PDF version of: Contactless Fraud: Does the Bank Pay? A Complete Guide to Refunds

This is a PDF version of the content. For the complete and up-to-date version, visit:

https://blog.tuttosemplice.com/en/contactless-fraud-does-the-bank-pay-a-complete-guide-to-refunds/


Contactless Fraud: Does the Bank Pay? A Complete Guide to Refunds

Author: Francesco Zinghinì | Date: 7 January 2026

Contactless payments have become a daily gesture, a symbol of modernity grafted onto a culture, like the Italian one, still tied to the tradition of cash. We bring our card, smartphone, or smartwatch close to the POS and, in an instant, the purchase is concluded. However, this speed and convenience raise a crucial question: what happens if someone uses our card without authorization? In the case of fraudulent contactless transactions, who foots the bill? The answer lies in a precise regulatory balance that protects the consumer but also requires their attention.

European regulations, implemented in Italy, establish clear rules regarding the liability of credit institutions and customers. Understanding this framework is fundamental to navigating the world of digital payments safely, knowing how to act in case of fraud and what your rights are. This complete guide explores responsibilities, refund procedures, and the steps to take to protect yourself, offering a compass to move between innovation and security.

The Context: Contactless Payments Between Innovation and Tradition

In Italy, the adoption of digital payments is constantly growing, but it coexists with a strong attachment to cash, rooted in Mediterranean culture. This duality reflects a dialogue between innovation and tradition. On one hand, NFC (Near Field Communication) technology has made transactions faster and smoother, eliminating the need to insert the card and type the PIN for small amounts. On the other hand, the familiarity and perception of control offered by cash remain a reference point for many. Statistics show an exponential increase in the use of cards and digital wallets, a trend also accelerated by the pandemic. However, this change brings with it new concerns related to security and the possibility of increasingly sophisticated fraud.

The Reference Regulation: What Does the Law Say?

The regulatory framework governing liability in the event of electronic payment fraud is defined at the European level. The legislation aims to create a secure, innovative, and competitive payments market while protecting consumers. Banks and other payment service providers are required to adopt robust security measures and follow clear procedures in case of unauthorized operations, ensuring a high level of protection for users throughout the European Union.

The European PSD2 Directive: The Pillar of Protection

The main regulatory source is the Payment Services Directive 2 (PSD2), implemented in Italy with Legislative Decree no. 218 of 2017. This directive aims to increase the security of electronic payments and combat fraud. One of its pillars is the introduction of stricter requirements for transaction authentication, known as Strong Customer Authentication (SCA). PSD2 also clearly establishes the responsibilities of banks and customers, defining conditions and limits for refunds in the event of unauthorized transactions. Thanks to this regulation, the European consumer enjoys enhanced protection when using digital payment instruments.

Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA) is a security measure imposed by PSD2 to reduce the risk of fraud. It requires that to authorize an online payment or access their account, the user must use at least two of the following three authentication factors: knowledge (something only the user knows, like a password or PIN), possession (something only the user has, like the smartphone on which they receive a code), and inherence (something the user is, like a fingerprint or facial recognition). For low-value contactless payments (usually up to 50 euros), SCA is not always required for every single transaction, but it intervenes periodically (for example, after a certain number of consecutive operations or upon reaching a cumulative amount of 150 euros) to verify the holder’s identity.

The General Rule: Who Pays in Case of Fraud?

When a fraudulent contactless transaction occurs, the law establishes a very clear general principle to protect the consumer. Liability falls almost entirely on the payment service provider, i.e., the bank or card issuer. The credit institution is required to refund the customer unless it can prove that the operation was authorized or that the customer acted with fraud or gross negligence. This principle shifts the burden of proof to the bank, which must therefore adopt state-of-the-art security systems to protect its customers’ funds.

The Bank’s Liability

The bank has strict liability for the security of the payment instruments it provides. This means that, in the event of an unauthorized operation, it is required to immediately refund the amount to the customer, no later than the end of the business day following the report. The credit institution can avoid the refund only if it proves that the transaction was authenticated correctly and there were no technical malfunctions, or if it demonstrates that the customer acted fraudulently or with gross negligence. It is not enough for the bank to generically state that its systems are secure; it must provide concrete evidence that the anomaly is due to negligent behavior by the customer.

The Customer’s Liability Limit: The 50 Euro Deductible

Even when a customer suffers contactless fraud before managing to block the card, their financial loss is limited by law. The PSD2 regulation has set a maximum deductible borne by the consumer of only 50 euros for unauthorized operations carried out before the notification of theft or loss. This means that if a scammer makes purchases for 200 euros with your stolen card, the bank will have to refund you 150 euros. No deductible at all applies to operations carried out after the moment the card is blocked. This measure offers considerable peace of mind, knowing that even in the worst case, the potential loss is contained.

When is the Customer Liable? Cases of Gross Negligence

Although the law broadly protects consumers, there are exceptions. Protection is voided if the bank manages to prove the customer’s “gross negligence.” This is not simple carelessness, but behavior characterized by extraordinary and inexcusable negligence. For example, writing the PIN on the card itself, keeping the PIN and card together in an obvious way, or not promptly reporting the theft or loss to the bank are considered grossly negligent conduct. In these scenarios, the customer could be held liable for the entire stolen sum, as they failed to observe the most elementary rules of prudence in the custody of their payment instruments.

What to Do Immediately in Case of Card Theft or Loss

Realizing you have lost your card or suffered a theft can generate anxiety. However, acting quickly and methodically is fundamental to limiting damage and correctly starting the refund procedure. Following a few clear steps allows you to secure your funds and assert your rights with the bank. Timeliness is the most important factor in eliminating your liability for fraudulent operations.

Step 1: Block the Card Immediately

The first action to take, without hesitation, is to block the card. Every banking institution provides a toll-free number, active 24 hours a day, 7 days a week, precisely for this emergency. Many banks allow you to block it via the mobile banking app with a simple tap. This operation is crucial: from the moment of the block, any subsequent transaction can no longer be attributed to the customer. For a detailed guide on how to proceed, you can consult the article Lost or stolen card: block it immediately! The 3-step guide.

Step 2: File a Report with the Authorities

After blocking the card, it is necessary to go to the Carabinieri station or a Police station to file a report of theft or loss. Although the bank can start the refund process even without this document, the report is a formal act attesting to the event and will be required to complete the repudiation procedure. Keep a copy of the report, as you will need to attach it to the refund request to be submitted to your bank.

Step 3: Send the Refund Request to the Bank

With the copy of the report in hand, contact your bank to formally repudiate the fraudulent operations and request a refund. Each institution has its own forms and a specific procedure, often accessible online or via the app. It is important to list all unauthorized transactions and attach the required documentation. The bank will launch an internal investigation to verify the validity of the request. To further protect yourself, consider whether RFID protection is really needed for your wallet.

The Refund Procedure: Times and Methods

Once the repudiation request has been sent, the bank is required by law to refund the disputed amount by the end of the next business day, crediting the funds back to the customer’s account. This “immediate” refund can only be suspended if the institution has a well-founded suspicion of fraud by the customer themselves and communicates this to the supervisory authorities. Subsequently, the bank has the right to carry out its own investigations and, if it proves the customer’s gross negligence, it could re-debit the refunded amount. It is important to know that you have up to 13 months from the debit date to contest an unauthorized operation.

What Happens if the Bank Refuses the Refund?

If the bank denies the refund claiming gross negligence by the customer, but you believe you acted correctly, all is not lost. The first step is to file a formal complaint with the bank’s complaints office. If the response is still negative or does not arrive within the expected timeframe, it is possible to turn to the Banking and Financial Ombudsman (ABF). The ABF is an independent and impartial body that offers an alternative dispute resolution to the court, which is faster and cheaper. Its decisions, while not binding like a court judgment, are almost always respected by banks so as not to compromise their reputation.

Conclusions

The growing spread of contactless payments has simplified our daily lives but has also introduced new questions about security. The European PSD2 regulation offers a solid safety net for consumers, placing the main liability for fraud on banks and limiting the customer’s exposure to a maximum deductible of 50 euros. Knowing that, in the absence of gross negligence, a refund is a guaranteed right allows these innovative tools to be used with greater peace of mind. The key lies in adopting prudent behaviors, such as carefully guarding your credentials and acting extremely quickly in case of theft or loss. Being informed consumers is the first and most effective form of defense in the digital age, a perfect balance between embracing innovation and maintaining the tradition of prudence.

Frequently Asked Questions

What should I do immediately if I notice a contactless transaction I didn’t make?

You must contact your bank immediately to block the card and repudiate the operation. Subsequently, it is fundamental to file a report with the competent authorities (Police or Carabinieri) and send a copy to the bank, as often requested to complete the refund file.

Is the bank always obliged to refund me in case of contactless fraud?

In general, yes. According to European PSD2 regulations, the bank must immediately refund the stolen amount, no later than the end of the business day following the notification. However, the refund can be denied if the bank proves that you acted with fraud or “gross negligence”, for example, if you did not diligently guard the card or credentials.

Is there a maximum amount I risk losing if my card is stolen and used in contactless mode?

Yes. Your liability is limited. For unauthorized operations carried out before the notification of theft or loss, the law provides for a maximum deductible borne by you of 50 euros. After blocking the card, any subsequent fraudulent transaction is fully borne by the bank.

How does the bank protect me from contactless fraud?

Banks are obliged to adopt advanced security systems, as foreseen by the PSD2 directive. These include Strong Customer Authentication (SCA), which requires entering the PIN after a certain number of consecutive contactless operations (usually 5) or upon reaching a cumulative amount (usually 150 euros). Furthermore, they use monitoring systems to detect and block anomalous transactions.
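The thresholds quoted in the Strong Customer Authentication section above and in this answer (a per-transaction ceiling, a cumulative amount and a number of consecutive operations since the last PIN entry) can be modelled as a small per-card state machine. The following Python is an added example written for this guide, not code from the original article or from any bank or card scheme. It assumes the “usual” values given here (50 euros per transaction, 150 euros cumulative, 5 consecutive operations), that the issuer keeps two counters per card, and that any successful SCA restarts both counters; real issuer configurations may differ.

```python
from dataclasses import dataclass

# Thresholds quoted in this guide as the usual values; issuers and card
# schemes may configure different ones. Amounts are in euro cents so that
# money arithmetic is exact.
SINGLE_TX_LIMIT_CENTS = 50_00      # above this a contactless payment always needs the PIN
CUMULATIVE_LIMIT_CENTS = 150_00    # total spent tap-only since the last PIN entry
CONSECUTIVE_LIMIT = 5              # tap-only operations allowed since the last PIN entry


@dataclass
class ContactlessCounters:
    """Assumed per-card state an issuer keeps between contactless payments."""
    cumulative_cents: int = 0
    consecutive: int = 0

    def reset(self) -> None:
        # A successful SCA (PIN verified) restarts both counters.
        self.cumulative_cents = 0
        self.consecutive = 0


def sca_required(counters: ContactlessCounters, amount_cents: int) -> bool:
    """Decide whether this payment falls outside the low-value exemption."""
    if amount_cents > SINGLE_TX_LIMIT_CENTS:
        return True                                   # too large for tap-only
    if counters.cumulative_cents + amount_cents > CUMULATIVE_LIMIT_CENTS:
        return True                                   # would exceed the running total
    if counters.consecutive >= CONSECUTIVE_LIMIT:
        return True                                   # too many taps in a row
    return False


def process_contactless(counters: ContactlessCounters, amount_cents: int) -> str:
    """Apply the decision and update the counters.

    Returns "sca" when the terminal must ask for the PIN (after which the
    counters restart) or "exempt" when the payment goes through tap-only.
    """
    if sca_required(counters, amount_cents):
        counters.reset()
        return "sca"
    counters.cumulative_cents += amount_cents
    counters.consecutive += 1
    return "exempt"


def simulate(amounts_cents):
    """Run a sequence of payments on a fresh card and return each outcome."""
    counters = ContactlessCounters()
    return [process_contactless(counters, a) for a in amounts_cents]


if __name__ == "__main__":
    # Constructed sequences: six 20-euro taps hit the consecutive limit on the
    # sixth; three 49-euro taps followed by a 10-euro tap exceed the 150-euro total.
    print(simulate([20_00] * 6))
    print(simulate([49_00, 49_00, 49_00, 10_00]))
```

Run on the constructed sequences, the first produces five exemptions and then a PIN request, the second three exemptions and then a PIN request on the fourth tap even though it is well under 50 euros. The point for the cardholder is that the two counters together bound what can be spent tap-only on a lost card before the PIN is demanded; the 50-euro legal deductible discussed earlier is a separate rule that decides who bears that bounded loss.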

Is it true that thieves can steal my money simply by bringing a POS close to my bag?

Technically it is possible, but it is a rather low risk. A scammer would have to use a POS connected to an account traceable to them, thus leaving evident traces. Furthermore, contactless cards are protected by spending limits per single transaction (usually 50 euros) and cumulative limits which, once reached, require PIN entry, blocking further attempts. For greater security, shielded wallets (anti-RFID) can be used.