In the first of a two part article, Simon Deane-Johns looks at some surprising consequences (if followed) of the Advocate General’s opinion on contactless payments in Denizbank. In Part 1, he sets out the facts and why the outcome will be so important. Part 2 will look at the questions of whether contactless payments are anonymous.
Fans of the adage "A hard case makes bad law" will wince as the regulatory and contractual treatment for contactless credit cards and debit cards is at risk owing to the misadventures of a single Austrian bank. I would hope that the industry is alive to the problem and is finding a way to improve the bank's arguments and save the day.
Alarmingly, the Advocate General of the European Court of Justice has given his opinion on certain questions referred by the Austrian Supreme Court to the effect that:
I have set out below the facts and my thoughts on each of these issues.
Why is this important?
These issues matter because:
4. it will become very expensive in time and resources to re-issue contracts to large numbers of customers, many of whom will simply not bother to open and/or reply without significant prompting, and in many cases services would simply cease working unexpectedly to customers’ detriment.
Near-field communication (NFC) technology enables the use of a payment card to be used 'contactlessly' by waving it near a terminal to initiate the relevant payment transactions, rather than swiping the card or inserting it into the terminal and entering a personal identification number (PIN).
The AG's opinion refers to technological "formats based mainly on ISO 14443" but it should be noted that the industry actually develops NFC solutions to the EMV specification that began with contact-based Chip and PIN (under ISO/IEC 7816 for contact cards) before adding contactless functionality.
When it began issuing cards with contactless functionality, the bank in this case decided to also amend its customer terms to avoid liability for unauthorised payments when the cards were used in contactless mode. The new terms said:
Like all payment service providers, the bank relied on the 'unilateral change' mechanism under PSD2 to introduce these changes to its terms. Customers would be deemed to have accepted the changes unless they notified the bank within two months that changes were not accepted, and terminated the contract.
Both the Austrian trial court and regional appeal court held that the contactless mode is not a payment instrument in its own right so the bank could not escape liability in this way. However, both parties appealed to the Austrian Supreme Court, which in turn referred the four key issues to the European Court of Justice. The preliminary step in ECJ proceedings is the filing of an Opinion of the Advocate General, with whom the court very often agrees.
The issues arose before the implementation of PSD2 but because the provisions under PSD2 are essentially the same as under the previous directive the ECJ's will determine the position under PSD2 as well.
What is a payment instrument?
The term "payment instrument" is defined in PSD2 as:
"any personalised device and/or set of procedures agreed between the payment service users and the payment service provider and used in order to initiate a payment order".
While EU member states are split on whether or not the word "personalised" applies to both "device" and "set of procedures", the ECJ held in the T-Mobile Austria case that payment instruments may be either:
- personalised, which is to say that they allow the payment service provider to verify that the payment order was initiated by a user authorised to do so; or
- anonymous or non-personalised, in which case the payment service providers are not required to prove that the transaction in question was authenticated.
Indeed, this interpretation allows for 'virtual cards' where no physical plastic device is created yet they are still personalised.
Is NFC functionality of a payment card a separate payment instrument?
The AG says that a 'multifunctional' payment card features two different payment instruments:
The first Austrian court held that the contactless feature was not to be viewed as a distinct low-value payment instrument because the same card could be used to make other payments. The regional appeal court held that the contactless functionality just creates a separate processing category, like mail-order telephone order (MOTO), but for low-value purchases; and it is personalised by virtue of being protected by the need for a PIN to be entered from time to time. The Czech government submitted that contactless functionality is merely one of the ways the card can be used.
The lower courts must be right.
On the facts, even if the contactless functionality were construed as a payment instrument in its own right, as the AG suggests, the bank would still fail because, according to the bank's framework contract, the payment instrument does not "solely concern individual payment transactions not exceeding EUR 30." The contract provided that the cards can be used for higher value payments requiring the entry of a PIN; and the clauses relevant to low-value transactions use language such as "when the debit card is used to make low-value payments without entering a PIN" and "any risk of misuse of the payment card for low-value payments not requiring a PIN" and "the debit card cannot be blocked for low value payments made without entering a PIN."
In reality, the NFC feature cannot be used independently of the card it resides upon: the user has to wave the card near an NFC-enabled terminal, and the NFC feature is technically configured under the industry (non-regulatory) standards so that the security credentials must be entered from time to time.
Even the highlighted language in the AG’s opinion demonstrates that the card and the NFC feature must constitute the same payment instrument. The NFC feature merely creates the potential for choices to be made about whether and when the user must enter the security credentials related to the card.
Furthermore, it is a legal requirement under the regulatory technical standard that requires strong customer authentication (SCA) that the security credentials must be applied, unless the issuer of the payment instrument/account to which the security credentials relate applies any of the following exemptions:
It would also be wrong, therefore, to conclude (as the AG has) that contactless payments are themselves "not subject to the obligation of strong customer authentication". The regulatory SCA standard requires that the customer must be challenged to provide her security credentials either every fifth time she uses it or when a total transaction value of €150 is reached. This will result in the attempted contactless use being prevented, and an invitation to insert the card in the relevant terminal into which the credentials can be entered.
Certain scenarios may trigger the application of more than one exemption, so the European Banking Authority has said that the limit of five transactions needs to be calculated not on the basis of all transactions where the exemption could have been applied, but on the basis of transactions where the particular exemption was applied. So the use of the card to pay £2.50 at an unattended parking machine should not count towards your five contactless or low-value transactions.
Both the industry and regulatory standards proceed on the basis that there is only one set of credentials issued per card (it's hard enough for consumers to remember one PIN etc per card, let alone multiple PINs for different uses of the card!). Neither the industry EMV standard nor the regulatory SCA standard dictates distinct security credentials for different uses of the card.
Just as the industry standard that requires the entry of the PIN from time to time, the regulatory standard merely provides that an issuer may allow the use of the card without those credentials in seven scenarios, the contactless scenario being one. It would make no sense to consider the SCA requirements in the context of the contactless feature on its own, and it is worth noting that the Advocate General does not contend that the use of a payment card in each of the other scenarios benefiting from an exemption from SCA also constitutes a "payment instrument" in its own right.
The Advocate General also believes that making the contactless feature a distinct payment instrument is also justified by the need for users of NFC-enabled cards to receive "enhanced protection" and to promote fair and transparent competition between the issuers of such cards. However, PSD2 already addresses these points insofar as any payment service provider who fails to apply SCA (unless the issuer has applied an exemption) will be liable for any resulting unauthorised transaction, and could face enforcement action (now delayed to 14 September 2021)).
It is also important to recognise that contactless use of a payment card still represents the use of the card to "initiate a payment order" and PSD2 therefore requires the resulting transactions to be treated in the same way as other transactions initiated by the card (subject to the 'liability shift' and potential enforcement action related to any failure to use the credentials where the issuer requires). This is consistent with recital 68:
The use of a card or card-based payment instrument for making a payment often triggers the generation of a message confirming availability of funds and two resulting payment transactions. The first transaction takes place between the issuer and the merchant’s account servicing payment service provider, while the second, usually a direct debit, takes place between the payer’s account servicing payment service provider and the issuer. Both transactions should be treated in the same way as any other equivalent transactions.
This is also consistent with the need for 'technological neutrality', which the Advocate General has ironically said somehow requires the separate treatment of the contactless feature. The fact that a debit card and credit card can also reside on the same multi-functional card does not alter the fact that the card itself is still the single payment instrument in each use-case, with the one set of security credentials.
Finally, the terms "card" and "card-based payment instrument" are used interchangeably in the recitals to PSD2, while the term "card-based" is generally used in the operative provisions and refers to any payment instrument/transaction involving a payment card. The only exception is that the expression "execution of payment transactions through a payment card or a similar device" is included among the activities that constitute a regulated "payment service". So, if the AG were correct in holding that the contactless element of a payment card constitutes a separate payment instrument distinct from the card, then it would follow that executing the related payment transactions is not a regulated activity because they are not executed "through a payment card"... This would be confusing for PSPs and a very unfortunately outcome for consumers.
In Part II, to be published in online in July, Simon looks at whether a contactless payment is anonymous and whether the days of the unilateral change clauses are coming to an end. This article has been adapted from a series of posts originally published on Simon's blog, The Fine Print.
Simon Deane-Johns, Consultant Solicitor, Keystone Law and Chair of the SCL Advisory Board