to the effect that the contactless feature of a payment card is not a distinct payment instrument ("any personalised device and/or set of procedures agreed between the payment service users and the payment service provider and used in order to initiate a payment order"). The Portuguese pointed out that not even cards themselves are mentioned in the definition of payment instrument, yet are specifically mentioned elsewhere in PSD2 as ways of initiating payment transactions. The Czechs said the contactless functionality is merely one of the ways the card can be used.

I would go further by focusing on the fact that contactless use of a payment card does not alter the effect of using the card to "initiate a payment order". Recital 68 of PSD2 explains:
The use of a card or card-based payment instrument for making a payment often triggers the generation of a message confirming availability of funds and two resulting payment transactions. The first transaction takes place between the issuer and the merchant’s account servicing payment service provider, while the second, usually a direct debit, takes place between the payer’s account servicing payment service provider and the issuer. Both transactions should be treated in the same way as any other equivalent transactions.
It is clear from the balance of the Recital 68 that if the same payment transactions flow from the use of the card with or without the security credentials, then they are to be treated the same (subject to the 'liability shift' and potential enforcement action related to any failure to use the credentials where the issuer requires). Indeed, this is also consistent with the need for 'technological neutrality', which the Advocate General has ironically said somehow requires the separate treatment of the contactless feature. The fact that a debit card and credit card can also reside on the same multi-functional card does not alter the fact that the card itself is still the single payment instrument in each use-case, with the one set of security credentials.

Nothing turns on the use of both the terms "card" and "card-based payment instrument". These are used interchangeably in the recitals to PSD2. In the main text of PSD2, the term "card-based" is generally used to refer to any payment instrument/transaction involving a payment card. The only exception is that the expression "execution of payment transactions through a payment card or a similar device" is included among the activities that constitute the "Execution of a payment transaction", which are two types of regulated "payment service" (depending on whether credit is also involved). So, if the Advocate General were correct in holding that the contactless element of a payment card constitutes a separate payment instrument distinct from the card, then it would follow that executing the related payment transactions is not a regulated activity because they are not executed "through a payment card"...

In the next post, I will address the Advocate General's view that making low-value contactless payments with a multifunctional card means the cardholder is using the card "anonymously" (which would mean contactless payments are not subject to the obligation of strong customer authentication in the relevant PSD2 regulatory technical standard mentioned above).

Post script 17.11.20:
 
The ECJ has agreed with the AG:

"...the NFC functionality of a personalised multifunctional bank card, by means of which low-value payments are debited from the associated bank account, constitutes a ‘payment instrument’, as defined in that provision."
 
Again, this suggests that the ensuing payment transaction is not "through a payment card or similar device" and NFC payment transactions are not 'card-based'. This calls into question how the execution of NFC payment transactions is regulated.
