Contactless payment: ECJ empowers consumers when they lose their bank cards
Source: Heise.de, added 11th Nov 2020

The European Court of Justice has strengthened the position of EU consumers who lose a bank card with a contactless payment function. According to a ruling on Wednesday, the customer does not bear the risk for payments made after reporting the loss of a card to the bank. The bank cannot simply claim that it is technically impossible to block the so-called near field communication (NFC) function for contactless payment, ruled the Luxembourg judges (case C-287/19). Banks generally do not require a PIN code for contactless payments with NFC cards or a smartphone for amounts up to 25 euros.
Blocking not technically impossible

The background is a lawsuit by the Austrian Association for Consumer Information (VKI) against DenizBank's general terms and conditions for NFC cards. In these, the bank excludes its liability for unauthorized payments. It also states that if the card is lost, the account holder bears the risk of NFC misuse and that this function cannot be blocked if the card is lost. According to the ECJ, in the proceedings before the Austrian Supreme Court DenizBank did not dispute “the VKI’s argument that such a blocking was technically possible”.
The Luxembourg judges have now made it clear that contactless payment is an anonymous payment instrument within the meaning of the relevant EU directive and that this allows the bank to ease its liability. But the bank cannot simply claim that blocking the card is technically impossible when that claim has been proven wrong. The customer must be able to report the loss or misuse of the card immediately and free of charge. After this report, there should be no financial consequences for the customer, unless he acted with fraudulent intent.
The transmission of payment data via Near Field Communication (NFC) is largely secure and mature. Since the distance between the bank card or a smartphone and the payment terminal may only be a few centimeters, the transferred data record (“token”) cannot be intercepted remotely. This is what distinguishes NFC from Bluetooth wireless technology. In addition, the encrypted transmitted token is only valid for this one payment process and cannot be used multiple times.
Secret debits unlikely

Since the banks do not require a PIN to be entered at the POS terminal for smaller sums up to 25 euros, it is at least theoretically possible for attackers to trigger an unauthorized payment themselves. To do this, they would have to bring a small mobile terminal unnoticed to within a few centimeters of the victim’s NFC card, for example in a crowded subway. However, this attack method can be effectively thwarted by keeping an NFC-enabled credit or giro card together with others in the wallet, as several NFC-enabled cards block each other. This also works with the new ID card with NFC function.
The Federal Office for Information Security (BSI) therefore considers it “unlikely” that cards will be tapped “in passing”. Anyone who fears an unauthorized payment process through NFC can also put their credit or giro card in a shielding cover that prevents communication through NFC. To pay via NFC, the card would always have to be removed from the case.
(mho)