Luxembourg (dpa) – If a bank card with a contactless payment function is lost, the Court of Justice of the European Union has strengthened the position of EU consumers.
According to a ruling on Wednesday, the customer does not bear the risk of payments made after the bank has been informed of the loss of the card. The bank cannot simply assert that it is technically impossible to block the so-called near field communication (NFC) function used for contactless payment, the Luxembourg judges ruled (case C-287/19). As a rule, banks do not require a PIN to be entered for contactless payments with NFC cards or a smartphone for amounts of up to 25 euros.
The background is a lawsuit brought by the Austrian Association for Consumer Information (VKI) against DenizBank's general terms and conditions for NFC cards. In them, the bank excludes its liability for unauthorized payments. It also states that if the card is lost, the account holder bears the risk of NFC misuse and that this function cannot be blocked once the card is lost. In the proceedings before the Austrian Supreme Court, according to the ECJ, DenizBank did not dispute "the VKI's argument that such a block was technically possible".
The Luxembourg judges made clear that contactless payment is an anonymous payment instrument within the meaning of the relevant EU directive (the Payment Services Directive, PSD2), which allows the bank to limit its liability. But the bank cannot simply claim that blocking the NFC function is technically impossible when that claim has been shown to be false. The customer must be able to report the loss or misuse of the card immediately and free of charge. After this report there may be no financial consequences for the customer, unless they acted with fraudulent intent.
Transmission of payment data via near field communication (NFC) is generally regarded as secure and mature. Because the distance between the bank card or smartphone and the payment terminal can be only a few centimeters, the transmitted data record ("token") cannot in practice be picked up from a distance. This distinguishes NFC from Bluetooth wireless technology. In addition, the cryptographically protected token is valid only for that one payment and cannot be replayed for another.
Because banks do not require a PIN to be entered at the POS terminal for smaller sums of up to 25 euros, it is at least theoretically possible for attackers to initiate an unauthorized payment themselves. To do so, they would have to bring a small mobile terminal to within a few centimeters of the victim's NFC card without being noticed, for example in a crowd. However, this attack can be effectively thwarted by keeping an NFC-enabled credit or debit card together with other NFC cards in the wallet, since several NFC-enabled cards in the reader's field interfere with each other: the terminal detects more than one card and declines to read any of them. This also works with the new German ID card and its NFC function.
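The one-time token and the 25 euro threshold described above can be made concrete with a small simulation. The following Python code is an added example, not code from the article, the court or any bank; it is a hypothetical, greatly simplified model of a card, terminal and issuer (the real EMV cryptogram, key derivation and message formats are not reproduced). It assumes a shared HMAC key between card and issuer, a per-card transaction counter, and constructed sample values (a dummy card number, amounts, nonces). It shows why a captured token cannot be replayed, why a token with a changed amount fails, why amounts above 25 euros need a PIN, and how a loss report blocks every later NFC transaction.

```python
import hashlib
import hmac
import secrets

# 25 euro no-PIN threshold mentioned in the article, in cents
CONTACTLESS_NO_PIN_LIMIT_CENTS = 2500


class Card:
    """Toy NFC card (hypothetical model, not EMV): shares a secret key with
    the issuer and keeps a monotonically increasing transaction counter."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan          # constructed sample card number, not a real PAN
        self._key = key
        self.atc = 0            # application transaction counter

    def generate_token(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Produce a one-time token bound to this card, counter, amount and
        terminal nonce. Changing any field invalidates the MAC."""
        self.atc += 1
        msg = f"{self.pan}|{self.atc}|{amount_cents}|{terminal_nonce.hex()}".encode()
        mac = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "nonce": terminal_nonce.hex(), "mac": mac}


class Issuer:
    """Toy issuer back end: verifies tokens, rejects replays, enforces the
    PIN threshold and honors loss reports by blocking the card."""

    def __init__(self):
        self._keys = {}       # pan -> shared key
        self._last_atc = {}   # pan -> highest counter already accepted
        self._blocked = set()

    def enroll(self, card: Card, key: bytes) -> None:
        self._keys[card.pan] = key
        self._last_atc[card.pan] = 0

    def report_lost(self, pan: str) -> None:
        """The loss report from the article: every further NFC token for
        this card is declined from now on."""
        self._blocked.add(pan)

    def authorize(self, token: dict, pin_verified: bool = False) -> tuple:
        pan = token["pan"]
        if pan in self._blocked:
            return (False, "blocked")
        key = self._keys.get(pan)
        if key is None:
            return (False, "unknown card")
        msg = f"{pan}|{token['atc']}|{token['amount']}|{token['nonce']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["mac"]):
            return (False, "bad cryptogram")      # amount or nonce tampered
        if token["atc"] <= self._last_atc[pan]:
            return (False, "replay")              # token already spent
        if token["amount"] > CONTACTLESS_NO_PIN_LIMIT_CENTS and not pin_verified:
            return (False, "pin required")
        self._last_atc[pan] = token["atc"]
        return (True, "approved")


def terminal_tap(card: Card, issuer: Issuer, amount_cents: int,
                 pin_verified: bool = False) -> tuple:
    """One contactless tap: the terminal supplies a fresh nonce, the card
    answers with a token, the issuer decides."""
    nonce = secrets.token_bytes(8)
    token = card.generate_token(amount_cents, nonce)
    return issuer.authorize(token, pin_verified)


def demo() -> list:
    """Walk through the scenarios from the text; returns the decisions."""
    key = secrets.token_bytes(32)
    card = Card("0000000000000000", key)   # constructed sample PAN
    issuer = Issuer()
    issuer.enroll(card, key)
    results = []
    # 1. small amount, no PIN: approved
    token = card.generate_token(1200, bytes(8))
    results.append(issuer.authorize(token))
    # 2. the same captured token presented again: replay
    results.append(issuer.authorize(token))
    # 3. amount above 25 euros: declined until the PIN has been verified
    results.append(terminal_tap(card, issuer, 4000))
    results.append(terminal_tap(card, issuer, 4000, pin_verified=True))
    # 4. attacker changes the amount in a captured token: MAC fails
    token = card.generate_token(500, bytes(8))
    results.append(issuer.authorize(dict(token, amount=1)))
    # 5. customer reports the loss: every later NFC token is declined
    issuer.report_lost(card.pan)
    results.append(terminal_tap(card, issuer, 500))
    return results


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The order of checks in `authorize` matters: the MAC is verified before the counter so that a tampered token is reported as such rather than as a replay, and the counter is only advanced on approval, so a tap declined for a missing PIN can be retried after PIN entry. The blocked-card check comes first, which is the technical counterpart of the court's point that a loss report must take effect regardless of whether the card itself can still be read.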
The Federal Office for Information Security (BSI) therefore considers it "unlikely" that cards will be read "in passing". Anyone who nevertheless fears an unauthorized NFC payment can keep their credit or debit card in a shielding sleeve that blocks NFC communication. To pay via NFC, the card then has to be taken out of the sleeve each time.