The European Court of Justice has strengthened the position of consumers in the EU in the event of the loss of a bank card with a contactless payment function.
According to a ruling on Wednesday, the customer does not bear the risk for payments made after he has reported the loss of the card to the bank. The bank cannot simply claim that it is technically impossible to block the near field communication (NFC) function used for contactless payment, the Luxembourg judges ruled (case C-287/19). Banks generally do not require a PIN to be entered for contactless payments of up to 25 euros with NFC cards or a smartphone. The German banking industry raised this limit to 50 euros during the coronavirus crisis.
The background is a lawsuit filed by the Austrian consumer information association (VKI) against DenizBank's general terms and conditions for NFC cards. In them, the bank excludes, among other things, its liability for unauthorized payments. It also states that the account holder bears the risk of NFC misuse if the card is lost, and that this function cannot be blocked if the card is lost. In the proceedings before the Austrian Supreme Court, DenizBank "disputed the VKI's argument that such a blocking was technically possible," a position the ECJ did not accept.
The Luxembourg judges have now made it clear that contactless payment is an anonymous payment instrument within the meaning of the relevant EU directive and that this allows the bank to reduce its liability. But the bank cannot simply claim that blocking the card is technically impossible if this is demonstrably false. The customer must be able to report the loss or misuse of the card immediately and free of charge. After such a report, the customer must not suffer any financial consequences unless he has acted with fraudulent intent.
The transmission of payment data via near field communication (NFC) is generally considered secure and mature. Since the distance between the bank card or smartphone and the payment terminal may be only a few centimeters, the transmitted data record ("token") cannot be intercepted remotely. This is what distinguishes NFC from Bluetooth radio technology. Moreover, the encrypted token is valid only for this one payment transaction and cannot be reused.
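To make the single-use property and the blocking question concrete, here is a simplified model added as an illustration; it is not the EMV contactless protocol and not code from the court, the bank or the BSI. It assumes that a card and its issuer share a secret key and a transaction counter, and it shows three issuer-side checks that follow from the article: a replayed or altered token is rejected, amounts above the 25-euro limit need a PIN, and a card reported lost is declined from the moment of the report. The key, amounts and timestamps are constructed.

```python
import hmac
import hashlib

# Simplified model (constructed for illustration, not the EMV/contactless protocol):
# the card and the issuer share a secret key and a monotonically increasing counter.
# A payment "token" is the counter plus a MAC over (counter, amount, terminal id).

CONTACTLESS_PIN_LIMIT_CENTS = 2500   # no PIN for contactless payments up to 25 euros


class Card:
    """Card side: holds the shared key and the transaction counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def pay(self, amount_cents: int, terminal_id: str) -> dict:
        # Every tap consumes a fresh counter value, so each token is single-use.
        self.counter += 1
        msg = f"{self.counter}|{amount_cents}|{terminal_id}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        return {"counter": self.counter, "amount": amount_cents,
                "terminal": terminal_id, "mac": mac}


class Issuer:
    """Issuer side: verifies tokens and enforces replay, PIN-limit and loss-report rules."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.lost_reported_at = None   # constructed timestamp of the loss report, if any

    def report_lost(self, at: int) -> None:
        self.lost_reported_at = at

    def authorize(self, token: dict, at: int, pin_verified: bool = False) -> str:
        # Declining every payment after a loss report is an ordinary issuer-side check.
        if self.lost_reported_at is not None and at >= self.lost_reported_at:
            return "declined: card reported lost"
        msg = f"{token['counter']}|{token['amount']}|{token['terminal']}".encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["mac"]):
            return "declined: invalid token"
        # A token whose counter is not newer than the last accepted one is a replay.
        if token["counter"] <= self.last_counter:
            return "declined: replayed token"
        if token["amount"] > CONTACTLESS_PIN_LIMIT_CENTS and not pin_verified:
            return "declined: PIN required above limit"
        self.last_counter = token["counter"]
        return "approved"


def run_scenario() -> list:
    """Walk through the cases the article describes; returns the issuer's decisions."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # constructed demo key
    card, issuer = Card(key), Issuer(key)
    results = []
    first = card.pay(1299, "TERM-001")
    results.append(issuer.authorize(first, at=100))                       # normal payment
    results.append(issuer.authorize(first, at=101))                       # same token again
    results.append(issuer.authorize(card.pay(4000, "TERM-001"), at=102))  # above limit, no PIN
    results.append(issuer.authorize(card.pay(4000, "TERM-001"), at=103, pin_verified=True))
    issuer.report_lost(at=200)                                            # customer reports loss
    results.append(issuer.authorize(card.pay(500, "TERM-002"), at=250))   # tap after the report
    return results


if __name__ == "__main__":
    for decision in run_scenario():
        print(decision)
```

The point of the counter check is that a token captured at one terminal is useless at a second one: the issuer has already seen that counter value, so the replay is declined without any need to detect the capture itself. The loss-report check shows that blocking contactless payments after a report is a matter of issuer-side policy, not a property of the NFC radio link.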
Since banks do not require a PIN to be entered at the POS terminal for smaller amounts up to 25 euros, it is at least theoretically possible for attackers to draw an unauthorized payment themselves. To do this, they would have to get within a few centimeters of the victim's NFC card with a small mobile terminal without being noticed, for example in a crowded subway train. However, this method of attack can be effectively thwarted by keeping an NFC-enabled credit or giro card in your wallet together with other NFC-enabled cards, since multiple NFC-enabled cards interfere with each other. This also works with the new ID card with NFC function.
The German Federal Office for Information Security (BSI) therefore considers it "unlikely" that cards will be tapped "in passing". Those who nevertheless fear an unauthorized payment via NFC can put their credit or giro card in a shielding sleeve that prevents NFC communication. To pay via NFC, the card then has to be taken out of the sleeve each time.