
TOWARDS A COMPREHENSIVE LEGISLATION ON LIABILITY:
A COMPARATIVE ANALYSIS OF LIABILITY RULES FOR UNAUTHORIZED
TRANSACTIONS IN CASE OF CARDING IN THE US, EU AND AUSTRALIA

{Final version, 19.109 words, excluding prefaces, footnotes, attachments and bibliography}

A Thesis of Master Program in Law and Technology


Universiteit van Tilburg

by
Safari Kasiyanto
866990

Supervisors:
Prof. J.E.J. Corien Prins
Dr. Ir. Mr. M.H. Maurice Schellekens

TILBURG
AUGUST 2009
Master Thesis in Law and Technology

Table of Contents

List of Figures and Table
List of Abbreviations
Preface

Chapter I
Introduction
1.1. Study Background
1.2. Research Questions
1.3. Aim and Trigger
1.4. Methodology
1.5. Structure

Chapter 2
Credit Cards, Credit Card Frauds, and Carding
2.1. Credit Card: An Overview
2.1.1 Credit Card Use in the US
2.1.2 Credit Card Use in the EU
2.1.3 Credit Card Use in Australia
2.2. Credit Card Frauds and Carding
2.2.1 Carding
2.2.2 Fraud Detections

Chapter 3
Regulatory Frameworks of Liability for Unauthorized Transactions in Different Countries
3.1 US
3.1.1 Introduction
3.1.2 Unauthorized Transaction
3.1.3 Liability for Unauthorized Transaction
3.1.4 Notification
3.1.5 Other Related Legislations
3.1.5.1 The CCFA
3.1.5.2 Fair Credit Billing Act (FCBA)
3.1.5.3 The FCRA
3.1.5.4 The FACTA
3.1.5.5 Identity Theft Acts
3.1.6 Case Laws
3.1.6.1 Case Laws before the TILA
3.1.6.2 Case Laws after TILA
3.1.7 Evaluation/Drawback
3.1.8 Conclusion
3.2 EU
3.2.1. Introduction
3.2.2. Unauthorized Transaction
3.2.3. Liability for Unauthorized Transaction
3.2.4. Notification and Gross Negligence
3.2.5. The PSD and the EFT Recommendation
3.2.6. Case Laws
3.2.7. Evaluation/Drawbacks
3.2.7.1. ‘Leave it to the judge’ to decide
3.2.7.2. Application of a presumption of negligence
3.2.7.3. Burden of proof in fact
3.2.7.4. Liability for card-not-present transactions
3.2.8. Conclusion
3.3 Australia
3.3.1 Introduction
3.3.2 Unauthorized Transaction
3.3.3 Liability for Unauthorized Transaction
3.3.4 Notification
3.3.5 Case Law
3.3.6 Evaluation: Advantages and Drawback
3.3.7 Conclusions

Chapter 4
Reasons Why the Present Regulatory Frameworks are not Adequate
4.1 Complexity of the Payment’s and the Fraud’s Methods
4.2 Implementation of the Laws: Burden of Proof in Fact
4.3 Third Party Liability
4.3.1 Shifting Liability from Issuer to Acquirer
4.3.2 Merchant’s Liability
4.4 Minimize the Fraud Losses, The Supposed Goal

Chapter 5
Concluding Remarks
5.1 Conclusions
5.2 Recommendations

Attachments
Attachment 1 Notification from Rabobank’s management concerning blocking of author’s card that has been skimmed
Attachment 2 A copy of skimmed card
Attachment 3 Correspondence between the author and Rabobank’s management concerning request to have a short discussion on skimmed card and its rejection
Attachment 4 Top ten countries in the world where the victims of identity theft live, data of 1 January-31 December 2008
Attachment 5 Two Examples of Phishing

Bibliography


List of Figures and Table

Figure 1 Relationship between Parties in Credit Card Transactions
Figure 2 The Four-Party Arrangement of Credit Card Payment
Figure 3 Credit Card Growth in the US in 2000, 2006 and projection in 2010
Figure 4 Number of Issued Credit Cards in the EU from 2003-2007
Figure 5 Credit Card Growth in Australia from 2000-2008
Figure 6 How Fraudulently Used Consumer Information is Obtained
Figure 7 How Fraud is Detected
Figure 8 How Length of Time for Fraud Detection Impacts Fraud Amount
Figure 9 Model of Liability Shifting among Parties Involved in Credit Card Mainstream

Table 1 Comparative analysis of regulatory frameworks on liability allocation for losses
resulting from unauthorized use of credit cards between the US, the EU and Australian laws


List of Abbreviations

ASIC Australian Securities and Investments Commission
ATM Automated Teller Machine
AUD Australian Dollar
CCFA Credit Card Frauds Act
EC European Commission
ECB European Central Bank
EDC Electronic Data Capture
EFT Electronic Funds Transfer
EFTCC Electronic Funds Transfer Code of Conduct
EU European Union
EUR Euro
FACTA Fair and Accurate Credit Transactions Act
FCBA Fair Credit Billing Act
FCRA Fair Credit Report Act
FTC Federal Trade Commission
JCB Japanese Credit Bureau
MOTO Mail Order Telephone Order
PIN Personal Identification Number
PSD Payment System Directive
RBA Reserve Bank of Australia
TILA Truth in Lending Act
US The United States of America
USD American Dollar


Preface
This thesis discusses the liability regimes for losses resulting from unauthorized use of credit
cards, specifically in case of carding, in three different jurisdictions: the US, the EU, and
Australia. The goals are to provide a comparative analysis of how those different legal
frameworks regulate liability for the losses and of how to improve the frameworks,
strengthening the consumer protection provisions and making the regulation more balanced.
It is to be hoped that the outcome can be a benchmark for Indonesia, the country
the author comes from, and for Bank Indonesia, the central bank of the Republic of Indonesia,
where the author works, in ruling on these issues.

My deepest gratitude goes to Professor J.E.J. Corien Prins, my study advisor as well as my
first thesis supervisor, who has always been so kind and patient in assisting the author during
the study as well as during the period of writing this thesis. It goes also to Dr. Ir. Mr. M.H.
Maurice Schellekens, the second supervisor, who has spent his valuable time assisting the
author, specifically during critical times.

Many thanks go to my fellow students: Bram P. Woltering, for sharing knowledge on how
to search for excellent and reliable literature and for giving valuable feedback on the early
draft; Daan de Vries and William C. Makwinja, for spending some of their precious time reading
the draft and giving useful information full of practical value; and all Indonesian students,
for spending time together to pursue a higher education degree here in the Netherlands. Finally,
no words can express my gratitude to my mother (RIP), who has been and will always be my
inspiration, my father, who keeps supporting me during my study and accompanying me for
the defense, and my little sister and brothers, who never tire of greeting me from my lovely
hometown.

Tilburg, 19 August 2009


Chapter I
Introduction

1.1. Study Background


It took a while for the world to accept the idea of using credit as a way of life, but when it did,
in the form of credit cards, it embraced it unambiguously.[1] According to data from the US
Census Bureau, there were almost 1.5 billion credit cards held by approximately 173 million
people in the US alone, with a debt of nearly USD886 billion in 2006.[2] In other parts of the
world, such as the EU member states and Australia, the number of credit card holders had
reached 142 million by 2007 for the EU[3] and 20.3 million by 2008 for Australia.[4] It is proof of
what Karl Marx said a couple of decades ago, that the credit system appears furtively, as it were,
in the beginning, but in the end it manifests itself as a gigantic social mechanism.[5]

One reason why credit cards have grown so rapidly is that they bring new
benefits in payments. Credit cards as a “new” method of payment have succeeded in replacing
older methods, such as cash. Among the advantages of this payment method are that it is
easy to use, flexible and convenient for consumers, and profitable for issuers as
well as merchants.[6] When shopping became available through the internet, credit cards
became the preferred payment method for internet shoppers.[7] However, the use of this
technological scheme has also brought new forms of crime, with fraudsters employing entirely
new technologies to manipulate it for illegal economic gain.[8] The crimes committed with
credit cards as payment methods vary from simple but ingenious types to
technologically advanced versions.[9] The aim of the crimes is mostly to obtain financial gain.[10]
Moreover, in many cases, it is obvious that credit card issuers as service providers fail to
recover funds from the fraudsters, since those criminals are rarely held accountable for their
fraudulent actions.[11] The unrecovered funds become financial losses, and these losses are very
significant. In 2004, total losses from fraud amounted to USD788.3 million, “slightly” down
from USD882.5 million in 2003.[12]

[1] The leading state in the use of credit cards as payment instruments is the US. This is discussed by
Menninger in Identity Theft and Other Misuses of Credit and Debit Cards. For details see Menninger,
Karl A., II, J.D., American Jurisprudence Proof of Facts 3d, Database updated December 2008,
Thomson Reuters/West, 2009, p. 5-8.
[2] Available at http://www.census.gov/compendia/statab/tables/09s1148.pdf, last visited on 27 February 2009.
[3] Based on data of the European Central Bank. In such data, a credit card is defined as a card with a
credit function. It is available at http://sdw.ecb.europa.eu/reports.do?node=1000001453, last visited
on 1 March 2009.
[4] Based on data presented by the Australian Payment Clearing Association, a self-regulatory
organization for the clearing of payment instruments in Australia. The data includes so-called
multifunction cards, and is available at
http://www.apca.com.au/Public/apca01_live.nsf/All/3B9C3340E2266555CA257553001C9607?OpenDocument,
last visited on 1 March 2009.
[5] Drury, Tony, and Ferrier W. Charles, Credit Cards, Butterworths, London, 1984, p. 3.

The question that arises is who will be liable when a credit card is fraudulently used for
(unauthorized) payments and the funds cannot be recovered from the fraudsters: the card issuer,
the holder/consumer or other third parties?[13] In order to elaborate on the answer, the
relationship between issuer, cardholder, and merchant needs to be outlined.[14] As shown in
Figure 1, the relationship among the parties in a credit card transaction is rather complicated,
although their legal position has never been tested in the courts.[15] The legal relationship
between the parties is mainly contractual, but there are also public laws that apply to several
issues outside contractual coverage. One important issue is who will be liable when a credit card
is fraudulently used and results in financial losses to the parties.

[6] Jones, A. Sally, The Law Relating to Credit Cards, BSP Professional Books, London, 1989, p. 12-15.
In this book, Jones uses the terms creditor, debtor, and supplier instead of issuer, user/consumer,
and merchant.
[7] Based on the result of a survey conducted by Global Concepts, Inc., during May-August 1995. The
consumers ranked credit cards as their first preference of payment method for making purchases
on-line. A similar survey with the same result had also been conducted by principal of credit cards.
For details see Gainer, Randy, Allocating The Risk of Loss for Bank Card Fraud on the Internet, John
Marshall Journal of Computer and Information Law, Fall 1996, p. 1, f.n. 5.
[8] Sharma, Dhruv, and Thakur Divyang, Data Theft: An Emerging Crime in the Information Technology &
Intellectual Property Regime (with Special References to Credit Card Frauds), p. 5-7, available at
http://ssrn.com/abstract=1103286, last visited on 25 February 2009.
[9] Sharma, Ibid. Credit card frauds, in particular carding, will be discussed more extensively in
Chapter 2.
[10] See Wall, David S., Cybercrime, Polity Press, Cambridge, UK, 2007, p. 72-102. In his book, Wall
does not discuss specific issues of credit card fraud but elaborates in great detail on
computer-assisted crimes such as virtual robberies, scams and thefts. It can be concluded, however,
that all those crimes leave financial losses to the consumers and financial institutions.
[11] See Chaikin, David, Network Investigations of Cyber Attacks: The Limits of Digital Evidence, Crime
Law Soc Change (2006) 46:239-256, 15 March 2007, p. 239. In this article, Chaikin highlights the
limits of digital evidence as one important reason causing the failure of criminal prosecutions.
[12] The Nilson Report No. 830, March 2005 in Cheney, Julia S., Identity Theft: Do Definitions Still
Matter?, Discussion Paper, Payment Card Center, Federal Reserve Bank of Philadelphia, August 2005, p. 8.

Figure 1 Relationship between Parties in Credit Card Transactions

Different legal systems in different countries or regions have different regulatory
frameworks governing liability for losses resulting from fraudulent use of credit cards. There is a
general principle that issuers are prohibited from charging consumers for losses incurred by
the fraudulent use of bank cards, including credit cards.[16] But whatever the principle says, it
seems that consumers are always in the weaker position.[17] For more than four decades,
issuers have been trying to shift every loss from credit card fraud to the consumers.[18] At the
time credit cards were introduced, the issuers had already put a strict but wide-ranging
clause in the contract to hold consumers fully responsible for all transactions they have
made.[19] Under those conditions, the consumers will in fact bear the
financial losses from the fraudulent use of their credit cards.

[13] Steennot, a Professor of Consumer Law at Ghent University, Belgium, has raised this question,
though only in relation to consumer protection in online contracts. However, this study will have a
different focus in elaborating the issues, among others focusing on liability in case of carding
regardless of whether the payment is made on-line or off-line, and comparing the liability regimes
on the subject in several countries. For details of consumer protection in the online world, see
Steennot, Reinhard n.d., Consumer Protection Relating to Contracts Concluded Online, Journal of Texas
Consumer Law, available at http://www.jtexconsumerlaw.com/V9N1pdf/V9N1european.pdf, last visited on
1 March 2009.
[14] These are the obvious parties involved in a credit card transaction scheme. Currently, a credit
card scheme involves one more party, a financial institution, which acts as an acquirer. For details
on this four-party credit card arrangement, see section 2.1 of this thesis.
[15] Drury, op. cit., p. 85-97. In his book, Drury provides evidence that the legal relationship between
parties involved in a credit card mainstream has never been questioned before the court in the UK.

1.2. Research Questions


Based upon the conditions described above, it is possible to sketch what a typical liability regime
in credit card frauds may look like. Using the methods described by Balboni on trustmarks,[20]
the scenario of credit card users suffering damage will be as explained below. In this
thesis, we use the scenario described by Balboni to explain how credit card users suffer damage
for the following reasons. First, nowadays, most online transactions use a credit card as
their payment method/instrument. Thus, the largest share of online transaction consumers
are credit card holders. Second, there is no doubt that consumers in online transactions and
credit cardholders have the same level of knowledge concerning the security of a transaction
method, and therefore they put their trust in the service providers or merchants to perform a
transaction; and finally, they stand in the same position to bear the potential losses resulting
from unauthorized transactions.

[16] For instance, two federal statutes in the US, the Electronic Funds Transfer Act 1978 and the
Consumer Protection Act 1970, regulate fraud losses from unauthorized use of credit and debit cards
to this effect. For a detailed discussion of this issue, see Gainer, op. cit., p. 2-4.
[17] This is one of the underlying issues of this thesis. In the analysis and comparative elaboration
of this thesis, we will discuss how laws and private network rules weaken the consumer’s position.
For a detailed discussion, see Chapters 3 and 4.
[18] Credit Cards: Distributing Fraud Loss, Notes and Comments, Yale Law Journal, June 1968.
[19] See Id.
[20] Balboni, Paolo, Trustmarks: Third-party Liability of Trustmarks Organizations in Europe, Tilburg
University, Tilburg, 2008, p. 14-18. In his dissertation, Balboni elaborates the underlying legal
issues in holding trustmark companies liable for losses resulting from unauthorized transactions
caused by unsecured infrastructures of online transactions provided by those companies.

A credit card holder, trusting the security, privacy and business practices promoted by
the merchant, decides to perform a transaction using a credit card as the payment method. To
complete the transaction, the credit card user must provide personal data to the merchant
together with the relevant payment details such as the credit card number, expiry date and
bank details.[21] The transaction may have succeeded, but then the consumer receives
overcharges in the billing statement, stating that she has made another transaction. It seems
obvious here that the consumer’s card has been fraudulently used to perform an unauthorized
transaction, but in fact it will be very difficult for the consumer to make a claim and have
those overcharges removed. Several regulatory barriers, such as the consumer’s obligation to give
notification when a card is lost or stolen, the consumer’s obligation to avoid negligence in using
credit cards as payment instruments, a presumption of extreme negligence applied in some countries,
questions on who should bear the burden of proof, and difficulties in providing evidence,
have placed the consumer in a very precarious situation. Do the laws themselves rule on the
situation explained above in favor of issuers, or is it merely the implementation of the laws
that ruins the balance?

To guide this study in a narrow path, the background above leads to the following legal
questions:

1. How do different legal jurisdictions rule on the liability for unauthorized transactions in
case of carding[22]?

To have a comprehensive input on liability in different legal jurisdictions, the study has
chosen to analyze regulatory frameworks in the US, at EU level, and in Australia.[23]

2. Do the laws on liability in case of carding in those different countries regulate the
position of the consumer in an adequate manner?

3. How can the rules on liability for losses resulting from carding in those
countries be improved?

[21] Balboni, Ibid.
[22] Carding refers to the unauthorized use of credit card account information to fraudulently purchase
goods and services. For a detailed elaboration on carding, see section 2.2. under the title “carding”.
[23] For details of the reasons why the US, EU and Australia have been chosen, see Section 3 of this
chapter.

1.3. Aim and Trigger

Ultimately, the goal of this thesis is to provide an analysis of laws on liability for losses
resulting from fraudulent use of credit cards in different legal systems. In the information age,
in which payment methods have developed rapidly, in particular since the introduction
of the internet and electronic commerce, the evaluation of such laws becomes greatly important
for all stakeholders in payment system activities, including consumers, authorities or
regulators, businesses, and financial institutions as service providers. The focus on
the adequacy of the existing laws and on how to improve them will in particular benefit
regulators in setting more balanced rules on liability allocation. This goal cannot
be separated from the fact that the author of this thesis works for Bank Indonesia, the central
bank of the Republic of Indonesia, which plays a role as a regulator and holds authority over
monetary policy and payment systems in Indonesia, and also the fact that Indonesian laws have not
yet set forth either a specific or a general rule of liability for losses resulting from unauthorized
credit card transactions. The elaboration of such issues in this thesis will greatly benefit
Bank Indonesia in ruling on the subject.[24]

Furthermore, this study has also been triggered by the personal experience of the researcher.
During finalization of this study, the researcher received a notification from Rabobank, the
bank where the researcher has savings accounts, stating that his card had been skimmed.[25] The
notification also states that the card has been blocked to avoid loss from unauthorized
transactions, and that the bank will send a new card within 5 days after notification and a new
PIN within 3 days afterward. Although the card in this case is a debit card[26] and Rabobank has
refused the researcher’s request to have a short discussion on the issue,[27] this personal
experience is evidence that nowadays skimming or other types of identity theft crimes can
easily occur. Thus, elaboration on how laws protect the parties involved in a payment card scheme,
specifically consumers, what the advantages and disadvantages of the legislation are, and how to
improve it is very important to prevent further damage to society and to increase
confidence in the use of credit cards as a payment instrument.

[24] Since 1996, Bank Indonesia has conducted research to regulate those issues as a part of fund
transfers policy. Now, in cooperation with the Department of Justice and Human Rights of the Republic
of Indonesia, Bank Indonesia is preparing a draft bill regarding Funds Transfer. The draft is now
being discussed by the government and the parliament. From 2003 to 2008, the author of this thesis
actively participated in preparing the draft.

1.4. Methodology
To answer the research questions described above, this thesis will be fully based on literature
research. The study will start off by reviewing the regulatory frameworks of liability regimes in
cases of carding in different countries: US, Australia and EU. They have been selected because:
(1) they represent areas where the use of credit cards as payment instruments is the biggest
among others,[28] (2) identity theft, which is usually the main source of credit card frauds
including carding, often happens, is conducted, or has victims in those areas,[29] and (3) each has
a different legal system and distinctions in regulating liability for the credit card consumer or
issuer, in particular when fraud occurs. The EU has issued a new Directive 2007/64/EC of 13
November 2007 on Payment Services in the Internal Market amending 4 Directives and
repealing 1 Directive.[30] This directive must be transposed into member states’ national laws
before 1 November 2009. Before this new Directive, there was only a non-binding
Recommendation 97/489/EC of 30 July 1997 concerning transactions carried out by electronic
payment instrument, which has not been very successful in Europe.[31] On the other hand, the
US has specific laws regulating the subject: the amendment of the Truth in Lending Act 1970
and Regulation Z, while Australia has “only” implemented soft law on the subject: the Australian
Electronic Funds Transfer Code of Conduct.

[25] See attachment 1 for details of Rabobank’s notification, which was received by email.
[26] A debit card is a payment card that directly connects to a savings account and needs a personal
identification number or a signature to perform a transaction. In this case, the card is a Maestro
card under the MasterCard International private network and uses a PIN to perform transactions. For
detailed information, see a copy of the card in attachment 2.
[27] See the researcher’s email requesting a discussion and the answering email from Rabobank’s
management in attachment 3.
[28] For detailed data on credit card use in these three countries see section 2.1.1-2.1.3.
[29] For a detailed discussion of identity theft see section 2.2.1-2.2.3, and for statistics on the top
ten countries where the victims of identity theft live see attachment 4 of this thesis.

1.5. Structure
As for the structure, this study will first give an overview of credit cards, an elaboration of
credit card frauds (e.g. identity and data theft, skimming, and account takeover), and an
explanation of carding. These will be discussed in Chapter 2. Subsequently, the study will
outline the regulatory frameworks of liability in case of carding in the US, EU, and Australia, in
Chapter 3. As a bridge to answering the research questions, Chapter 4 of the study will analyze
why such frameworks are not adequate. After having an understanding of the regulatory
frameworks of liability in case of carding in the US, at EU level, and in Australia, the study will be
confirmed by an in-depth comparative analysis among the three regulatory frameworks and
recommendations in Chapter 5. It will end with concluding remarks in Chapter 6.

30 This regulation will be elaborated in section 3.2.
31 Steennot, Reinhard, Allocation of Liability in Case of Fraudulent Use of an Electronic Payment
Instrument: The New Directive on Payment Services in the Internal Market, Computer Law and
Security Report 24 (2008) 555-561.

Chapter 2
Credit Cards, Credit Card Frauds, and Carding

To give a good understanding of the underlying issues on the topic, in this chapter we will have
a brief overview of what a credit card is, which parties are involved and what agreements they
use. It will then be followed by a description of the use of credit cards in the three different
countries chosen. Since the main problem of this thesis is liability for losses resulting from
credit card fraud transactions, it is also important to know what credit card frauds mean. Thus,
this chapter will also explain the definition of credit card frauds, including carding, and
elaborate on the frauds of credit cards in the US, EU and Australia.

2.1. Credit Card: An Overview


The term “credit card” was first introduced by Edward Bellamy in his 1887 utopian socialist
novel, Looking Backward.32 It was used to name a utopian payment instrument that can be
used to purchase goods by borrowing money. Besides Bellamy’s use of the term more than 120
years ago, what is a credit card? Nowadays, there are several definitions of a credit card. The
US Truth in Lending Act 1970 for instance defines a credit card as “any card, plate, coupon
book or other credit device existing for the purpose of obtaining money, property, labor or
services on credit”.33 It is, however, physically a flat, -by- piece of plastic engraved with a name
and an account number that allows its holder to perform two functions: (1) to transact quickly
and efficiently, and (2) to borrow a certain amount of funds to finance a specific purchase or
service34, a key feature that simultaneously enhances the utility and risks of credit cards.35

32 See Bar-Gill, Seduction by Plastic, Northwestern University School of Law, Northwestern, 2004, p. 1380-1381.
33 15 U.S.C.A. § 1602 (k)(1994). See also Reg. Z, 12 C.F.R. § 226.2(a)(15)(1998).
34 Bar-Gill, Supra note 32, p. 1380.
35 Porter, Katherine, The Debt Dilemma, Michigan Law Review, 2008, p. 1169.

Credit cards present a significant socio-economic phenomenon.36 The success of credit
cards manifests itself in a number of ways, including: (1) credit cards are the main instrument
in discretionary and entrepreneurial spending, (2) the underlying system of credit cards is less
expensive than other instruments such as checks, and (3) they are more profitable than those
other alternative instruments.37 From the perspective of cardholders, credit cards also offer
specific benefits that are useful in emergencies: ease of obtaining funds, lack of stigma at the
time of borrowing, and versatility or ease of use.38

Besides those benefits, credit cards also bring their own risks. The well-known risks of
credit cards are a rise in bankruptcies, financial distress, and declines in personal saving
rates.39 The real risks, however, are a set of social problems that, perhaps, go far beyond
credit cards themselves, including rampant consumerism, escalating indebtedness, pervasive
fraud and crime, invasion of privacy, dehumanization of our daily lives, and increasing
homogenization of the world’s culture.40

A credit card can gain a significant market share only if cooperation among a three-sided
network of participants is established: the financial institutions decide to issue it, consumers
decide to carry it, and merchants41 decide to accept it.42 However, a credit card transaction
may involve two, three, or four contracts between two, three or four parties. Since discussions
of liability cannot be separated from discussions of which party will be held liable,
elaboration on the parties involved in a credit card arrangement is necessary.

In the two-party credit card, the merchant and the issuer are the same person; thus there
are only two parties involved in this agreement, though one of those parties acts in
separate capacities.43 This scheme usually occurs in respect of cash withdrawal, when the
cardholder obtains cash directly from the issuer, and its use is very rare for the purchase of
goods or services.44 The three-party credit card is where there are three distinct parties, the
issuer, the merchant and the cardholder, all acting independently, so that three distinct
contracts are established.45 The first contract is a credit agreement between the issuer and the
cardholder, the second contract is a cooperation agreement between the issuer and the
merchant, and the third is a sale of goods or services agreement between the merchant and the
cardholder.46 Now that credit cards have become a worldwide payment instrument involving
many financial institutions, this three-party agreement has been expanded into a four-party
agreement.47 The additional party is another financial institution acting as
intermediary in credit card payment, often known as the acquirer.48 The four-party credit card
mechanism is described in Figure 2 below.

Figure 2 The Four-Party Arrangement of Credit Card Payment49

36 See Bar-Gill, Supra note 34, p. 1373-1374. In this article, Bar-Gill not only states that credit cards are
important, but also says that they are dangerous because their bad debt is a notoriously prominent
component of overall consumer debt and a leading culprit in consumer bankruptcy cases.
37 Watkins, John P., Book Reviews, Charging Ahead: The Growth and Regulation of Payment Card Markets by
Ronald J. Mann, Cambridge; New York, 2006, Journal of Economic Issues, December 2007, p. 1188-1190.
38 Littwin, Angela, Beyond Usury: A Study of Credit Card Use and Preference among Low-Income Consumers,
Texas Law Review, February 2008, p. 457-462.
39 Watkins, John P., Supra note 37.
40 Ritzer, George, Explorations in the Sociology of Consumption: Fast Food, Credit Cards and Casino, Sage
Publications, London, 2001, p. 71-107. In this book, Ritzer gives an in-depth elaboration on the sociological
impact of credit card use in the modern world. This can play a significant role in understanding the problem of
credit cards, including the increase of credit card frauds and crimes, which has a strong connection with the
underlying issues of this thesis.
41 For an excellent analysis of a theory of credit card acceptance by merchants, see Masters, Adrian and
Rodriguez-Reyes, Luis Raul, Endogenous Credit-Card Acceptance in a Model of Precautionary Demand for
Money, Oxford Economic Papers 57, Oxford University Press, 2004, p. 157-168. In this paper, Masters states
that credit card acceptance by merchants is embedded into a simple model of precautionary demand for
money.
42 Mann, Ronald J., Credit Cards and Debit Cards in the United States and Japan, Vanderbilt Law Review,
Volume 55, No. 4, May 2002, p. 1062. In this paper, Mann describes credit card growth and its problems in
two different countries: the US and Japan. Credit cards in Japan have had difficulty growing for several
reasons. Some that relate to this thesis are limited consumer protection laws and less success in preventing
fraud. The latter statement is based on the fact that the fraud rate of credit cards in Japan is much higher than
in the US. For a detailed elaboration on this issue, see Mann, Ronald J., Ibid, p. 1087-1093.
43 Jones, A. Sally, Supra note 6, p. 4-5.
44 See Id.
45 Ellinger, E.P., Lomnicka, E., and Hooley, R.J.A., Ellinger’s Modern Banking Law, Fourth Edition, Oxford
University Press, New York, 2006, p. 585-587.
46 See Id. See also Jones, A. Sally, Supra note 44, p. 4-5, 72-75, and 95-97. The latter reference also provides a
scheme of the three-party agreement.
47 For an excellent elaboration on four-party involvement in a credit card transaction, see Mann, Ronald J.,
Charging Ahead: The Growth and Regulation of Payment Card Markets, Cambridge University Press, New York,
2006, p. 20-28.

Besides the complexity of the credit card transaction scheme, the use of credit cards
also involves a huge number of people as consumers. Almost 400 million people are currently
involved as consumers of credit card payments in the US, EU and Australia alone. Each person
holds one or more credit cards50 issued by prominent financial institutions which are members
of the major worldwide networks such as Visa, MasterCard, American Express, Diners Club,
Discover and JCB. Thus, protection of this huge number of people is important to maintain
consumer confidence in credit cards as a reliable payment system instrument.
The use and growth of credit cards in those three different countries are described below.

48 See also Schudelaro, Ton, Electronic Payment Systems and Money Laundering, Risks and Countermeasures in
the Post-Internet Hype Era, Wolf Legal Publisher, The Netherlands, 2003, p. 165-166.
49 Mann, Ronald J., Supra note 47, p. 21.
50 A cardholder may hold more than one credit card. In the US, for instance, one cardholder possessed an
average of 6 credit card accounts in 1995 and more than 8 credit cards in 2006. See Szwak, David A., Credit
Cards in America, Vermont Bar Journal & Law Digest, October 1995, p. 38 for data in 1995, and the study
background in section 1.1 for data in 2006.

2.1.1 Credit Card Use in the US

The first credit card in the world was a charge card introduced in the US in 1950 by Diners
Club.51 Since then, credit cards have become the preferred payment instrument among US
citizens. Nowadays, credit cards in circulation in the US have reached 1.5 billion and are held
by almost 200 million people. The growth of credit cards in this country is also remarkable, in
particular the value of credit card transactions, which reached 1,950 billion USD in 2006,
an increase of 57% from 1,242 billion USD in 2000. Growth has been projected to continue
until 2010, by at least 5% for cardholders, 9% for cards in circulation, 41% for
transaction volume and 33% for credit card debt.52 The growth of credit cards in the US from
2000 to 2006, and the projection for 2010, can be seen in Figure 3 below.

[Chart showing cardholders (million), number of cards (million), volume of credit card purchase
(billion USD) and credit card debt (billion USD) in 2000, 2006 and 2010 (projected)]

Figure 3 Credit Card Growth in the US in 2000, 2006 and projection in 2010 53

51 For the historical use of credit cards in the US, see for instance Evans, David S., and Schmalensee, Richard,
Paying with Plastic: the Digital Revolution in Buying and Borrowing, Second Edition, The MIT Press, Cambridge,
Massachusetts, 2005, chapter 1, p. 1-24.
52 All data used in this section are based on The Nilson Report, Carpinteria, CA, as quoted by the US Census
Bureau, available at http://www.census.gov/compendia/statab/tables/09s1148.pdf, last visited on 23 June
2009.
53 This figure has also been made based on The Nilson Report, Carpinteria, CA. See Id.

2.1.2 Credit Card Use in the EU

The first credit card launched in the EU region was Barclaycard in the UK in 1966.54 It took off
relatively slowly until the Access card was launched in 1971 and reached 11.5 million cards in
circulation in May 1988.55 Since that time, credit cards have grown rapidly in the UK and
in other EU member states. From 2003 to 2007, the number of credit cards grew by an average
of 15.38% per annum and reached 142 million cards across the 27 member states.56 The
growth of issued credit cards in the EU region from 2003 to 2007 is shown in Figure 4 below.

[Chart showing the number of issued credit cards in the EU for 2003, 2004, 2005, 2006 and 2007]

Figure 4 Number of Issued Credit Cards in the EU from 2003-2007 57

2.1.3 Credit Card Use in Australia

Compared to the other two countries above, credit cards in Australia are less used. In 2000
credit card accounts in this country were still below 10 million and had not yet reached 15
million last year.58 It increased approximately 50% within 8 years. However, the volume and
value of transactions have grown significantly. The volume of credit card transactions in
Australia in 2000 was 680 million transactions and the value was 77.8 billion AUSD in the same
year. By 2008 the volume had increased by 112% to 1,454 million transactions,
and the value by 183% to 220.2 billion AUSD. Detailed data on credit card growth
in Australia are shown in Figure 5 below.

54 See Jones, Sally A., Supra note 46, p. 1.
55 See id.
56 All data used in this section are based on data provided by the European Central Bank on its website,
available at http://sdw.ecb.europa.eu/reports.do?node=1000001453, last visited on 23 June 2009.
57 This figure has also been made from data provided by the ECB on its website. See id.

[Chart showing number of credit accounts (in hundreds), transaction volume (in ten thousands)
and transaction value (in million AUSD)]

Figure 5 Credit Card Growth in Australia from 2000-2008 59

2.2. Credit Card Frauds and Carding

As explained in the previous sections, credit cards play an important role as the most preferred
payment system instrument among a huge number of people. However, they also bring their
own risks. One important risk concerns credit card fraud and the financial loss it
leaves, which we will discuss below.

58 These are based on data provided by the Reserve Bank of Australia (RBA) on its website, www.rba.gov.au.
Search “Payment System Statistic” and the data are available under “Credit Card Transactions”. The RBA does
not provide data on the number of credit cards in circulation but data on credit card accounts. It is important
to note that a single credit card account may have one or more issued credit cards. Thus, in reality the
number of issued credit cards in Australia is higher than the data mentioned in this paragraph.
59 This figure has been made from data provided by the Reserve Bank of Australia on its website, available at
http://www.rba.gov.au/PaymentsSystem/PaymentsStatistics/payments_data.html, last visited on 23 June
2009.

Credit card frauds involve various methods, such as fraudulent use of other people’s
credit cards (which refers to the use of burglary, robbery, invasion and collection of stolen
cards to find legal credit cards), credit card forgery, credit card application with forged
documents, use of credit cards for illicit financing, looking for authorization loopholes to
conduct scams, and frauds committed by the staff at financial institutions.60 These frauds sound
very abstract but they lead to the same goal, the desire of the fraudsters to gain financial
benefits. The methods of those frauds can be classified into at least two groups: “low-tech”
frauds using traditional methods and “hi-tech” methods.61

In traditional frauds, the fraudsters use manual methods to obtain a legal credit card to
perform transactions, such as pickpocketing, stealing or “dumpster diving”, while in “hi-tech”
methods the fraudsters employ technology to collect the information needed to perform credit
card transactions. In the latter methods, fraudsters usually compromise computer databases or
use the Internet,62 for instance spamming including Nigerian spam63, phishing64, skimming65,
cybersquatting66, typosquatting67, and sending a worm or virus such as a Trojan horse to the
cardholder’s computer to record their information, including PIN. The latter method is often
called identity theft.68 The methods fraudsters use to obtain consumer information to perform
their fraudulent transactions are shown in Figure 6 below.

60 See Yu-Feng, Ma, Tendency and Responses to Credit Card Fraud in Taiwan, Sweet & Maxwell Limited and
Contributors, 2005, p. 345-347.
61 See for instance Bradford, Terri and Cundliff, Bruce, Payment Fraud: Consumer Considerations, Payment
System Research Briefing, Federal Reserve Bank of Kansas City, May 2006, and Simon, Jeremy, Credit Cards,
Debit Cards and Payment Fraud, available at
http://www.creditcards.com/credit-card-news/credit-card-fraud-and-safety-of-your-cards-1276.php,
last visited on 10 July 2009.
62 For a comprehensive discussion on this, see for instance Smith, Marcia S., Identity Theft: the Internet
Connection, CRS Report for Congress, Congressional Research Service, The Library of Congress, 16 March
2005.
63 In this sense, the fraudster spams cardholders by sending unsolicited email to trick them into
giving the personal identity information needed to perform a transaction using a credit card, such as credit
card numbers, expiry dates, and the 3-digit credit card security codes. In the case of Nigerian spam, the
fraudsters pretend to live in Nigeria, to have a lot of money to be claimed, and, therefore, to need the
cardholders’ personal identity to claim the money. The fraudsters’ funds are, of course, only imaginary since
the aim of the fraudster is to steal cardholders’ identity.
64 Phishing is the term used to name the method explained in note 49. See Bradford, Terri and Cundliff, Bruce,
Supra note 61, p. 5. For an example of phishing, see attachment 5 of this thesis.
65 Skimming is the process of recording and making a copy of credit card information using a device called a
“skimmer”. The fraudsters swipe a legal credit card through the skimmer and all the data are copied and stored
in the device. To conduct a transaction, the fraudsters write the skimmed data onto a blank card. See
Bradford, Terri and Cundliff, Bruce, Id., p. 4.
66 The fraudsters create a fake but very similar website of a merchant or issuer, for instance bankmandiri.com (a
fake website) instead of bankmandiri.co.id (the genuine website). The display and all contents of the fake
website are made exactly the same as the genuine one. A negligent customer may overlook the details of the
website she wants to visit and mistakenly perform a transaction at the fake website. All transactions she has
made, including the personal information she has used, are then recorded by the fraudsters.
67 Typosquatting is similar to cybersquatting. In typosquatting, the fake website is made specifically for
cardholders who have mistyped the address of the website, for instance clickbca.com, cilckbca.com, or
kilkbca.com instead of the genuine website, klikbca.com.
68 For various discussions of identity theft, see Cheney, Julia S., Supra note 10, Fonté, Erin, Who should pay the
price for identity theft?, Federal Lawyer, September 2007, Menninger, Karl A., II, J.D., Supra note 1, Parker, Lori
J., Esq, Cause of Action for Identity Theft, Causes of Action Second Series, Database updated November 2008,
Smith, Marcia S., Identity Theft: The Internet Connection, CRS Report for Congress, Updated September 15,
2003, available at http://italy.usembassy.gov/pdf/other/RS22082.pdf., Welborn, Angie A., Identity Theft and
the Fair Credit Reporting Act: An Analysis of TRW v. Andrews and Current Legislation, CRS Report for Congress,
Updated September 12, 2003, available at http://assets.opencrs.com/rpts/RS21083_20030912.pdf, Welborn,
Angie A., Remedies Available to Victims of Identity Theft, CRS Report for Congress, Updated April 19, 2005,
available at http://lieberman.senate.gov/documents/crs/identitytheft.pdf, Are you a target for identity theft?,
Consumer Reports; Sep 1997; 62, 9; ABI/INFORM Global, pg. 10.

[Pie chart with the following shares]
Lost or stolen wallet, checkbook, or credit card: 31%
By friends, acquaintances, relatives, or in-home employees: 15%
Taken by a corrupt business employee: 15%
Stolen paper mail or by fraudulent change of address: 9%
Accessed as part of an in-store/on-site/mail/telephone transaction: 7%
Some other way: 7%
Stolen from a company that handles a consumer's financial data: 6%
Computer viruses, spyware, or hackers: 5%
Phishing: 3%
Online purchase: 1%
Garbage: 1%

Figure 6 How fraudulently used consumer information is obtained 69

It is important to note that identity theft is a big problem in countries where
payment systems are well developed, in particular since the Internet and online payment
were introduced. In the US, for instance, Consumer Sentinel70 reported 258,427
complaints of identity theft and 555,472 complaints of fraud without identity theft
in 2007.71 Victims of identity theft may incur damaged credit records, unauthorized cash
withdrawals from their credit account, and unauthorized charges on credit cards through
unauthorized point of sale transactions.72 The cardholder usually bears losses resulting from
these fraudulent transactions since in most cases the fraudsters are rarely held accountable
for criminal offences.73 There are a number of explanations for the lack of successful
prosecution, and one of them is the dependence on digital evidence.74 Discussion of the
unsuccessful prosecution of cyber criminals and the dependence on digital evidence, however, is
beyond the scope of this thesis.

69 Based on 2006 Javelin Strategy & Research as cited in Bradford, Terri and Cundliff, Bruce, Supra note 65, p. 1.
The sample size of the survey was 206 respondents, based on those who knew how their information was
obtained.

2.2.1 Carding

What is carding actually? What is the difference between carding and fraud? The term
“carding” refers to the unauthorized use of credit and debit card account information to
fraudulently purchase goods and services.75 To put it simply, fraud is the effort made by
criminals to steal cardholders’ information that can be used to perform a transaction, while
carding is the process in which the fraudsters use the information to perform a transaction,
gain financial benefits and leave financial losses to the credit card parties. However, the term
has evolved recently to include an assortment of activities surrounding the theft and
fraudulent use of credit card account numbers, including computer hacking, phishing,
cashing-out stolen account numbers, reshipping schemes, and Internet auction fraud.76 A person
who commits carding is referred to as a “carder”.

70 A network that collects information about consumer frauds and identity theft from the US Federal Trade
Commission and more than 125 other institutions.
71 Federal Trade Commission, Consumer Fraud and Identity Theft Complaint Data: January-December 2007,
report, Washington DC, February 2008, available at www.ftc.gov/opa/2008/02/fraud.pdf, last visited on 11
July 2009.
72 Welborn, Angie A., Remedies Available to Victims of Identity Theft, CRS Report for Congress, Congressional
Research Service, the Library of Congress, 19 April 2005, p. 1-11.
73 An in-depth elaboration of impediments to prosecution can be found in chapter 3 of Smith, Russell G.,
Grabosky, Peter and Urbas, Gregor F., Cyber Criminals on Trial, Cambridge University Press, 2004, as in
Chaikin, Supra note 11, p. 239-240.
74 See Chaikin, David, Id, p. 239.
75 Peretti, Kimberly Kiefer, Data Breaches: What The Underground World of “Carding” Reveals, Santa Clara
Computer and High-Technology Law Journal; Jan 2009; 25, 2; ABI/INFORM Global, p. 380. Although the
definition of carding applies widely, including to debit cards, in this thesis the term will be used only in
relation to credit cards.
76 See id, p. 381-382.

2.2.2 Fraud Detections

Knowing that a fraud has occurred is very important in defining liability. Thus, how can we
detect fraud? Fraud detection can be done in two ways: either outside detection or self
detection.77 In outside detection, the issuer or other related party provides notification to the
cardholder, for instance a direct notification from the issuer that the credit card has been
skimmed,78 or an indirect notification received from a debt collector when the debt has passed
the due date. On the other hand, in self detection the cardholder discovers the fraud
herself through some due diligence, for example when the cardholder reviews or monitors
billing statements, credit reports or the credit account, and finds suspicious transactions
that she has never made.79 Based on a survey in 2006, 53% of frauds were detected outside
and 47% of frauds were detected by the cardholder herself.80

[Pie chart: outside detection 53%, self detection 47%]

Figure 7 How fraud is detected 81

77 Bradford, Terri and Cundliff, Bruce, Supra note 69, p. 2.
78 This has been personally experienced by the thesis author. See Chapter I section 3 of this thesis for an
explanation of this experience, and see Attachment 1, the notification from Rabobank’s management
concerning the blocking of the author’s card that had been skimmed, for an example of a skimmed card.
79 See Bradford, Terri and Cundliff, Bruce, Supra note 77.
80 Based on 2006 Javelin Strategy & Research as cited in Bradford, Terri and Cundliff, Bruce, Id. The sample size
of the survey was 466 respondents, based on those who knew how identity fraud was obtained.
81 See Id.

To avoid further damage resulting from the unauthorized use of credit cards, it is
important to detect fraud as early as possible. A study found that the longer a fraud takes to
be detected, the greater the losses will be. See Figure 8 below for how the length of time
until fraud detection affects the losses.

[Chart: fraud amount ($) plotted against months (0 to 14)]

Figure 8 How length of time for fraud detection impacts fraud amount 82

Furthermore, late fraud detection can put the cardholder in a precarious situation in
denying the fraudulent transactions or in pursuing restitution for damages. In the case of TRW v.
Andrews, for instance, the US Supreme Court rejected the claim of Andrews, a victim of
identity theft, because she filed the lawsuit more than two years after TRW disclosed the
report (approximately 17 months after she became aware of inaccurate information on her
credit report).83 The US Fair Credit Reporting Act (FCRA) requires the cardholder to file suit
“within two years from the date on which the liability arises.”84 Learning from this case, it is
important for the cardholder to do due diligence on her credit reports, billing statements and
credit accounts to detect fraud as soon as possible in order to have the full protection of the law.

82 Based on 2006 Javelin Strategy & Research as cited in Bradford, Terri and Cundliff, Bruce, Id, p. 4.
83 See Andrews v. TRW as in Welborn, Angie A., Identity Theft and the Fair Credit Reporting Act: Analysis of TRW
v. Andrews and Current Legislation, CRS Report for Congress, Congressional Research Service, the Library of
Congress, 12 September 2003.
84 15 U.S.C.A. 1681p. See Welborn, Angie A., Id., p. 2.

Chapter 3
Regulatory Frameworks of Liability for Unauthorized
Transactions in Different Countries

In this chapter, we will discuss the regulatory frameworks of liability for losses resulting
from unauthorized use of credit cards in three different countries: the US, EU level and
Australia. Basically, two types of regulations apply here: public laws and private card network
rules.85 The analysis of regulatory frameworks in this chapter, however, will be mainly based
on the public laws for the following reasons: (1) public laws set forth minimum standards that
must be followed by the credit card parties; thus, the private card network rules cannot be
established at a protection level less than the rules required by public laws, (2) public laws
apply, are binding and enforceable for all types of private card networks within the country,
while private card network rules apply merely for the parties involved within its networks.86

3.1 US
3.1.1 Introduction

The US legislation governing liability for unauthorized transactions resulting from credit card
fraud consists of the amendment of the Truth in Lending Act 1970 (hereinafter TILA)87 and
Regulation Z enacted by the Board of Governors of the Federal Reserve System.88 These acts
contain provisions that invariably preclude credit card issuers from charging consumers for
fraudulent use of credit cards.89

85 For an insightful elaboration on this issue, see for instance Furletti, Mark and Smith, Stephen, The Laws,
Regulations, and Industry Practices that Protects Consumers Who Use Electronic Payment Systems: Credit and
Debit Cards, Discussion Paper, Payment Cards Center, Federal Reserve Bank of Philadelphia, January 2005. In
this paper, Furletti and Smith set out Visa and MasterCard rules as private card network rules.
86 There are at least five private credit card networks that have set up networks in more than one country. Those
are: Visa International, MasterCard International, American Express (Amex), Japanese Credit Bureau (JCB),
Discover, and Diners Club International. For an insightful and in-depth elaboration on these private credit
card networks, see Evans, David S., and Schmalensee, Richard, Supra note 51.
87 Pub. L. No. 91-508, § 502 (a), 84 Stat. 1114, 1126-27 (1970) (codified as amended at 15 U.S.C.A. §1643).
88 12 C.F.R. §226 (1998).

To deal with the increasing frequency, volume and complexity of credit card fraud,
US criminal law was also adapted.90 The TILA, for instance, was amended in 1970 to
include a federal credit card criminal provision.91 The US Congress subsequently amended this
section to prohibit the use and transportation of stolen or counterfeit cards, or the receipt of
items obtained by the use of such cards.92 It also set stiffer penalties for credit card
violations in the Credit Card Fraud Act of 1984 (CCFA).93 Issues of liability for credit card fraud
under criminal law, however, are beyond the scope of this thesis.94

3.1.2 Unauthorized Transaction


The US statue defines “unauthorized use” as the use of a credit card by a person other than
the cardholder who does not have actual, implied or apparent authority to use it and from
which the cardholder receives no benefit.95 This definition has drawn dissent interpretations
among state courts in the US. Many state courts interpret “unauthorized transaction” to
protect cardholders only against theft, loss, or similar wrongdoing; thus the cardholder is liable
for all charges incurred made by another person who has received a credit card from and been
granted by cardholder to use it. Yet, not all state courts in the US agree that a cardholder is

89
Beside these legislations, the US has Electronic Funds Transfer Act of 1978 and Regulation E applied for debit
card transactions. Issue on liability for losses resulting from unauthorized use of debit cards, however, is
beyond the scope of this thesis.
90
For a short description on this issue, see for instance Matthews, Mary Elizabeth, Credit Card: Authorized and
Unauthorized Use, Annual Review of Banking Law, 1994, p. 246-247.
91
See Supra note 87.
92
Pub. L. No. 93-495, § 414, 88 Stat. 1500, 1520 (1970) (codified as amended at 15 U.S.C.A. §1644).
92
Pub. L. No. 98-473, § 1602 (a), 98 Stat. 1837, 2183 (1970) (codified as amended at 18 U.S.C.A. §1029).
93
See a brief elaboration on this statute in section 3.1.5.1.
94
To have a comprehensive understanding of the US legal framework, however, other legislations relating to the
liability of credit card frauds will be briefly elaborated under section 3.1.5.
95
15 U.S.C.A. § 1602 (o). For detail elaborations on this issue, see Menninger, Supra note 68, p. 9-10, Matthews,
Mary Elizabeth, Supra note 90, and also Hostetter, Major, Credit Card Liability: But I Told Him (Her) Not to
Charge That Much!, Army Lawyer, October 1991, p. 45-48.

held liable for another person’s charges after the cardholder informs the issuer that she
granted this person only limited authority to use the card and this person subsequently abused
that privilege.96 Given this broad interpretation of the term “unauthorized use” of a credit card, it
is important to note that the analysis of this thesis is limited to the subject of liability for
unauthorized transactions resulting from credit card fraud. The terms
“unauthorized use of credit cards” and “fraudulent use of credit cards” will be used
interchangeably here. Liability for unauthorized use of a credit card granted to
a person other than the cardholder, without any fraud occurring, is beyond the analysis of
this thesis.

Scope

The proscriptions against unauthorized use or counterfeit use of credit cards or access devices
apply to: (1) a cardholder who uses a credit card with intent to defraud the issuer, and (2) a
third party who obtains the card from the cardholder with intent to defraud the cardholder.97
Furthermore, the rules also apply to the physical use of lost or stolen credit cards, and to the fraudulent
use of credit card information, including credit card numbers and expiration dates used in
card-not-present transactions over the internet.98 Card-not-present is the term for
transactions that use a credit card as a payment instrument indirectly, by communicating
card information such as the card number, its expiry date, and the 3 digit security
number. Examples of these transactions are mail order-telephone order transactions (often
known as MOTO) and online transactions over the internet.99

96
For instance, in Alabama, notifying the credit card issuer of restrictions on the use of a credit card will not protect the
cardholder from subsequent charges. In Louisiana and Ohio, however, the cardholder’s liability is limited
after she notifies the issuer that a second party is making unauthorized charges. For detail, see Hostetter, Id., p.
46.
97
See US v. Jacobowitz, 877, F.2d 162 (2d Cir. 1989).
98
See Furletti, Mark and Smith Stephen, Supra note 85.
99
For elaboration on MOTO, online transactions or other card-not-present transactions see for instance
Prevention Guidelines for Card-not-present Retailers, Association for Payment Clearing Services, London, 2002,
available at http://www.netpayments.co.uk/downloads/cnp_booklet.pdf and Visa’s explanation on card-not-present
transactions available at http://usa.visa.com/merchants/risk_management/card_not_present.html.
Those websites were last visited on 8 August 2009.

3.1.3 Liability for Unauthorized Transaction

The US laws limit liability for unauthorized credit card use.100 A cardholder is
liable for a maximum of USD 50 for the unauthorized use of a credit card, and this provision
applies only if:
(1) The card is an accepted credit card,101
(2) The credit card issuer has given the cardholder adequate notice of the potential liability,102
(3) The credit card issuer has given the cardholder a way to notify the issuer of the loss or
unauthorized use of a card, such as a toll-free phone number imprinted on the back of the
card,103
(4) The unauthorized use occurs before the cardholder has notified the issuer of the card,104
(5) The issuer has provided a method of identification of the cardholder.105

The cardholder bears no liability if one of the conditions above is not fulfilled, for
instance when the unauthorized use of the credit card occurs after notification.106 The burden
of proof to show that each of those conditions has been satisfied is on the credit card issuer.107

100
See 15 U.S.C.A. § 1643. See also 12 C.F.R. § 226.12(b), part of Regulation Z, the Truth in Lending Regulations
promulgated by the Board of Governors of the Federal Reserve Bank of the US. The federal law also provides
criminal penalties for fraudulent use of credit cards and credit access devices but the elaboration on those is
out of the scope of this thesis.
101
15 U.S.C.A. § 1643 (a)(1)(A); 12 C.F.R. § 226.12(b)(2)(i). It rules that the cardholder must have requested,
received, and signed, or used the card for it to be considered accepted. See U.S.C.A. § 1602 (l).
102
15 U.S.C.A. § 1643 (a)(1)(C); 12 C.F.R. § 226.12(b)(2)(ii).
103
15 U.S.C.A. § 1643 (a)(1)(D); 12 C.F.R. § 226.12(b)(2)(ii).
104
15 U.S.C.A. § 1643 (a)(1)(E); 12 C.F.R. § 226.12(b)(3).
105
15 U.S.C.A. § 1643 (a)(1)(F); 12 C.F.R. § 226.12(b)(3).
106
See 15 U.S.C.A. § 1643 (a)(1)(E); 12 C.F.R. § 226.12(b)(3). For short discussion on this provision, see Menninger,
supra note 32, and also Gainer, Supra note 95, p. 44-46.
107
15 U.S.C.A. § 1643 (b); 12 C.F.R. § 226.12(b).

3.1.4 Notification

Under the US laws, a cardholder’s notification of the loss, theft or misappropriation of a card plays a
significant role in defining liability: who will be held liable and under which circumstances.
Once the cardholder has notified the issuer of the loss or theft of her card, she cannot be held liable
for any losses resulting from the use of the lost or stolen device. However, if the cardholder
has forgotten to notify the issuer of the loss or theft of her card, she is liable for the losses, but only up to a
maximum of USD 50. Under this rule, it is not relevant whether the cardholder has acted
negligently.108

Since notification plays an important role, the US laws require the issuer to provide a
means of notifying it of any loss or theft of credit cards. If the issuer fails to meet this
requirement, the cardholder cannot be held liable.109

3.1.5 Other Related Legislations

Besides TILA and Regulation Z, there are several other pieces of legislation in the US relating to the
fraudulent use of credit cards. Although this thesis focuses only on civil liability
for losses resulting from fraudulent use of credit cards, we will briefly describe this
other related legislation in order to give a comprehensive understanding of the scope of the liability
laws in the US.

3.1.5.1 The CCFA

The CCFA was enacted in 1984.110 This legislation was enacted in response
to significant increases in credit crimes and to expand federal jurisdiction in combating credit

108
For a short discussion on this issue, see Stennot, Fraudulent Payment Transactions, Allocation of Liability in
case of Fraudulent Use of an Electronic Payment Instrument: the New Directive on Payment Services in the
Internal Market, Computer Law & Security Report 24, 2008, p. 560.
109
15 U.S.C.A. § 1643 (a)(1)(C); 15 U.S.C.A. § 1643 (a)(1)(F). See supra note 102 and 105.
110
Pub. L. No. 98-473 § 1602, 98 Stat 1837, 2183-84 (1983) (codified as amended at 18 U.S.C.A §1029).

crimes.111 Therefore, this statute defines which activities constitute credit card crimes and the
punishment for each. In detail, the CCFA criminalizes the following activities: (1) the use of
one or more counterfeit access devices,112 (2) the use of one or more unauthorized access
devices to obtain, during any 1-year period, anything of value aggregating USD 1.000 or
more,113 (3) the possession of 15 or more counterfeit or unauthorized access devices,114 and
(4) the possession or use of device-making equipment.115 Furthermore, punishments for each
behavior defined by the CCFA vary from (a) a fine, with a maximum amount of USD 10.000, or USD
50.000, or USD 100.000, or twice the amount of the value obtained by the offense, or (b)
imprisonment, with a maximum term of 10 years, or 15 years, or 20 years, or (c) both fine and
imprisonment, depending on whether the act occurs before or after a conviction for another
similar offense.116

3.1.5.2 Fair Credit Billing Act (FCBA)

The FCBA was enacted on 28 October 1974 as an amendment to TILA.117 Its purpose is “to protect
the consumer against inaccurate and unfair credit billing and credit card practices”.118 This
statute establishes a procedure for resolving billing errors in consumer credit transactions. It
defines “a billing error” to include unauthorized charges and some other suspicious charges

111
See Kruk, Theresa L., J.D., What Constitutes Violation of 18 U.S.C.A. § 1029, Prohibiting Fraud or Related
Activity in connection with Credit Card or Other Credit Access Device, American Law Report, Thomson Reuters.
2009.
112
18 U.S.C.A §1029(a)(1).
113
18 U.S.C.A §1029(c)(2).
114
18 U.S.C.A §1029(c)(3).
115
18 U.S.C.A §1029(c)(4).
116
18 U.S.C.A §1029(c)(1)- 18 U.S.C.A §1029(c)(3).
117
Pub. L. 93-495, 88 Stat. 1500, H.R. 11221.
118
15 U.S.C.A. § 1601(a).

made by the issuer.119 Furthermore, a consumer is able to file a claim with the creditor to
resolve billing errors under the FCBA. Until the alleged billing errors have been settled, the
consumer is not required to pay and the issuer may not attempt to collect the payment.120
The FCBA sets forth the procedures for dispute resolution and therefore requires an
investigation of claims from the consumer. If the alleged billing errors are finally found
to have occurred, the issuer is obliged to make a correction and refund the full amount to the
consumer.121 In summary, this law provides fundamental provisions that allow cardholders to query
any suspicious transactions, specifically those resulting from fraudulent use of credit cards, and
to withhold payment for those transactions until they have been resolved. It also prevents the
issuer from collecting payment for unresolved transactions and forces it to make any
annulments and refunds if the errors occurred.

3.1.5.3 The FCRA

The FCRA was enacted on 26 October 1970122 and amended by the Fair and Accurate Credit
Transactions Act of 2003 (FACTA).123 It establishes a consumer’s rights in relation to her credit
report and imposes certain responsibilities on the “consumer reporting agencies”.124
Specifically, the FCRA applies to the data maintained by consumer reporting agencies, a term broadly defined to include
anyone in the business of furnishing reports on the credit worthiness of consumers to third

119
15 U.S.C.A. § 1666(b); 12 C.F.R. 226.13(a). Other suspicious charges include, for instance, charges for goods or
services not accepted by the consumer or charges for which the consumer has asked for an explanation or
proof.
120
15 U.S.C.A. § 1666(c); 12 C.F.R. 226.13(d)(1).
121
15 U.S.C.A. § 1666(a); 12 C.F.R. 226.13(e).
122
Pub. L. No. 91-508, tit. 6, § 601, 84 Stat 1128 (codified as amended at 15 U.S.C.A §1681)
123
Pub. L. 108-159, § 117 Stat. 1952. The FACTA amended the specific provisions regarding the credit reporting
industry in the FCRA. See a brief elaboration on the FACTA on the next section.
124
Those that collect, furnish, and use the information contained in a consumer’s credit report. They are also
commonly known as credit bureaus or credit reporting agencies.

parties.125 Concerning protection for the cardholder in credit card transactions, which is one
of the underlying issues of this thesis, the FCRA allows consumers to file lawsuits for violations of the
FCRA, including suing consumer reporting agencies for disclosing inaccurate information about
those consumers.126 According to this provision, a credit card holder who is a victim of credit
card fraud could file suit against a credit bureau for its failure to verify the accuracy of
information contained in the report and for its disclosure of inaccurate information as a
result of the consumer’s stolen identity. Thus, in the US not only can a cardholder seek a remedy for
the losses resulting from unauthorized or fraudulent use of her credit card under TILA, but she
is also able to sue a credit reporting agency for disclosing inaccurate information about her debt
under the FCRA.

3.1.5.4 The FACTA

As described above, the FACTA amended the FCRA concerning the specific provisions on the
credit reporting industry.127 It perhaps contains the most exhaustive provisions in the US
federal laws directed at identity theft.128 The statute aims to protect the privacy of the
information in a consumer’s credit report, assist victims of identity theft, and prevent
fraudulent credit transactions. In detail, the FACTA obliges credit reporting agencies to
enhance punishments for identity theft and to provide assistance for the victims.129 Many
provisions in this act require implementation by the Federal Trade Commission (FTC) and the

125
For a brief yet excellent elaboration on the FCRA, see Lee, Margaret Mikyung, Fair Credit Reporting Act: Rights
and Responsibilities, CRS Report for Congress, Congressional Research Service, The Library of Congress, 4 May
2007.
126
15 U.S.C.A. § 1681(n) and 15 U.S.C.A. § 1681(o).
127
See supra note 123.
128
Welborn, Angie A., Identity Theft: The Internet Connection, CRS Report for Congress, Congressional Research
Service, The Library of Congress, 16 March 2005, p. 6.
129
See implementation of the FACTA as discussed in Welborn, Angie A., and Chu, Grace, Implementation of the
Fair and The Accurate Credit Transaction (FACT) Act of 2003, CRS Report for Congress, Congressional Research
Service, The Library of Congress, 3 February 2005.

federal banking agency.130 Among the detailed provisions relevant to this thesis are
the law’s requirements for credit reporting agencies to follow certain procedures regarding
when to place, and what to do in response to, fraud warnings on consumers’ credit files,
including fraud alerts resulting from credit card transactions. Cardholders who have
been victims of fraud, or expect they may become victims, are now able to have fraud alerts
placed in their files.131 To do so, a cardholder may request a fraud alert from one credit
reporting agency, and that agency is obliged to notify the other similar nationwide agencies of
the existence of the alert. Fraud alerts will be maintained in the file for 90 days, but the
cardholder may request an extension.132

Moreover, the FACTA requires credit card issuers to follow certain mechanisms if
additional cards are requested within 30 days of a notification of an address change by a
cardholder, and requires the truncation of credit card numbers on electronically printed receipts.133
Although it does not directly address the problems of liability allocation for fraudulent use of credit
cards, this statute is of great value in imposing detailed yet important obligations on credit
card issuers and credit reporting agencies to make sure that they have taken all measures
to prevent fraud and protect cardholders from it.

3.1.5.5 Identity Theft Acts

In addition to the laws on liability allocation and other supporting legislation described
above, there are also laws on identity theft, which are important for defining identity theft and
its scope. These laws, consisting of the Identity Theft Assumption and Deterrence

130
The Federal Reserve System.
131
Pub.L. 108-159, Section 112.
132
See Welborn, Angie A., Remedies Available to Victims of Identity Theft, CRS Report for Congress, Congressional
Research Service, The Library of Congress, 19 April 2005, p. 3-4.
133
See implementing regulation of the FACTA issued by the FTC on 24 June 2004, final rule regarding the proper
disposal of consumer report information and records issued by the FTC on 24 November 2004, and two model
notices published by Board of Governors of the Federal Reserve System on 15 June 2004.

Act134 and Identity Theft Penalty Enhancement Act135, prohibit any frauds in connection with
identification documents under a variety of circumstances136 and make them federal crimes.137

3.1.6 Case Laws

Court decisions regarding unauthorized use of credit cards in the US can be classified into two
regimes. The first regime is cases which had been decided by the courts before the enactment
of the 1970 amendment of the TILA, while the second regime is those which took place after
the enactment of the TILA. To have a better understanding of the US regulations, we will
discuss both of the regimes.

3.1.6.1. Case Laws before the TILA

Prior to the enactment of the TILA, agreements between the cardholder and the issuer
governed the liability for unauthorized transactions, including those resulting from fraudulent
use of credit cards.138 In principle, most agreements at that time put the cardholder in a weak
position by placing the burden of losses, resulting from fraudulent use of credit cards, on the
cardholder. Specific provisions had been made and inserted in the credit card’s usage
agreement which stated that the cardholder was liable for all charges to her credit account
until she had returned the physical card to the issuer.139 There was no limitation of the
cardholder’s liability as is now regulated and enforced by the TILA. At that time, the cardholder
had great difficulty denying a fraudulent transaction, in particular when her credit card had been
lost or stolen.

134
Pub. L. 105-318, 112 Stat. 3007 (1998).
135
Pub. L. No. 108-275 (2004).
136
Including offense relating to the theft of public money, property, or rewards; theft, embezzlement, or
misapplication by a bank officer; and obtaining personal information by false pretense. See 18 U.S.C.A §
1028A(c).
137
18 U.S.C.A. § 1028(c).
138
See Clark, Stephen C., Walker Bank & Trust Co. v. Jones: New Meaning for the Phrase “Don’t Leave Home
Without It, Utah Law Review, 1984, p. 866.
139
See Clark, Stephen C., Id.

Court decisions in the era prior to the enactment of the TILA were mixed. In Uni Serv
Corp. v. Vitiello, for instance, the court strictly enforced the contractual clauses by holding the
cardholder liable for a pre-notification charge made by a thief, even though it exceeded the
credit limit.140 Another court decision justified this stance by holding a cardholder liable for
unauthorized transactions made by a thief in the case of Sears, Roebuck & Co. v. Duke.141 The
worst part of this case was that the judge held the cardholder liable although she did not
know that her cards had been stolen and she was not negligent in notifying the issuer.142 On the other
hand, another court decision refused to strictly enforce the contract. The Oregon Supreme
Court, for instance, rejected the plaintiff’s claim in Union Oil Co. v. Lull to strictly
enforce liability clauses because the issuer had failed to prove the authority of the person who
presented the credit card. The court remanded the case for a determination of the issuer’s
negligence. In some other cases, the court determined the liability allocation by considering
negligence, regardless of the liability provisions agreed by the parties.143

These conflicting court decisions led to confusion and therefore gave the government
sufficient reason to amend the law. That is why the 1970 amendment of TILA
limits cardholder liability for unauthorized transactions, although the limitation
applied is overwhelming.144

3.1.6.2. Case Laws after TILA

As previously described, TILA offers certain protections for the cardholder in case
fraudulent use of credit cards occurs. Since TILA came into force, court decisions have followed TILA’s rules

140
See Uni Serv Corp. v. Vitiello, 53 Misc.2d 396, 278 N.Y.S.2d 969 (1967).
141
Sears, Roebuck & Co. v. Duke, 441.S.W.2d 521 (1969).
142
See Id.
143
In Gulf Ref. Co. v. Plotnick, 24 Pa. D. & C. 147 (1935) and Wanamaker v. Megary, 24 Pa.D. 778 (1915), the
negligent cardholders were held liable, while in Gulf. Ref. Co v. Williams Roofing Co., 208 Ark. 362, 186 S.W.2d
790 (1945) and Humble Oil & Ref. Co v. Waters, 159 So.2d 408 (1963), cardholders were not held liable
since the issuers were at fault.
144
See section 3.1.7 for the reason why the limitation of the cardholder’s liability applied in the US is
overwhelming.

in determining whether a transaction is authorized. If the courts find that the card bearer has
“actual, implied or apparent authority”, they will decide that the transactions made by
that person were authorized. This determination is reflected in the cases of Walker Bank & Trust v.
Jones, Harlan v. First Interstate Bank of Utah, and American Express v. Web.145

With regard to certain frauds, the court decided in First National Bank of
Commerce v. Ordoyne that the credit card holder was not liable when someone else forged
the cardholder’s name on a credit card application and the cardholder knew nothing
about it until she found that the bills charged her for transactions she had never made.146 In
this case, the fraud was an application fraud. Moreover, American courts have also
consistently held that the issuer must exercise reasonable care and perform due diligence prior to
approving a credit card application.147 Part of this exercise is to scrutinize the
information underlying the application, including the identity and authority of the
applicant.148 The courts also determined that the issuer held a better position in preventing
and stopping “application fraud”.149

Another decided case concerns unauthorized use of unsolicited credit
cards. In American National Bank v. Rathburn, the court decided that a cardholder
who had received an unsolicited credit card and never used it, and whose ex-wife then took the
credit card and used it to make transactions without explicit or implicit permission from her
145
See Walker Bank & Trust v. Jones, 672 P.2d 73, 76 (Utah 1983); Harlan v. First Interstate Bank of Utah, 672
P.2d 73 (Utah 1983); and American Express v. Web, 405 S.E.2d 652 (Ga. 1991).
146
See First National Bank of Commerce v. Ordoyne, 528 So.2d 1068 (La. App. 5th Cir. 1988), writ denied, 532
So.2d 179 (La. 1988).
147
See First National City Bank v. Mullarkey, 385 N.Y.S. 2d 473, 87 Misc.2d 1 (N.Y. Cir. Ct. 1976); TransAmerica
Insurance Co. v. Standard Oil Co., 325 N.W.2d 210 (N.D. 1982); and Beard v. Goodyear Tire & Rubber Co., 587
A.2d 195 (D.C. App. 1991).
148
See TransAmerica Insurance Co. v. Standard Oil Co., 325 N.W.2d 210 (N.D. 1982) and Beard v. Goodyear Tire &
Rubber Co., 587 A.2d 195 (D.C. App. 1991).
149
See American Airlines v. Remis Industries, 494 F.2d 196, 201 (2d Cir. 1974) and First National Bank Mobile v.
Roddenberry, 701 F.2d 927 (11th Cir. 1983).

ex-husband, was not liable for all charges made by his ex-wife. The court classified the
transactions made by the ex-wife as “unauthorized transactions”.150

Besides endorsing the TILA rules on what should be categorized as “unauthorized
use” and fraud, the American courts have also determined that the burden of proving whether a
transaction is authorized is on the issuer. This can be found in the cases of Fifth Third Bank/Visa v.
Gilbert, Cities Services v. Pailet, and Michigan National Bank v. Olsen.151

In summary, we can conclude from the cases explained above that court decisions
after TILA are more consistent with one another than those before TILA. This is proof that clear and
comprehensive regulations can lead to homogeneity and avoid confusion in court decisions.

3.1.7 Evaluation/Drawback

It is apparent that the US laws on liability for unauthorized use of credit cards offer consumer
protection at the maximum level. As described previously, a cardholder in the US
has very limited liability for losses resulting from fraudulent use of credit cards: she is not
liable for any transactions that occurred after the notification,152 and she is liable for a maximum of USD
50 for transactions that occurred before the notification.153 We will evaluate this regime of
protection, in particular its pitfall, but first we have to know why the US laws regulate the
liability allocation in the cardholder’s favor.

There are at least two reasons why the US laws regulate the liability allocation in the
cardholder’s favor. First, the issuer holds a better position, either financially or in
other respects, to absorb the loss resulting from unauthorized transactions. Moreover, the issuer
of credit cards operates the system that processes transactions and therefore also has a better
150
See American National Bank v. Rathburn, 264 S.2d 360 (La. App. 1972).
151
See Fifth Third Bank/Visa v. Gilbert, 478 N.E.2d 1324 (Ohio App. 1984); Cities Services v. Pailet, 452 So.2d 319
(La. App. 4th Cir. 1991); and Michigan National Bank v. Olsen, 723 P.2d 438 (Wash. App. 1986).
152
See section 3.1.4 for the detail discussion on notification.
153
See section 3.1.3 for the detail description on this issue.

position to know, monitor or prevent the occurrence of unauthorized transactions.154 In this
respect, the legislator argues that the issuers must be responsible for the losses resulting from
the frauds. Second, the laws in force before the amendment of TILA put the
consumer in a weak position, since most courts at that time enforced the contractual liability
provisions and held the cardholder liable for all charges in her credit account until the card was
surrendered to the issuer. It was irrelevant whether the transactions were made by an authorized
person or resulted from fraudulent use of lost or stolen cards. The legislator thought that it
was the right time to remove the inequities of the laws and make them more balanced
by limiting the liability of the cardholder.

We are now in a position to evaluate this regime of protection. It seems that the
legislation gives the maximum level of protection to the cardholder against unauthorized use of
credit cards. However, if we consider the efficiency of the payment system, the interest of
consumers as a whole, the market, the economy, society, and the utilitarian point of view, this
maximum level of protection is not the best solution. The laws failed to set any limitation regarding
the cardholder’s liability, in particular a time limit for giving notification of lost, stolen
or fraudulently used credit cards. Thus, there is no significant difference in protection between a
sound, prudent cardholder and a negligent cardholder. The laws, furthermore, have justified and
immunized negligence.

Why does such a regime bring no benefit for an efficient payment system, consumers as a
whole, the market, the economy, and society? It goes like this. The issuer will absorb the losses
resulting from unauthorized use of credit cards caused by the negligent consumer. Remember,
the longer it takes for cardholders to notify the issuer of unauthorized use of credit cards,

154
For an in-depth discussion on the argument that a credit card issuer has a better position –in information and
control—with regard to the occurrence of fraudulent use of credit cards rather than a cardholder so that it is
desirable to burden the loss resulting from those frauds on the issuer, see Credit Cards: Distributing Fraud
Loss, Notes and Comments, Yale Law Journal, June 1968 (Supra note 18). This article was published in 1968,
just two years prior to the enactment of the 1970 amendment of the TILA.

the bigger the losses will be.155 Thus, the more negligently the cardholder acts, the greater the
damages will be. The issuer, however, will not remain static. In a competitive environment,
the issuer, which is a profit-oriented financial institution, will seek to shift the cost of consumer
negligence back into the consumer credit card system through higher fees and charges.156 Thus,
this regime places additional yet unnecessary burdens on other consumers. It also
has a negative influence on the market pricing system by increasing costs and therefore
creates a severe obstacle to an efficient payment system. To make it worse, if we believed
that consumer negligence correlated well with other subclasses of consumers who need
protection, for instance the elderly or the poor, then we might justify the subsidy on
unfair distributive justice grounds.157 Thus, from a utilitarian point of view, this regime could
not be considered sound legislation for society, since it focuses on the interest of
particular individuals (those who acted with gross negligence) and ignores the payment system
society (consumers as a whole, efficiency of the systems).

3.1.8 Conclusion

The US laws present the most comprehensive legislation in determining liability for
unauthorized transactions of credit cards. They comprise not only laws on liability allocation for
losses resulting from the fraudulent use of credit cards, but also supporting legislation
defining the scope of authorized and unauthorized transactions, laws on fraud including
identity theft, and regulations on how victims can seek remedies for their loss. Furthermore,
the US laws also give protection to the consumer at the highest level. Since credit cards are
one of the most preferred non-cash payment instruments in that country --approximately 1.5
155
See Figure 8 How length of time for fraud detection impacts fraud amount, under section 2.2.
156
For an insightful elaboration on this issue, see Gillette, Clayton P., and Walt, Steven D., Uniformity and
Diversity in Payment Systems, Chicago-Kent law Review, 2008. In this article, however, Gillette does not
specifically discuss the pitfall of law on credit cards but rather compares laws on several difference payment
instruments such as debit and credit cards, checks, letter of intent and wholesale transfers.
157
See Id, p. 538-539.

billion in circulation and owned by almost 200 million citizens--, it is easily understood that
the US laws rule in the consumer’s favor.

With regard to liability allocation provisions, the laws provide for limited liability for
cardholders when the card has been fraudulently used. The cardholder has no liability for any
transactions occurring after she has notified the issuer of the loss, theft, or fraudulent use of
the credit card. For transactions occurring prior to the notification, the cardholder’s liability is
limited to a maximum of USD 50. However, this kind of ‘perfect’ protection has a pitfall. The laws
failed to set a time limit for the notification and therefore give almost the same level
of protection to prudent cardholders and to those who have acted negligently by
delaying or, at worst, never notifying the issuer of any fraud. The loss caused by
these negligent cardholders will then be absorbed by the issuer, which, in the end, will seek
to shift the cost back to all credit card consumers through higher charges. On
distributive grounds, this rule is inequitable for other subclasses of consumers such
as the elderly and the poor, and from a utilitarian point of view, this regulation is not desirable,
since it focuses only on the interest of a few people by immunizing negligence and
ignores the interest of society as a whole.

3.2 EU
3.2.1. Introduction

At the EU level, liability for unauthorized transactions is dealt with by Directive 2007/64/EC of
the European Parliament and of the Council of 13 November 2007 on payment services in the
internal market (hereinafter Payment System Directive or PSD). The PSD amends
Directives 97/7/EC,158 2002/65/EC,159 2005/60/EC160 and 2006/48/EC161 and repeals

158 Of 20 May 1997 concerning the protection of consumers in respect of distance contracts.
159 Of 23 September 2002 concerning the distance marketing of consumer financial services and amending
Council Directive 90/619/EEC and Directives 97/7/EC and 98/27/EC.
160 Of 26 October 2005 concerning the prevention of the use of the financial system for the purpose of money
laundering and terrorist financing.


Directive 97/5/EC162.163 With the enactment of the PSD, the EC introduced, for the first time,
binding rules concerning the allocation of liability in case of fraudulent use of payment
instruments including credit cards.164 Before the PSD, there was only a non-binding
Recommendation 97/489/EC of 30 July 1997 concerning transactions carried out by electronic
payment instruments and in particular the relationship between the holder and the issuer
(hereinafter the EFT Recommendation),165 which has not been very successful in Europe.166
The PSD must be implemented into all member states’ national law before 1 November
2009.167

The principle adopted by the PSD is maximum harmonization. Thus, member states are
not allowed to implement a more stringent level of protection for the cardholder in their national
regulations.168

3.2.2. Unauthorized Transaction

According to article 54.1 of the PSD, a payment transaction is considered to be authorized only
if the cardholder has given consent to execute the payment transaction.169 In the absence of
such consent, a payment transaction must be considered unauthorized. Consent in this

161 Of 14 June 2006 concerning the taking up and pursuit of the business of credit institutions.
162 Of 27 January 1997 on cross-border credit transfers. The PSD was published through Official Journal of the
European Union L 319, 5 December 2007 p. 1-36.
163 See Official Journal of the European Union L 319, 5 December 2007 p. 1-36.
164 See Steennot, Reinhard, Supra note 31, p. 555.
165 Official Journal of the European Union L 208, 2 August 1997, p. 52.
166 Only Belgium adopted the EFT Recommendation into its national law: act of 17 July 2002, while Denmark
already had Payment Cards Act of 1984 which was replaced by the Act of Certain Payment Instruments of 31
May 2000, a similar rule to the EFT Recommendation. For a detailed elaboration on this, see Steennot,
Reinhard, Supra note 164.
167 Article 94.1 of the PSD.
168 For an excellent elaboration on this issue, see Mavromati, Despina, the Law of Payment Services in the EU, the
EC Directive on Payment Services in the Internal Market, Kluwer Law International, The Netherlands, 2008.
169 Terms “the payer” and “the service provider” are used in the PSD. In a credit card transaction, the cardholder
plays a role as “the payer” while the issuer plays as “the service provider”.


respect may be communicated directly by the cardholder to the issuer or indirectly through
another party.170 In the case of credit cards, consent is given by the cardholder indirectly and
occurs when the cardholder purchases goods or services using her credit card.171 Furthermore,
article 54 of the PSD also regulates the form of and the procedure for giving consent, both of which
must be agreed between the cardholder and the credit card issuer.172

3.2.3. Liability for Unauthorized Transaction

The principles of liability for unauthorized transactions adopted by the PSD are as follows:
(1) The cardholder is liable up to a maximum of EUR 150 for the losses resulting from the use
of a lost, stolen, or fraudulently used credit card if:
(a) The transactions occur before the cardholder gives notification of such loss or theft of
the card; or
(b) The cardholder has failed to keep the personalized security features, for instance the PIN of
a credit card for cash withdrawal, safe.173
(2) The cardholder is liable for all the losses relating to any unauthorized transactions if he
incurred them by acting fraudulently or by failing, with intent or gross negligence, to fulfill one
or more of the obligations to use the credit card in accordance with the terms and conditions
and to notify the issuer without undue delay on becoming aware of loss, theft or fraud. In
this case, the maximum amount of EUR 150 does not apply.174
(3) The cardholder has no liability for the losses resulting from the use of a lost or stolen card
if:
(a) Transactions occur after the cardholder has given notification;175 or

170 See article 54 of the PSD.
171 See Steennot, Reinhard, supra note 166, p. 556.
172 See article 54.2 of the PSD for the form of consent and article 54.4 for the procedure for giving consent.
173 See article 61.1 of the PSD.
174 See article 61.2 of the PSD.
175 See article 61.4 of the PSD.


(b) The issuer does not provide appropriate means for the notification at all times of a
lost, stolen or fraudulently used card.176
In this case, the issuer is liable for such losses, except where the cardholder has acted
fraudulently or with gross negligence.177

3.2.4. Notification and Gross Negligence

Two conditions play an important role in defining liability for unauthorized transactions in the EU:
notification and gross negligence. Notification is governed by article 56.1(b), article 57.1(c), article
58, article 61.4 and article 61.5 of the PSD, while gross negligence is dealt with in article 61.2 of
the PSD.

In relation to notification, the PSD makes an important distinction in ruling liability for
unauthorized transactions, between (1) transactions taking place before the notification of any
unauthorized transactions, including but not limited to losses caused by theft or incorrectly
executed payment transactions178, and (2) transactions taking place after the notification.
Similar to TILA in the US, the PSD provides that the cardholder cannot be held liable for any
transactions taking place after notification.179 In this case, it is not relevant whether the issuer
is actually able to prevent further use of the lost or stolen card. However, the cardholder
can be held liable for any transactions taking place before notification, limited to a
maximum of EUR 150.

176 See article 61.5 of the PSD.
177 Both article 61.4 and article 61.5 of the PSD state this provision.
178 Incorrectly executed payment transactions mostly occur in funds transfer, for instance in credit transfer when
the bank has mistakenly debited the payer’s account with an amount different from that stated in the payment order.
Although very rare, this can also occur in credit card transactions, for instance when the cardholder has
mistakenly been ordered by the issuer to make double payments of a single transaction. This type of
unauthorized transaction is, however, beyond the scope of this thesis.
179 Article 61.4 of the PSD. See supra note 175.


Furthermore, the PSD obliges the issuer to provide appropriate means at all times for
cardholders to be able to notify the loss or theft of their card.180 This rule carries a specific sanction.
If the issuer fails to provide appropriate means for notification, the cardholder cannot be held
liable for any losses resulting from unauthorized transactions, not only those which have taken
place after the cardholder tried to notify the loss but also those which have taken place
before she tried to make a notification.181

These rules on allocation of liability, however, can be set aside if the cardholder has acted
fraudulently or with gross negligence. According to article 61.2 of the PSD, the cardholder shall be
held liable for all losses without limitation182 if she has acted fraudulently or ignored the
obligations of using the credit card properly with intent or gross negligence.183 In this case, it is
irrelevant whether the cardholder has given notification of the loss, theft, misappropriation
or fraudulent use of her credit card. Although it plays a significant role, the concept of gross
negligence is not defined in the PSD. Consequently, the PSD leaves it to the judge to determine
whether certain cardholders’ behavior constitutes gross negligence.184 There is therefore no
doubt that this unclear legislation will face severe obstacles when the laws are implemented
in each member state.

3.2.5. The PSD and the EFT Recommendation

As has been described above, the PSD is a new binding rule replacing several pieces of legislation in
some fields, including the EFT Recommendation, which is a legally non-binding
recommendation. Prior to the enactment of the PSD, the implementation of the EFT
Recommendation was assessed by the Commission in a study involving a group of European

180 See article 57 of the PSD.
181 See article 61.5. See supra note 176.
182 In particular maximum limitation of EUR 150 as defined in article 61.1 of the PSD. See supra notes 173 and 174.
183 See supra note 177.
184 See article 56 and 61 of the PSD. For a short but clear cut elaboration on gross negligence issues, see Steennot,
Reinhard, Supra note 171, p. 557 and also Mavromati, Despina, Supra note 168, p. 224-225.


Universities in 2001.185 This study identifies substantial levels of non-compliance
by member states with the EFT Recommendation. Those which have a strong connection with
this thesis are: (1) failure to limit the cardholder’s liability after notification; (2) failure to limit
liability when the credit card has been used without physical presentation or electronic
identification; (3) lack of uniformity across the member states in relation to what constitutes
gross negligence; (4) in most member states the burden of proof is placed on cardholders; and
(5) failure of many issuers to comply with the obligations of notification procedures, including:
(a) some do not explain the notification procedures to the cardholders, (b) in many cases no
particular means are provided by issuers to prove that a notification has been made, (c) some
offer limited access to notify, for instance merely during working hours.186 Based on this result,
the Commission then enacted the PSD in 2007, one of whose main points of attention is
consumer protection at a high level.187

Thus, do liability rules in the PSD differ from those in the EFT Recommendation?
Basically, the liability rules defined in the PSD continue those already defined in the
recommendation. Which party is liable for unauthorized transactions, and under which
circumstances, remains identical. However, the PSD does not use the term “extreme
negligence” mentioned in the recommendation to explain the exemption from the limitation of
the cardholder’s liability. Instead, the PSD replaces it with “gross negligence”.188 Furthermore, the
PSD does not contain explicit or implicit rules of liability for card-not-present transaction or

185 Study on the implementation of Recommendation 97/489/EC concerning transactions carried out by electronic
payment instruments and in particular the relationship between holder and issuer. To have a comprehensive
understanding on the assessment, see also Study of user identification methods in card payments, mobile
payments and e-payments of the European Commission, WP 4, Analysis of the possible regulatory and
contractual barriers to the use of available or prospective best technologies, E‐payment study
MARKT/2006/08/F/WP 4, Final Report – 23 November 2007, p. 9-14.
186 See Study on the implementation of Recommendation 97/489/EC, Ibid, p. 6-7, and also Study of user
identification methods in card payments, mobile payments and e-payments of the European Commission, Ibid,
p. 10-11.
187 Study of user identification methods in card payments, mobile payments and e-payments of the European
Commission, Ibid, p. 12.
188 Compare article 61.2 of the PSD and article 6.1 of EFT Recommendation.


electronic identification as the EFT Recommendation did. According to the EFT
Recommendation provisions, the cardholder cannot be held liable if an unauthorized person
fraudulently used the credit card information to perform transactions that are made merely by
communicating the credit card number and its expiry date, for instance mail order or
telephone order (MOTO), or those which have been made over the internet.189 These consumer
protection provisions, however, cannot be found in the PSD, explicitly or implicitly.

3.2.6. Case Laws

Since the PSD will be implemented by member states and take effect starting on 1 November
2009, it is impossible to find any case that has been decided on the basis of that
legislation. However, because the liability rules defined in the PSD do not differ much from
those stated in the EFT Recommendation,190 we will briefly discuss some
important cases from the period when the EFT Recommendation applied.

Court decisions in the member states vary. The decisions do not differ much
between the periods before and after the enactment of the EFT Recommendation. One of the main
reasons is perhaps that the EFT Recommendation is not a binding rule, so that only a few
member states ever adopted it into their national law. Only
Belgium adopted the recommendation, by the enactment of the Act of 17 July 2002, while on 31
May 2000 Denmark adopted its principles by enacting the Act of Certain
Payment Instruments.

In Belgium, the court decided that an old woman had acted with extreme negligence when
she put her credit card in a purse and left it unattended while she was being examined.191 This is
similar to a court decision in Germany in which the court of Kassel decided that a cardholder had
acted with extreme negligence when he saved his PIN in a phone number or wrote it down on a

189 See Steennot, Reinhard, Supra note 184, p. 558-559.
190 See section 3.2.5 for detail elaboration on this issue.
191 Vred. Brussels 7 July 2006, Bank Fin.R. 2007, 134.


note in his wallet.192 However, these two court decisions are contrary to a court decision in
The Netherlands, which held that a cardholder who saved his PIN in a phone number or
wrote it down in a note together with notes of phone numbers had not acted with extreme
negligence.193

With regard to what cardholder behavior constitutes ‘extreme negligence’, a
term that has been replaced by ‘gross negligence’ in the PSD, neither the EFT
Recommendation nor the PSD gives any clear-cut definition or scope. This obscure term has
created particular problems. In Belgium, the Court of Appeal decided that a cardholder who
discovers only after one month that his credit card is missing has not acted with gross negligence.194 The
same court also decided that a cardholder need not check immediately
whether his credit card is missing after his wallet has fallen out of his pocket and someone
has found it and given it back to him.195 This contrasts sharply with the court decision in
Germany which found the cardholder extremely negligent merely for keeping a PIN and a
card in the same place. However, in several member states it is traditionally accepted that late
notification constitutes gross negligence.196

3.2.7. Evaluation/Drawbacks

Undoubtedly, the provisions of the PSD have anticipated the loophole found in
other regulatory frameworks such as the US laws. In the previous section, we discussed
how the US laws overwhelmingly protect the consumer by immunizing negligence.197 The PSD
sees this loophole and has therefore adopted specific provisions to distinguish between the

192 AG Kassel 16 November 1993, W.M. 1994, 2110.
193 GCB 24 September 1994, T.V.C. 1995, 183.
194 Brussels 27 May 2002, NjW 2003, 311, T.B.H. 2004, 158.
195 Brussels 4 October 2005, Bank Fin.R. 2006, 148.
196 At least in Germany and France as mentioned in the Study on the implementation of Recommendation
97/489/EC, See Supra note 186.
197 See evaluation/drawback of the US regulatory framework on section 3.1.7.


treatment of sound, salient cardholders and those who have acted with gross negligence.198 The
aim of those provisions is to hold negligent cardholders liable for losses resulting from
unauthorized transactions caused by their negligent behavior. However, the PSD does not
further define what behavior constitutes gross negligence.

Learning from the implementation of the EFT Recommendation, it is reasonable to expect that
the obscurity of what behavior constitutes gross negligence in the PSD will create
obstacles to the implementation of the laws. Those obstacles cover some important issues
such as ‘leave it to the judge’ provisions, application of a presumption of negligence, burden of
proof in fact, and liability in card-not-present transactions, as discussed below.

3.2.7.1. ‘Leave it to the judge’ to decide

The laws leave it to the judge to determine which cardholder behavior constitutes gross
negligence. Remember that this determination is very important in deciding whether a
cardholder will be held liable for losses caused by her behavior. If the judge decides that
such behavior constitutes gross negligence, the cardholder will be held liable for all
losses without any limitation: not only losses that occurred before notification --if she
made one-- but also losses that occurred after notification. The responsibility of the
cardholder in this case is not limited to a maximum of EUR 150.

Laws that give greater power and much flexibility to the judge may not be
considered undesirable. However, we should take into account that the EU consists of many
countries with different legal systems and litigation processes. Enacting a law containing a
‘leave-it-to-the-judge’ provision in a setting of multiple legal systems like the EU is not desirable. The member
states would encounter severe problems, specifically in implementing such laws. It can be predicted
that the court’s decision for the same case in one member state will not be similar or identical
to those in other states. One court in one member state may determine that a certain
cardholder’s behavior constitutes gross negligence while another court in another member

198 In particular article 61.2 of the PSD. See section 3.2.7.


state may not consider it gross negligence. The range of court decisions can be very
wide. From the previous discussion on case law in several member states,199 this diversity
already existed when the EFT Recommendation applied, and there is no strong reason to
believe that it will not happen again in the future when the PSD has been implemented.

3.2.7.2. Application of a presumption of negligence

The obscure provisions on what behavior constitutes gross negligence have also led to
divergence over whether member states apply a presumption of gross negligence. In Germany, for
instance, a presumption of gross negligence is applied today,200 while in Belgium the statute of
17 July 2002 has explicitly prohibited the application of a presumption of gross
negligence. In the latter country, the prohibition on applying the presumption of gross negligence
has also been upheld by the Court of Appeal.201 It is important to note that the presumption
of gross negligence is a dangerous adage from the consumers’ point of view. This presumption allows
the conclusion that a cardholder has acted negligently merely from the fact that her credit
card has been successfully used by a third person.202 Thus, the application of this adage will weaken
the laws’ effort to strengthen the consumer protection provisions.

3.2.7.3. Burden of proof in fact

The PSD explicitly states that the burden is on the issuer to prove the occurrence of the
fraudulent use of a credit card and to prove whether a cardholder has acted with gross
negligence.203 According to article 59.1 of the PSD, there are two principles that must be
followed by the issuer with regard to the burden of proof. First, if the cardholder claims that
an executed transaction resulted from fraud, the issuer must prove that the transaction is

199 See discussion on case laws on section 3.2.6.
200 OLG Celle 27 February 1985, W.U.B. 1985, 95.
201 See Brussels 4 October 2005, Bank Fin.R. 2006, 148.
202 See Reinhard, Steennot, Supra note 189, p. 558.
203 See article 59 of the PSD.


authorized.204 To prove that the transaction is authorized, the issuer must provide
evidence that the transaction has been authenticated, accurately recorded, entered in the
account and not affected by a technical breakdown or other deficiency.205 Second, the PSD
provides that the issuer is prohibited from relying solely on the successful use of the payment instrument
as evidence. Evidence that is merely based on the fact that the transaction has been
successfully made and recorded by the issuer is not necessarily sufficient to prove either that the
transaction has been authorized by the cardholder or that the cardholder has acted with gross
negligence.206

The rules on the burden of proof in the PSD seem to protect the cardholder tightly.
However, it is doubtful that the implementation of the rule will be as smooth as its text. In
fact, if a cardholder denies that she has made a transaction, but the issuer can
provide a long list of evidence that the transaction has been authorized by the cardholder, the
cardholder must in turn prove that her denial is true and that the issuer is wrong. How can she
counter the issuer’s evidence if the only proof the cardholder has is a transaction
slip? The problem of the burden of proof in fact has been known for many years.207 In 1996,
the Dutch Consumers Association conducted a study to evaluate the consumer position with
regard to proof.208 The study confirmed the weak position of the consumer. In one decision of
the Dutch dispute settlement committee, “Geschillencommissie Bankzaken”, an example of
the weak position of the consumer can still be found. In case number B97116, dated 19
March 1998, for instance, a cardholder who suffered damages from an unauthorized cash
withdrawal at an ATM was held liable for the losses because the issuer was able to prove that
there were no irregularities in connection with the transaction. The data log from the issuer’s

204 Article 59.1 of the PSD.
205 See Id. For a brief elaboration on the burden of proof regulated in the PSD, see Mavromati, Despina, Supra
note 184, p. 220-222.
206 See article 59.2 of the PSD.
207 Schudelaro, A.A.P., Ir., Electronic Payments and Consumer Protection: Should Recommendation 97/489/EC be
Replaced with a Directive?, Computer Law and Security Report, Vol. 17 No. 2, 2001, p. 106-107.
208 Consumentenbond, ‘Geldklem, Verslag van een actie’, 1996, p. 42 as in Schudelaro, A.A.P., Ir., Id, f.n. 7.


system showed that the transaction had been made with the authorized card and PIN. Although
the cardholder kept denying that she had made the transaction, she had not a single piece of
evidence to prove it. Furthermore, her statement that her card had never been stolen or lost
strengthened the issuer’s position.209

Problems with the burden of proof are complex and cannot be solved merely by shifting
the burden of proof from one party to another. The real problem of the burden of proof
is actually the reliability of the issuer’s evidence resulting from its system. Thus, the PSD needs
further legislation to interpret the detailed provisions on the burden of proof. Without it, the member
states will face obstacles in implementing the provisions. When a dispute with regard to an
unauthorized transaction arises, the battle between the issuer and the cardholder --before the
court, in the dispute settlement body, or bilaterally between the issuer and the cardholder--
cannot be resolved merely by shifting the burden of proof.

3.2.7.4. Liability for card-not-present transactions

One of the main differences between the EFT Recommendation and the PSD is that in the latter
regulation, the provision disclaiming the cardholder’s responsibility for losses
resulting from unauthorized use of credit cards in card-not-present transactions,210 e.g. MOTO
or transactions over the Internet, has been omitted. In these types of transactions, the buyer
only needs to communicate certain information about her credit card to perform a transaction. In
the early stage when these types of transaction were introduced, the buyer only gave the
credit card number and its expiry date. Admittedly, these transactions use less security compared to
face-to-face transactions, and merchants have no flexibility in scrutinizing the validity of
transactions to avoid fraud.211 Although in the current mechanism of card-not-present

209 See Schudelaro, A.A.P., Ir., Id, p. 109, f.n. 8.
210 It was previously stated in the of the EFT Recommendation. See Steennot, Reinhard, Supra note 202, p. 558-
559 for elaboration on this issue and section 3.2.5 for discussion on the difference between EFT
Recommendation and the PSD.
211 In face-to-face transactions, merchants will carry out certain authorization procedures prior to the transaction.
They will check the validity of the card, and in the current mechanism they can also check whether the


transactions the principal of the credit cards has introduced a security number212 to strengthen
security, this does not solve the problem of the vulnerability of card-not-present
transactions. The investigation showed that it is easy for fraudsters to obtain the security number,
with either conventional or ‘hi-tech’ methods.213 Furthermore, it creates a new problem for
consumers, reducing the speed and convenience of transactions, since this transaction uses
a pop-up display form to be filled in by the cardholder. This method is often detected as a virus
by computer antivirus software and is therefore usually blocked by most security software.

In brief, omitting from legislation the provisions that disclaim cardholders’ liability in
card-not-present transactions gives rise to problems, not only concerning the protection of
the consumer from unauthorized use of her credit card information, but also concerning the speed of
transactions and the consumer’s convenience.

3.2.8. Conclusion

Laws on liability for losses resulting from unauthorized use of credit cards in the EU might
not be as comprehensive as those in the US. The rules are not laid down in a regulation specific to
credit cards; they are embedded in a payment system directive that includes regulations
for other electronic funds transfer activities and instruments such as debit cards, credit
transfers or debit transfers. However, the EU laws are one step ahead in fairly
distributing the losses. They anticipate the loophole found in the US regulatory framework by
inserting specific provisions to hold consumers who have acted with gross negligence liable.
Thus, not all cardholders are protected by the laws. The EU laws protect sound and salient
cardholders by not holding them liable for all losses resulting from unauthorized transactions

card bearer is the cardholder by scrutinizing the picture embedded on the card, since recently many credit cards
have a photo of the holder on them. Furthermore, and this is perhaps the most important thing, in face-to-face
transactions, merchants should obtain the cardholder’s signature for every single payment.
212 A 3-digit number printed on the back of a credit card. It is called “Verified by Visa” or VBV by Visa and
MasterCard SecureCode by MasterCard. Unlike a PIN, this 3-digit security number is set by
default by the private network system and the cardholder is not able to alter it.
213 See discussion on how fraudsters use ‘low-tech’ and ‘high-tech’ methods to obtain credit card information on
section 2.2.


taking place after the notification and by limiting their liability to a maximum of EUR 150 for
losses resulting from unauthorized transactions before the notification. However, once
cardholders act with gross negligence, they are liable for all losses, both those which
occurred before and those which occurred after notification, and without the EUR 150 limit.

Despite their strengths, the EU laws also have their own problems. The obscurity of what
constitutes gross negligence is one of them. Since the laws leave it to the judge to determine
whether certain cardholder behavior constitutes gross negligence, this will create diversity in the
implementation of the laws. This condition can also lead to the second shortcoming of the EU laws: the
application of a presumption of gross negligence. From the consumers’ point of view, the use of this
adage is dangerous since it concludes that a cardholder has acted negligently merely from the
fact that her credit card has been successfully used by a third person. The third pitfall of the EU laws
concerns the burden of proof in fact. The PSD states that the burden of proof, whether a
transaction is authorized or whether gross negligence is present, shall be on the issuer.
However, the implementation of the laws shows the contrary. Finally, the last drawback of the EU
laws is that they have omitted the provisions disclaiming the cardholder’s responsibility for
card-not-present transactions that were stated in the earlier legislation. A card-not-present
transaction is a payment method that not only uses less security but is also vulnerable to fraud.
Removing consumer protection provisions for this less secure method will put the cardholder in a
fragile position with respect to fraud, reducing the transaction’s speed as well as the consumer’s convenience.

3.3 Australia
3.3.1 Introduction

Australia has no specific statutes regulating liability for the loss resulting from credit card fraud.
Yet it has a soft law called the Electronic Funds Transfer Code of Conduct (hereinafter EFTCC) to
govern it. EFTCC is a code of conduct made by the Australian Securities and Investments Commission


(ASIC), a commission established by an Australian act214, regulating payment system activities
such as fund transfers and other payments using credit or debit instruments. EFTCC was first
issued on 1 April 2001 and then amended on 18 March 2002 and on 1 November 2008.

EFTCC consists of 4 sections: (1) Part A, regulating rules and procedures to govern the
relationship between users and account institutions, (2) Part B, regarding rules for consumer
stored value facilities and transactions, (3) Part C, on privacy, electronic communication,
administration and review, and (4) Part D, with regard to account listing and switching. Liability
for the losses resulting from credit card fraud is governed by Part A, in particular Section 5 on
Liability for Unauthorized Transactions.

3.3.2 Unauthorized Transaction

Although sub section A of Section 5 Part A EFTCC has the words Definition of Unauthorized
Transaction as its title, the code does not clearly define what “unauthorized transaction”
means. Instead, it states the scope in which the code applies. The rules of sub section A
deal with liability for transactions which are not authorized by the user.215 Furthermore, the
clause clearly states that it does not apply to any transaction carried out by the user or by anyone
performing a transaction with the user’s knowledge and consent.216 These scope boundaries
are identical to the boundaries made by the TILA.217

214 The Australian Securities and Investments Commission Act 1989, amended in 1998. This act provides the ASIC
authority to regulate consumer protection in the financial system. For details see e.g. Tyree, Alan L. The
Australian Payment System, Banking and Finance Law Review, October 2001, p. 39-65.
215 See the Australian EFTCC, Part A, Section 5, Sub Section A, Paragraph 5.1.
216 See id.
217 See elaboration of the scope of authorized transaction under the US laws on section 3.1.2.

3.3.3 Liability for Unauthorized Transaction

The Australian soft law regulates certain conditions in which the cardholder has no liability for
unauthorized transactions as well as circumstances where the cardholder is liable.218 The
cardholder has no liability for unauthorized transactions related to:
(1) Losses that are caused by the fraudulent or negligent conduct of employees or agents of the
issuer or of companies involved in credit card networking arrangements, including
merchants,219
(2) Losses from credit cards that are forged, faulty, expired, or cancelled,220
(3) Losses that arise from any transaction that occurred before the cardholder has received
the card (including a reissued card),221
(4) Losses that are caused by the same transaction being incorrectly debited more than once
to the same account,222
(5) Losses resulting from unauthorized transactions occurring after notification to the issuer
that the credit card has been misused, lost or stolen or that the security of codes forming
part of the access method has been breached,223
(6) Losses resulting from unauthorized transactions where the cardholder has not
contributed to such losses.224

When the conditions above do not apply, the cardholder is liable for losses resulting
from unauthorized transactions, but only if:

218 Beside these two main rules, other important aspects ruled by EFTCC are notification of the loss, theft or
unauthorized use of devices or codes, specific clauses on unauthorized credit card and charge card, and
discretion to reduce accountholder’s liability where no reasonable daily or periodic transaction limits.
219 EFTCC, Part A, Section 5, Sub section B, Paragraph 5.2(a).
220 EFTCC, Part A, Section 5, Sub section B, Paragraph 5.2(b).
221 EFTCC, Part A, Section 5, Sub section B, Paragraph 5.2(c).
222 EFTCC, Part A, Section 5, Sub section B, Paragraph 5.2(d).
223 EFTCC, Part A, Section 5, Sub section C, Paragraph 5.3.
224 EFTCC, Part A, Section 5, Sub section D, Paragraph 5.4.

(1) The issuer can prove on the balance of probability that the cardholder contributed to the
losses through fraud or contravention of the EFTCC’s requirement to keep the card and its PIN
safe. The cardholder is then liable for the actual losses which occur before the issuer is
notified that the credit card has been misused, lost or stolen. However, the cardholder is
not liable for any portion of the losses incurred on any day which exceeds the applicable
daily transaction limit, or the portion of the losses incurred which exceeds the credit limit
which the issuer and the cardholder had agreed.225
Furthermore, the EFTCC sets out a detailed provision on the contravention of the laws’ requirement
needed to hold the cardholder liable. When the access method consists of more than one PIN or code,
the EFTCC requires the issuer to prove that the cardholder has contravened the EFTCC’s
requirement to keep the card and its PINs safe by voluntarily disclosing, or by keeping a
record or a note of, one or more PINs but not all of them. In this case, the cardholder is
liable for the losses as described above but only if the issuer can prove on the balance of
probability that the cardholder’s contravention was the dominant contributing cause of the
losses.226
(2) The issuer can prove on the balance of probability that the cardholder has contributed to
losses resulting from unauthorized transactions by unreasonably delaying
notification after becoming aware of the misuse, loss or theft. The cardholder is then liable
for the actual losses which occur between when the cardholder became aware227 and
when the issuer was actually notified.228 The limitation that liability may not exceed the
applicable daily limit or the credit limit agreed between the issuer and the cardholder
still applies.
(3) Where a code such as a PIN was required to perform the unauthorized transaction, for instance
a cash withdrawal using a credit card, the cardholder is liable for a maximum of:
(a) AUD 150 or lower, or229
(b) The balance of any pre-arranged credit,230 or
(c) The actual loss at the time the issuer is notified that the credit card has been misused,
lost or stolen.231
(4) For transactions using a PIN (cash withdrawal), the cardholder is found guilty if:
(a) The cardholder voluntarily discloses one or more of the PINs to anyone, including a family
member or friend;232
(b) The cardholder keeps a record of the PIN on an article without making any reasonable
attempt to protect the record, and carries the record with the card, so that they are
liable to loss or theft simultaneously;233 or
(c) The cardholder acts with extreme carelessness in failing to protect the security of
the PIN,234 or
(d) The issuer has instructed the cardholder not to select a numeric code which
represents the cardholder’s birth date or an alphabetical code which is part of the
cardholder’s identity, e.g. name, and warned of the consequences of such behavior,
yet the cardholder insists on doing so.235

225 EFTCC, Part A, Section 5, Sub section E, Paragraph 5.5(a).
226 See Id.
227 Or should reasonably have become aware in the case of a lost or stolen card.
228 EFTCC, Part A, Section 5, Sub section E, Paragraph 5.5(b).

3.3.4 Notification

Notification also plays an important role in defining liability in Australian laws. Similar to the
TILA’s requirements in the US and the PSD clauses in the EU, notification in Australian laws also
sets the boundaries of when, and under which circumstances, the cardholder is liable for losses
resulting from the fraudulent use of credit cards. The EFTCC determines that the
cardholder cannot be held liable for losses resulting from fraudulent use of a credit card which
occur after she has notified the issuer of any loss, theft or fraudulent use of the credit card.
However, the cardholder can be held liable for losses occurring before the notification is made.

To support the implementation of these provisions, the EFTCC requires the issuer to
provide effective and convenient means for the cardholder to report any lost or stolen
card, any unauthorized or fraudulent use of the card, or any breach of security of a code.
Furthermore, the EFTCC gives an example of an effective and convenient means,
namely a telephone hot line, and it also requires that those means be
available at all times for the cardholder to make the notification. If the issuer fails to satisfy
these requirements, the cardholder cannot be held liable for the losses resulting from
fraudulent use of credit cards. Thus, the burden of the losses falls on the issuer.236

229 EFTCC, Part A, Section 5, Sub section E, Paragraph 5.5(c)(i).
230 EFTCC, Part A, Section 5, Sub section E, Paragraph 5.5(c)(ii).
231 EFTCC, Part A, Section 5, Sub section E, Paragraph 5.5(c)(iii).
232 EFTCC, Part A, Section 5, Sub section E, Paragraph 5.6(a).
233 EFTCC, Part A, Section 5, Sub section E, Paragraph 5.6(b) and 5.6(c).
234 EFTCC, Part A, Section 5, Sub section E, Paragraph 5.6(d) and 5.6(e).
235 EFTCC, Part A, Section 5, Sub section E, Paragraph 5.6(d) and 5.6(d).

3.3.5 Case Law

It is important to note that while this thesis is being written, a large
amount of credit card fraud is occurring in Australia. On 1 July 2009, Australian police from the
Identity Security Strike Team, which includes officers from the Australian Federal Police, New
South Wales Police Force, New South Wales Crime Commission, Australian Crime Commission
and Department of Immigration and Citizenship, arrested five people in Sydney and two in
Melbourne over the AUD 6 million frauds.237 They have been accused of manufacturing and
distributing more than 200 fraudulent credit cards a week, using personal details obtained in
Australia and other countries such as Spain, Britain and Malaysia.238 Recently, credit card
frauds in Australia have increased. According to the APCA, scammers in Australia are now
phishing 44.5 cents in every AUD1000 (up from 36.9 cents last year) of the AUD251 billion in
credit card transactions.239

236 EFTCC, Part A, Section 5, Sub section F, Paragraph 5.9.
237 Bennett, Adam, Cops Bust $6m Fake Credit Card Ring, Australian IT News, 2 July 2009, available at
http://www.australianit.news.com.au/story/0,,25722491-5013044,00.html. See also Five Alleged Credit Card
Fraudsters Face Court, available at http://www.australianit.news.com.au/story/0,,25722967-5013044,00.html
and Bank Confirms Credit Card Fraud from Bottle Domains Hack, available at
http://www.ecommercereport.com.au/story83.php. All those websites were last visited on 17 July 2009.
238 See Bennett, Adam, Id.

However, it is rather difficult for the researcher to find any cases related to disputes over
civil liability for losses resulting from unauthorized use of credit cards. Credit card fraud
and the court decisions in Australia contrast with those of the other two jurisdictions
elaborated previously. Many cases of credit card fraud or crimes have occurred in
Australia but, unlike the cases in the US or in the EU, the criminals were arrested by the
police, brought to court by the solicitor and imprisoned by the judge. It seems that no
dispute arises among the parties involved in the credit card mainstream, since each knows
that the fraud really happened and the fraudsters have been successfully brought before
the court and placed in prison.

3.3.6 Evaluation: Advantages and Drawback

Australian laws provide brief provisions concerning liability for losses resulting from
unauthorized use of credit cards, yet this does not mean that those provisions fail to elaborate
detailed requirements under which each party has its own responsibility. Unlike the laws in
the US and in the EU, Australian laws regulate several detailed aspects that cannot be
found in the US or the EU laws. Framing the legislation in this way therefore has its own
advantages and drawbacks.

Compared to the other two jurisdictions elaborated previously, the advantages
of Australian laws can be divided into two main points as follows. First, Australian laws have
inserted provisions obliging the cardholder to keep the card and the PIN safe, including
the obligation not to disclose any PIN or code used to perform transactions to other people
such as family and friends, and not to record the PIN, write it down in a note and keep it in the
same place together with the card. These detailed provisions cannot be found in the US or
EU statutes, although they can be found in court decisions in the US or in the EU member
states.240 Framing the legislation in this way makes the implementation of the laws much
easier, unlike the EU legislation, which leaves it to the judge to determine whether such
behaviors constitute negligence. The second advantage concerns the provisions on access
codes. The Australian laws have taken the rapid development of technology into account by
providing separate provisions for access codes such as PINs and attempting to assign liability
where the parties neglect to apply sufficient security to keep such access codes safe.241 For any
transaction using a PIN, when an unauthorized transaction occurs the cardholder is liable for
losses up to a maximum of AUD 150, the balance of pre-arranged credit, or the actual losses
before the notification.242 Where the issuer can prove that the cardholder has failed to secure
her access code, the issuer can hold the cardholder liable for all losses resulting from
fraudulent use of her credit cards. In this case, the AUD 150 maximum need not be applied.

239 Calligeros, Marissa, Bank Delays Exposing Aussies to Credit Card Fraud, 7 July 2009, available at
http://www.brisbanetimes.com.au/queensland/bank-delays-exposing-aussies-to-credit-card-fraud-20090707-dbah.html,
last visited on 17 July 2009.

On the other hand, the Australian EFTCC also has a certain drawback. The most
severe drawback in the regulation of liability allocation concerns the limitation of liability for
the cardholder. As has been described above, the laws provide that the cardholder has limited
liability for unauthorized transactions which require an access code such as a PIN to be made.
However, the limitations are widely defined, ranging from the maximum of AUD150 liability for
losses to the balance of pre-arranged credit or the actual losses at the time of notification.243 Two
objections arise from the consumer’s perspective with regard to the limitation of the cardholder’s
liability. First, why does the limitation of the cardholder’s liability to a maximum of AUD150 apply
only to transactions using an access code such as a PIN? It is rather ironic, since most
credit card transactions require a signature for all point-of-sale transactions and only use a PIN
for cash withdrawal.244 Thus, it can be concluded that the laws implicitly determine that the
cardholder in most credit card transactions, which in fact do not require an access code,
is not protected by those limitations. Simply put, the credit cardholder can easily be held liable
for unauthorized point-of-sale transactions. The second objection from consumers is that,
although the limitation of liability for PIN transactions has been defined, those limitations
have been set widely, not only to include the maximum amount of AUD150 but also to allow
a choice among several alternatives such as the balance of pre-arranged credit or the actual
losses at the time of notification. Thus, although the cardholder has limited liability for
PIN-based transactions, she may still be held liable not only for a maximum amount of
AUD150 of the losses but also for the actual losses or the pre-arranged credit,
depending on which one is bigger. Although not supported by any case law,245 it is
obvious that the limitations have been set in favor of the issuer.

240 Although court decisions in the EU member states are widely different settling on this issue, e.g. some courts
in a certain member state determined that writing down a PIN or recording it, and saving it in the same place
with the card are not negligence while the other courts in another member state decided them as gross
negligence, the decision still can be found. For detail elaboration on case laws in the EU, see section 3.1.6.
241 Provisions mentioning PIN in the EFTCC are Part A, Section 5, Sub section E, Paragraph 5.5(a) (mentioning how
to consider the cardholder’s behavior in recording one or more access code as behavior that contravenes the
laws); Paragraph 5.5(c) (limitation of the cardholder’s liability for transactions using an access code);
Paragraph 5.6 (contravention measurements); and Paragraph 5.8 (reasonable attempts to protect security of a
code record).
242 See EFTCC, Part A, Section 5, Sub section E, Paragraph 5.5(c).
243 See Id.

3.3.7 Conclusions

The Australian laws provide a short yet detailed provision regulating the liability for losses
resulting from the unauthorized use of credit cards. Unlike the laws in the US or in the EU,
the Australian EFTCC includes detailed obligations for the parties to secure the card and
the PIN and attempts to hold liable the party which ignores those obligations. These
provisions cannot be found literally in the US or EU statutes, but only in the case law.

244 All point-of-sale transactions using a credit card under world-wide credit card networks such as Visa,
MasterCard, JCB, Amex and Diners Club International are signature-based. There are certain private
networks which use PINs to perform transactions. However, the use of those cards is very limited in
certain countries, for instance local credit cards issued by Bank Central Asia in Indonesia.
245 As has been described previously, it is rather difficult to find any case law in Australia to support this argument.
However, a simple argument using logic is sufficient to show the weak position of the cardholder.

Concerning liability for losses resulting from fraudulent use of credit cards, the Australian
EFTCC does not differ from the US or the EU laws. It provides that the cardholder is not
liable for losses occurring after she has notified the issuer that her credit card has been
misused, lost, or stolen, or that the security of the codes forming part of the access method has
been breached. However, the Australian laws have taken the rapid development of
technology into account by providing specific regulations for access methods such as PINs, which
also set the circumstances for liability. For PIN-based transactions, the cardholder has limited
liability up to a maximum of AUD150, pre-arranged credit, or actual losses at the time of
notification. These limitations give rise to two objections from the consumer’s point of view:
first, they are useless since most credit card transactions are signature-based, and, second,
they have been set very widely, not only to include the maximum amount of AUD150 but also
pre-arranged credit and actual losses.

Chapter 4
Reasons Why the Present Regulatory Frameworks
are not Adequate

In the third chapter we evaluated the drawbacks of each regulatory framework of liability
applied in the US, the EU and Australia. From those evaluations, there is sufficient evidence that
each regime has its own disadvantages, and it can therefore be seen that there is no single
optimal regime of liability allocation which best suits the interests of each party involved in the
credit card payment mainstream, in particular from the perspective of consumers.
However, in this chapter we will elaborate further and provide more evidence on why those
regulatory frameworks lack adequacy.

The elaboration in this chapter proceeds in four steps. First, the laws will be
challenged by the development of payment methods and the complexity of frauds. It will be
shown that the existing laws on liability allocation have difficulty dealing with the rapid
development of payment methods and frauds, in particular since the Internet and electronic
commerce were introduced. Second, we will analyze the
implementation of the laws and whether a bias has occurred. Here we will focus on one main
problem, the burden of proof in fact. Third, we will discuss the long-standing problem of third
party liability as implemented by private card networks. Since the underlying legal
frameworks of this thesis are mainly based on public laws, we will focus on only two
important concepts of third party liability: (1) shifting liability from the issuer to the acquirer,
and (2) shifting liability to the merchant in certain conditions. Finally, we will emphasize that
the main objective of the laws is supposed to be to “minimize the fraud losses”, yet the existing
laws fail to promote efficient fraud avoidance.

To have a better understanding of each regulatory framework, we will first present a
comparative analysis of those regulatory frameworks, summarizing the
elaboration in Chapter 3 and relating it to this chapter’s issues. The comparative analysis can be
seen in the table below.

Table of comparative analysis of regulatory frameworks on liability allocation for losses resulting from unauthorized use of credit cards between the US, the EU and Australian laws

| No. | Regulation Issues | The US | The EU | Aus |
|---|---|---|---|---|
| 1. | Limited liability of the cardholder for unauthorized transactions. | Yes, USD50 | Yes, EUR150 | Yes, AUD150*) |
| 2. | The exemption of the limited liability of the cardholder. | No | Yes, gross negligence | Yes**) |
| 3. | Specific provisions to disclaim that the cardholder is liable for fraudulent use of credit cards in card-not present transaction. | No | No***) | No |
| 4. | Notification is required in defining which party is liable and in limiting the liability of the cardholder. | Yes | Yes | Yes |
| 5. | Limited time for notification | No | Yes****) | No |
| 6. | Provision on gross negligence | No | Yes*****) | Yes******) |
| 7. | The obscurity of the legislation on gross negligence has led to the implementation of a presumption of gross negligence | No | Yes | No |
| 8. | The laws cope with the advanced development of frauds | No | No | Yes |
| 9. | Specific provisions mentioning particular party should be burdened to prove whether a transaction is authorized, and which party. | No*******) | Yes, issuer | Yes, issuer |
| 10. | The ultimate objective of the legislation is to minimize fraud | No | No | No |
| 11. | Mentioning third party’s liability outside of the issuer and the cardholder, e.g., acquirer’s, merchant’s | No | No | No |

*) Applies only for the PIN-based transactions.
**) Since the limitation of the liability only applies for the PIN-based transactions, it means that for another method of transactions such as signature-based, the limitation does not apply.
***) It was mentioned in the previous legislation, the EFT Recommendation, but not in the current regulation, the PSD.
****) The limitation is not clear cut, only with term “without undue delay”, without any further explanation. However, court decisions in the most member states have accepted that late notification is considered gross negligence.
*****) Without further explanation of what gross negligence is.
******) It gives examples what behaviors constitute carelessness and therefore they have to be avoided by the cardholders.
*******) Only mentioned in the court decisions.

4.1 Complexity of the Payment’s and the Fraud’s Methods

In the beginning, credit cards might only have been used for ‘face-to-face’ transactions. In this
‘traditional’ method of credit card payment, a consumer makes a credit card payment by
presenting the card, swiping the card through a device246, and then signing the receipt printed out
by the device. Furthermore, this method also obliges the merchant to check the validity of
the card and its bearer prior to the transaction247 and to scrutinize the cardholder’s signature on
the bill, matching it with the signature on the back of the card.248 This is the
simplest way for the cardholder to make a payment using a credit card, as well as the
easiest way for the merchant to examine the validity of the card and its bearer.

However, payment by credit card has nowadays developed rapidly
to cover not only face-to-face transactions but also MOTO and electronic commerce
transactions, that is, those made through the Internet.249 In this method, the payment is
made by communicating credit card information such as the credit card number and
its expiry date through mail or telephone (for MOTO), or by submitting that information via the
merchant’s website (for online payment). This method is often called the card-not-present method
of transaction. With regard to examination processes prior to the transaction, merchants in
the card-not-present method face more difficulty not only in examining the validity of the card
but also in assuring that the person conducting the transaction is the authorized person. They
only have the credit card number and its expiry date. It therefore makes no sense to validate the
authorization of the person conducting the transaction based on those data alone.250 Every
person who knows the number of a valid credit card and an expiry date which has
not passed will be able to conduct a card-not-present transaction. Thus, it can be said that this
method is vulnerable to the fraudulent use of credit cards by persons other than the
cardholder.

246 A device called an “electronic data capture” or EDC, used to read the credit card, to check
the validity of the card, to authorize it, and then to print out the bill of payment to be signed by the
cardholder.
247 See Szwak, David A., Supra note 50, p. 38, and Litan A., Credit Card Companies Provide Little Relief for Online
Fraud, Research Note, Gartner, 31 December 2002.
248 There is always a signature on the back of a credit card. Private network rules require each cardholder to
sign his credit card before use as proof that the cardholder has accepted the card and therefore is bound by
the terms and obligations of using the card. This may stem from the US laws’ requirement that a credit card needs
to be accepted by the cardholder prior to use. See 15 U.S.C.A. § 1643(a)(1)(A); 12 C.F.R. §
226.12(b)(2)(i).
249 See Douglass, Duncan B., An examination of the fraud liability shift in consumer card-based payment systems,
Federal Reserve Bank of Chicago, p. 43, available at
http://www.chicagofed.org/publications/economicperspectives/ep_1qtr2009_part7_douglass.pdf, last visited
on 13 July 2009.

What do the three regulatory frameworks say with regard to card-not-present
transactions? From the elaboration of those frameworks in the previous chapter we can conclude that
none of those laws has an explicit, specific provision concerning the protection of the cardholder
in card-not-present transactions. The previous legislation applied in the EU251 had actually
stated that the cardholder could not be held liable for card-not-present transactions.252
However, this provision has been removed in the current legislation. With this provision omitted,
no single regulatory framework protects the consumer in card-not-present transactions.
Thus, the regular provisions on liability allocation should be applied in this case.

Facing these inequities in the public laws, the credit card principals have taken the
initiative to give more protection to the cardholder. They have put specific provisions in the private
network rules to prohibit the issuer or any other party from holding the cardholder liable for losses
resulting from fraudulent use of credit card information in card-not-present transactions.
In this case, the losses from the fraudulent use should be borne by the issuer.

In line with the development of the credit card payment method, the complexity of
credit card frauds has also increased. When payment was conducted in the traditional way,
fraudsters only employed conventional ways to obtain credit cards such as pick pocketing,
dumpster diving, or finding lost cards. Nowadays, when credit cards can be used to
perform MOTO and have become the most preferred payment instrument in online transactions
over the Internet, fraudsters also employ hi-tech technologies to obtain the information
needed to perform transactions, for instance phishing, cybersquatting or hacking.253

250 In the past, merchants had to call the issuer to request validation of this information, in particular when the
merchants came across a suspicious transaction. However, several years ago the major issuers stopped
taking online merchants’ phone calls regarding validation requests for suspicious transactions. For details, see
Litan A., Supra note 247, p. 1.
251 See section 3.2.5 for the detail elaboration on the previous legislation applied in the EU before the PSD.
252 See Id.

Of the three regulatory frameworks chosen, none adopts or keeps
up to date with the rapid developments in credit card fraud. They are apparently based
on ‘old-fashioned’ transaction methods. Since the amendment of the TILA was enacted in
1970, it is easy to understand why the US laws are framed this way. Although the Australian EFTCC
is relatively recent254 and takes the development of technology into account by
considering transactions using access methods, it has no specific provisions on liability
for losses resulting from fraudulent use of credit cards in those advanced ways. The last
regulatory framework, the PSD in the EU, is no different. The directive, which has not even
taken effect yet, is set in the environment of face-to-face transactions
and is limited to covering only losses resulting from ‘traditional’ frauds such as lost or
stolen cards. The only provision protecting cardholders from hi-tech frauds committed by
fraudsters in MOTO or online transactions was in the EFT Recommendation. Yet that provision
has been omitted in the current legislation.

4.2 Implementation of the Laws: Burden of Proof in Fact

Issues concerning the burden of proof will be addressed in a three-step analysis. First, we will
summarize whether each law in the three different legal frameworks mentions the obligation
of the burden of proof. Second, we will analyze the burden of proof in fact by elaborating
how the laws have been implemented. Finally, we will show that the cardholder is
placed in a weak position in this respect.

253 See section 2.2 for detail elaboration on credit card frauds.
254 It was first issued on 1 April 2001 and amended twice, on 18 March 2002 and 1 November 2008.

The three regulatory frameworks vary in defining who bears the burden of proving
whether a transaction is authorized. Although court decisions in the US have determined
that the burden of proof is on the issuer, the US statutes do not explicitly mention the burden
of proof.255 On the other hand, the EU laws and the Australian EFTCC have a specific provision
on the burden of proof, and they regulate this issue similarly. As in the court
decisions in the US, the laws provide that the burden of proving whether a transaction is
authorized is on the issuer. Furthermore, these two laws also prohibit the issuer from relying solely
on the successful use of the payment instrument as evidence. Evidence that is merely based
on the fact that the transaction has been successfully made and recorded by the issuer is not
necessarily sufficient to prove that the transaction has been authorized by the cardholder.256

As in the elaboration of the burden of proof for the EU regime,257 it is doubtful that
the implementation of the rule will be as smooth as its text. The difficulties borne by the
cardholder are rooted in the fact that the only proof held by the cardholder is a
transaction slip, while the issuer has full power and authority to control the transaction
systems. Thus, although the problems of the burden of proof have been known for many
years, they have not yet been solved and are not easy to solve.258 The Dutch Consumer Association’s
research and a case settled in the “Geschillencommissie Bankzaken” also support
this.259

As described previously in the evaluation of the EU laws, problems with the
burden of proof are complex and cannot be solved merely by shifting the burden of proof from
one party to another. It is a prerequisite that each regulatory framework provide detailed
regulations on the burden of proof to avoid obstacles in the implementation of the laws.

255 See section 3.1.
256 See article 59 of the PSD and Part A, Section 5, Sub section E, Paragraph 5.5(c) (the third sentence) of the
EFTCC.
257 See section 3.2.7, pointer 3.
258 See Schudelaro, A.A.P., Ir., Supra note 209, p. 106-107.
259 See section 3.2.7, pointer 3, supra note 208 and 209 for detail elaboration on these cases.

4.3 Third Party Liability

In this section, we will discuss liability allocations which are not regulated by any provisions in
statutes applied in the US, the EU, or Australia. These arrangements are agreed by some
parties involved in the credit card scheme and endorsed by the credit card private network
rules. Two important issues in these liability allocation agreements are the shifting of liability from
the issuer to the acquirer and the merchant’s liability.

Figure 9 Model of Liability Shifting among Parties Involved in Credit Card Mainstream260

4.3.1 Shifting Liability from Issuer to Acquirer

Every issuer in credit card payments is a profit-oriented financial institution. In most cases, the issuer is the one that must bear responsibility for the losses resulting from fraudulent use of credit cards. As a profit-oriented entity, the financial institution will seek to charge its responsibility for losses back to other parties. The issuer charges the costs back to the consumer in higher fees of credit card payment schemes such as annual fees, administrative costs, and surcharges.261 As long as it is not illegal, the issuer attempts to shift those costs to another party. This shifting is also often endorsed by the principal in the private network rules. Where advanced technology is used, for instance, the issuer attempts and is allowed to shift the losses to the acquirer. In this case, two conditions must be fulfilled: first, the credit card transactions must involve four parties: the issuer, the acquirer, the cardholder, and the merchant; and second, the acquirer involved in this scheme must be another financial institution, not the same party as the issuer.262

260 With some modifications, this model is based on Textbook and Reality Models of Use of Contracts to further Allocate Fraud Liability, presentation material of Douglass, Duncan, Payments Fraud: Perception vs. Reality, presented at the 2008 Payments Conference, Federal Reserve Bank of Chicago, 2008.

Liability shifting from the issuer to the acquirer occurs, for instance, when advanced technology is employed to secure the transaction processes. Since 2005, private network rules such as those of Visa and MasterCard have introduced liability shifting concerning the use of chip-based cards to replace magnetic stripe-based cards.263 Nowadays, chip-based cards are believed to be the most secure card system to use, since they contain advanced technology to protect the data stored inside, while the magnetic stripe is a medium vulnerable to fraud.264 Experience shows that the use of chip-based cards can purge fraud. Malaysia, for instance, has migrated from magnetic stripe-based credit cards to chip-based credit cards, and fraud in that country was reduced by 87 percent in the period of January to March 2005 compared to the year 2000.265

261 Although prohibited by the private network rules, a country such as Australia allows the issuer or merchant to add a surcharge to a credit card payment. See for instance Wardrop, Ann, Payments System reform in Australia: Central Bank Regulation of Credit and Debit Card Interchange Fees, Access Regimes and Card Association Rules, Journal of International Banking Law and Regulation, 2006.
262 See section 2.1 for elaboration on the parties involved in a credit card transaction.
263 For the schedule of the implementation of liability shifting in relation to the worldwide migration to European MasterCard Visa (EMV) --chip-based payment cards--, see Visa International Operating Regulations, available at https://partnernetwork.visa.com/vpn/global/retrieve_document.do?documentRetrievalId=32, last visited on 8 August 2009.
264 Chip-based cards have been claimed to be the most secure cards nowadays because they use cryptographic techniques with appropriate, well-trusted algorithms, appropriate security levels, and appropriate supporting infrastructures. For an insightful discussion of this issue, see Robshaw, M., Dr., The Security of Chip Cards, Information Security Group, Royal Holloway University of London, 2003, available at http://ec.europa.eu/internal_market/payments/docs/fraud/2003-conference/robshaw-9-03_en.pdf, last visited on 8 August 2009.

Liability shifting clauses introduced by Visa and MasterCard state that the liability for losses resulting from fraudulent use of credit cards will be shifted from the issuer to the acquirer if the issuer has employed chip-based technology for its credit cards, yet the acquirer has not upgraded its EDCs to perform transactions. Although it reduces fraud losses, migration from magnetic stripes to chip-based cards is costly and needs a huge investment, either for replacing the cards or for upgrading the technology of the EDC. Therefore, not every credit card issuer or acquirer is willing to migrate immediately, or they at least need enough time to do so. That is why the credit card principals issue these liability shifting provisions: to encourage migration as soon as possible in order to reduce fraud losses, and therefore to hold the party that has not migrated responsible for the losses.266

This liability shifting arrangement is agreed multilaterally between the parties in the credit card scheme and endorsed by private network rules. No regulatory framework in the US, the EU or Australia addresses this shifting of liability. Thus, any disputes that arise regarding liability for fraud losses will be settled using those agreements and the dispute resolution procedures in the private network rules.

265 See Joo, Lee Khee, The Migration to EMV Credit Cards – Some Value-Added Benefits, in IBBM 10th Treasure Hunt 2005, 11 December 2005, p. 7, available at http://www.ibbm.org.my/pdf/IBBM%20Jan-Feb06.pdf, last visited on 8 August 2009.
266 The credit card principals’ regulations are confidential and not published. They can be used among the credit card parties only. However, one can easily see the willingness of credit card principals such as Visa or MasterCard to migrate the credit card infrastructure from magnetic stripe-based to chip-based technology and therefore to implement liability shifting to enforce that migration program. See for instance https://partnernetwork.visa.com/vpn/global/retrieve_document.do?documentRetrievalId=32 for Visa’s worldwide schedule on the implementation of the liability shift and https://mol.mastercard.net/mol/molbe/public/login/ebusiness/smart_cards/one_smart_card/chip_migration_strategy/liability_shift.jsp for MasterCard’s schedule. These two websites were last visited on 10 August 2009.


4.3.2 Merchant’s Liability

Besides charging the cost back to the consumer or shifting the liability to the acquirer, in practice the issuer also attempts to shift the liability for fraud losses to the merchants. Once again, this arrangement is agreed by the issuer, acquirer and merchant, and it has been approved by the private network rules. There are two conditions under which the issuer can shift the liability to the merchants. First, liability shifting can be applied to all card-not-present transactions, a method of transaction for which liability is not regulated by the US, the EU or the Australian regulatory frameworks.267 In this case, online merchants will be held liable for losses resulting from fraud in online transactions.268 Second, it can be applied to face-to-face transactions, but only when certain conditions are met. These conditions are defined in the merchant’s agreement and endorsed in the private card network rules under the “charge back” clause. Under this clause, the issuer269 holds a right to charge the credit card payment back to the merchants if they breach the agreement or do not follow the private card network rules defined by the principal. The merchant’s obligations defined in the private card network rules relating to losses are, for instance, that the merchants must take reasonable steps to secure the credit card transactions on their premises and report suspicious transactions to the issuer. The merchants are also prohibited from committing any fraud related to transactions using their EDC, including performing fake transactions or swiping fake credit cards on that EDC. If the issuer or the principal finds that the merchants did not obey the rules or committed fraud, the issuer will charge the payment back to them and annul the transactions, with or without permission from the merchants.

267 Only the EFT Recommendation previously applied in the EU ruled on this issue. However, it has been omitted from the current regulation. See section 3.2.7 and section 4.1 for elaboration on this issue.
268 Litan A., Supra note 250, p. 1-2.
269 In the four-party credit card scheme, the party which holds the right to charge the merchant back is the acquirer.


4.4 Minimize the Fraud Losses, The Supposed Goal


The objective of the regulatory frameworks on liability should be to minimize fraud losses to the system as a whole. In fact, the laws, accompanied by the private network rules, fail to promote efficient fraud avoidance. The default liability set forth by the laws and the private network rules is, in shorthand: (1) the cardholder is only held liable for the losses if she has contributed to the fraud, or has acted with gross negligence in the case of the EU laws, or with extreme carelessness in the case of the Australian laws; (2) the issuer is typically responsible for losses in face-to-face transactions; and (3) merchants generally bear liability for losses in card-not-present transactions.270 Questions arise with regard to this default liability: whether these rules result in efficient outcomes, and whether the parties involved in the credit card scheme are vested with sufficient incentives to take reasonable steps to minimize fraud losses from the point of view of the credit card payment system as a whole.271

Empirical evaluation suggests that recent public laws and private network rules fail to provide appropriate incentives for the parties involved in a credit card scheme: the cardholder, the issuer and the merchant.272 The reasons for the failure to encourage the parties to avoid fraud are the associated costs, the effort involved and the limited benefits for each party. The cardholder is often careless in keeping the card and its PIN safe and sometimes fails to protect her personal information. These behaviors undoubtedly contribute to fraud. A study conducted in 2006 by Strategic Counsel in Canada, for instance, showed that 60% of people in Canada did not shield their PIN entry at the ATM or EDC if they believed that no one was watching them, and 37% did the same even though they believed that someone could see them entering the PIN.273 The issuer, on the other hand, is discouraged from putting effort into preventing fraud losses in card-not-present transactions for the following reasons. First, the liability allocation laws rule in the issuer’s favor and hold the merchant liable for any losses in this method of transaction. Furthermore, preventing fraud in card-not-present transactions involves too much effort and resource allocation, in particular in helping online retailers to secure their online systems,274 yet it provides fewer benefits for the issuer. Although some issuers are marked as being consistently helpful to online merchants in fighting fraud,275 the rest do not seem motivated to do so.

270 None of the regulatory frameworks states these provisions. They are only stated in the merchant agreement, which is agreed by the acquirer and the merchant and endorsed by the principal in the private card network rules.
271 See Douglass, Duncan B., Supra note 249, p. 46.
272 See Douglass, Duncan B., Id, p. 47.
273 Glenbrook Partners LLC, Survey shows Canadians not shielding their debit card PIN Regularly, Payments News, 19 October 2006, available at http://www.paymsentsnews.com/2006/10/survey_shows_ca.html, last visited on 20 July 2009. See also Douglass, Duncan B., Id.

The merchants’ problem in preventing fraud is no less precarious. They have the least interest in preventing fraud in card-present or face-to-face transactions. First, they find it difficult to prevent fraud in this kind of transaction, since the only things they can do are scrutinize the validity of the card presented by the card bearer and match the signature on the transaction slip with the signature on the back of the credit card. In most cases of credit card fraud, e.g. skimming, the fraudster steals the credit card information from a legitimate credit card and stores the information on a blank card.276 He will then emboss the blank card with his own identity and put his own signature on it. How can the merchant recognize that the card bearer in this case is a fraudster if the card is valid and the transaction is successfully made? In a big retailer such as a franchised supermarket or department store, the situation is even worse, since the transactions must be done quickly and the only person validating the card is a cashier or a teller with little knowledge of the payment instrument. Second, the merchants earn almost no benefit from preventing fraud losses in face-to-face transactions. In this method of transaction, all the fraud losses will be borne by the issuer. Thus, there is no incentive for the merchants to put that much effort into preventing fraud without any real benefit for them.

274 Litan, A., Supra note 268.
275 For instance Bank of America, Citibank, American Express, Diners Club, Navy Federal and Pentagon Federal. See Id.
276 See section 2.2 for a better understanding of how fraudsters perform their frauds.


In brief, we can conclude that the recent public laws and private card network rules have failed to provide appropriate incentives for the parties involved in a credit card scheme: (1) the cardholder to be more careful and responsible in keeping the card and PIN safe, (2) the issuer to put more effort into helping online retailers fight fraud in card-not-present transactions, and (3) the merchants to prevent fraud in face-to-face transactions. The laws on liability are supposed to put more focus on these issues, to minimize fraud losses to the credit card system as a whole.

Chapter 5
Concluding Remarks

This chapter comprises conclusions and recommendations. The conclusions answer the first two research questions [1. How do different legal jurisdictions rule on the liability for unauthorized transaction in case of carding? and 2. Do the laws on liability in case of carding in those different countries regulate the position of consumer in an adequate manner?], while the recommendations answer the third research question [3. How to improve such rules?].

5.1 Conclusions

Of the three regulatory frameworks, the US laws present the most comprehensive legislation in determining liability for losses resulting from the fraudulent use of credit cards, especially in cases of carding. They not only have the TILA, which specifically rules on the liability allocation for losses resulting from the fraudulent use of credit cards, but are also accompanied by supporting legislation such as the CCFA, the FCRA, the FCBA, the FACTA, and the Identity Theft Acts, which are important in defining the scope of authorized and unauthorized transactions, ruling on fraud including carding and identity theft, and regulating how the victims of fraud seek remedies for their loss. On the other hand, laws on the liability for losses resulting from the fraudulent use of credit cards in the EU and Australia are less comprehensive than those in the US. The EU laws do not put the liability allocation for losses resulting from the fraudulent use of credit cards in a specific regulation on credit cards but embed it in a payment system directive that also applies to other types of funds transfer activities such as debit cards, credit transfers or debit transfers, while the Australian laws provide a short yet detailed provision on the liability for losses resulting from the unauthorized use of credit cards. The Australian EFTCC has included provisions on the detailed obligations of the credit card parties to secure the card and the PIN, and attempts to hold liable the party which ignores those obligations. These detailed provisions cannot be found implicitly in the US or in the EU statutes, although they can be found in court decisions in the US and the EU.

With regard to the liability allocation provisions for losses resulting from the fraudulent use of credit cards, each regulatory framework has its own characteristics and similarities. The US laws provide for very limited liability for cardholders. Under this framework, the cardholder has no liability for any transaction occurring after she has notified the issuer of the loss, theft, or fraudulent use of the credit card. For transactions occurring prior to the notification, the cardholder’s liability is limited to a maximum of USD 50. On the other hand, the EU laws have been one step ahead in fairly distributing the losses. They have anticipated the loophole found in the US regulatory framework by inserting specific provisions to hold liable consumers who have acted with gross negligence. The EU laws protect sound and salient cardholders by not holding them liable for any losses resulting from unauthorized transactions taking place after the notification and by limiting their liability to a maximum of EUR 150 for losses resulting from unauthorized transactions before the notification. However, once cardholders act with gross negligence, they will be liable for all losses, not only those which occurred before and after notification but also without the EUR 150 limitation. The last regulatory framework, the Australian EFTCC, does not differ much from the US or the EU laws. It provides that the cardholder is not liable for losses occurring after she has notified the issuer that her credit card has been misused, lost, or stolen, or that the security of the codes forming part of the access method has been breached. However, the Australian laws have considered the rapid development of technology by providing specific regulations for access methods such as the PIN, which also set circumstances for the liability. For PIN-based transactions, the cardholder has limited liability up to a maximum of AUD150, the pre-arranged credit, or the actual losses at the time of notification.

However, each regulatory framework has its own pitfalls. The US laws overlooked setting a time limit for the notification, and therefore they give almost the same level of protection to sound, salient cardholders and to those who have acted negligently, delaying or, at worst, not notifying the issuer of any fraud. The losses caused by these negligent cardholders will then be absorbed by the issuer, which, in the end, will seek to shift the cost back to all credit card consumers through higher charges. On distributive grounds, this rule is inequitable for other subclasses of consumers such as the elderly and the poor, and from a utilitarian point of view, this regulation is not desirable since it emphasizes merely the interest of a few people by immunizing negligence and ignoring the interest of society as a whole. On the other hand, the EU laws have four main drawbacks. The first drawback is that they do not define what gross negligence means and what behavior constitutes gross negligence. The laws leave it to the judge to determine whether a certain cardholder behavior constitutes gross negligence. This obscurity will create severe problems and diversity in the implementation of the laws. This can also lead to the second drawback: the application of a presumption of gross negligence in the member states. This presumption is inequitable for the consumer since it concludes that a cardholder has acted negligently merely from the fact that her credit card was successfully used by a third person. The third pitfall of the EU laws concerns the burden of proof in practice. The PSD states that the burden of proof, whether a transaction is authorized or whether gross negligence is present, is on the issuer. However, the implementation of the laws says otherwise. Finally, the last drawback of the EU laws is that they have omitted the provisions disclaiming the cardholder’s responsibility for card-not-present transactions that were stated in the earlier legislation. The card-not-present transaction is a payment method that is not only less secure but also vulnerable to fraud. Purging consumer protection provisions for this less secure method will put the cardholder in a fragile position with respect to fraud, reducing transaction speed as well as consumer convenience. The objection to the Australian laws concerns the limitation of the cardholders’ liability. That limitation has been set forth merely for PIN-based transactions and comprises not only a maximum amount of AUD150 but also pre-arranged credit and actual losses. Those provisions give rise to two objections from the consumer’s point of view. First, the PIN-based limitations are useless since credit card payments are signature-based for point-of-sale transactions and require a PIN only for cash withdrawal transactions at ATMs. Second, the scope of the limitations has been set too wide, including not only a maximum amount of AUD150 but also pre-arranged credit and actual losses. It is obvious that in the end the cardholders will be liable for all losses.

Relating to the adequacy of the regulatory frameworks on liability allocation, it seems that each regulatory framework has tried to set forth optimal liability provisions from the perspective of the consumer. However, it is apparent that some efforts have failed to cope with some issues. First, the existing laws have difficulty dealing with the rapid development of payment methods and fraud, in particular since the use of telephone, mail, and the Internet to conduct transactions at a distance. The second problem concerns the burden of proof when a dispute arises between the issuer and the cardholder. It seems that whatever the conditions, the cardholder will always face difficulties in defending herself, since the only evidence she has is a transaction slip. In the EU, this condition has also led to the implementation of a presumption of gross negligence. Third, the shortcomings of the existing laws have led the private network rules to shift the liability to another party or to a third party. In certain conditions, they have arranged a new liability allocation by shifting the liability from the issuer to the acquirer and from the acquirer to the merchant. Finally, the main objective of the laws is supposed to be to “minimize the fraud losses”, and the existing laws have failed to promote efficient fraud avoidance.

5.2 Recommendations
The fact that the parties involved in the credit card scheme have set forth a new arrangement for shifting liability shows that the liability allocations defined in the three regulatory frameworks are not adequate. To achieve a more comprehensive rule on the liability allocations for losses resulting from the fraudulent use of credit cards, it would be desirable for each regulatory framework to consider those that have been defined and used by the market and therefore adopt them into the formal regulations. This will strengthen the position of each party and make the provisions more enforceable.


Furthermore, the regulatory frameworks should learn from one another. The US regulatory framework, for instance, should purge the provisions that immunize negligent cardholders, just as the EU and Australian laws consider gross negligence. The last two regulatory frameworks should do likewise. The EU laws, for instance, should avoid obscurity in their provisions by defining the scope of gross negligence and by determining what behaviors constitute gross negligence, while the Australian laws should set forth stricter and narrower provisions in limiting the liability of the cardholders.

Finally, the laws on the liability allocations are supposed to put more focus on the issue of minimizing fraud losses to the credit card system as a whole by providing appropriate incentives for the parties involved in the credit card scheme.


Attachments
Attachment 1 Notification from Rabobank’s management concerning blocking of author’s card
that has been skimmed


Attachment 2 A copy of skimmed card


Attachment 3 Correspondence between the author and Rabobank’s management concerning
request to have a short discussion on skimmed card and its rejection


Attachment 4 Top ten countries in the world where the victims of identity theft live

Data of 1 January-31 December 2008

(Source: Internet Crime Complaint Center's as in Internet Fraud, Scam and Crime Statistics-
2009, available at http://www.consumerfraudreporting.org/internet_scam_statistics.htm, last
visited on 12 July 2009).


Attachment 5 Two Examples of Phishing

Source: http://surfthenetsafely.com/phishing.htm, last visited on 5 August 2009.


Bibliography
Legislations

1. Australia:
- Australian Electronic Funds Transfer Code of Conduct (EFTCC).

2. EU:
- Directive 2007/64/EC of 13 November 2007 on Payment Services in the Internal
Market (PSD); and
- European Commission Recommendation of 30 July 1997 Concerning Transactions by
Electronic Payment Instruments and in Particular the Relationship between Issuer and
Holder (97/489/EC).

3. The US:
- The 1970 Amendment of Truth in Lending Act (TILA);
- Credit Card Frauds Act (CCFA);
- Fair and Accurate Credit Transactions Act (FACTA);
- Fair Credit Billing Act (FCBA);
- Fair Credit Report Act (FCRA);
- Identity Theft Assumption and Deterrence Act; and
- Identity Theft Penalty Enhancement Act.

Cases in Payment Frauds and Liability:

4. The US
- American Airlines v. Remis Industries, 494 F.2d 196, 201 (2d Cir. 1974);
- American National Bank v. Rathburn, 264 S.2d 360 (La. App. 1972);
- Andrews v. TRW;
- Beard v. Goodyear Tire & Rubber Co., 587 A.2d 195 (D.C. App. 1991);
- Cities Services v. Pailet, 452 So.2d 319 (La. App. 4th Cir. 1991);
- First National Bank Mobile v. Roddenberry, 701 F.2d 927 (11th Cir. 1983);
- First National City Bank v. Mullarkey, 385 N.Y.S. 2d 473, 87 Misc.2d 1 (N.Y. Cir. Ct.
1976);
- Fifth Third Bank/Visa v. Gilbert, 478 N.E.2d 1324 (Ohio App. 1984);
- Gulf. Ref. Co v. Williams Roofing Co., 208 Ark. 362, 186 S.W.2d 790 (1945);
- Gulf Ref. Co. v. Plotnick, 24 Pa. D. & C. 147 (1935);
- Humble Oil & Ref. Co v. Waters, 159 So.2d 408 (1963);
- Michigan National Bank v. Olsen, 723 P.2d 438 (Wash. App. 1986);
- Sears, Roebuck & Co. v. Duke, 441.S.W.2d 521 (1969);
- TransAmerica Insurance Co. v. Standard Oil Co., 325 N.W.2d 210 (N.D. 1982);
- Uni Serv Corp. v. Vitiello;
- Union Oil Co. v. Lull;
- US v. Jacobowitz;
- Wanamaker v. Megary, 24 Pa.D. 778 (1915); and
- Walker Bank & Trust Co. v. Jones.

5. The EU
- AG Kassel 16 November 1993, W.M. 1994, 2110;
- Brussels 27 May 2002, NjW 2003, 311, T.B.H. 2004, 158;
- Brussels 4 October 2005, Bank Fin.R. 2006, 148;
- GCB 24 September 1994, T.V.C. 1995, 183;
- LG Halle 27 October 2000, W.M. 2001, 1298;
- Lyon 26 June 1996, R.D. bancaire et bourse 1997, 164; and
- Vred. Brussels 7 July 2006, Bank Fin.R. 2007, 134.


Books, Journals and Websites

6. AlMahroos, Rasha, Phishing for the Answer: Recent Developments in Combating Phishing,
I/S: A Journal of Law and Policy for the Information Society, Winter 2007-2008.

7. Amir-Mokri, Cyrus, Credit Card and Payment Card Developments, Corporate Law and
Practice Course Handbook Series, 13th Annual Consumer Financial Services Litigation
Institute, Practising Law Institute, 2008.

8. Are you a target for identity theft?, Consumer Reports; Sep 1997; 62, 9; ABI/INFORM
Global, pg. 10.

9. Association for Payment Clearing Services, A Vulnerability and Threat Assessment of
Authentication Mechanisms for Internet Based Financial Services: 2006 Review, London,
2006.

10. Balboni, Paulo, Trustmarks: Third-party Liability of Trustmarks Organisations in Europe,
Tilburg, 2008.

11. Bank Confirms Credit Card Fraud from Bottle Domains Hack, available at
http://www.ecommercereport.com.au/story83.php, last visited on 17 July 2009.

12. Bar-Gill, Seduction by Plastic, Northwestern University School of Law, Northwestern,
2004.

13. Bennett, Adam, Cops Bust $6m Fake Credit Card Ring, Australian IT News, 2 July 2009,
available at http://www.australianit.news.com.au/story/0,,25722491-5013044,00.html,
last visited on 17 July 2009.


14. Bielski, Lauren, Eight Tech innovations that took banking into the 21st Century, American
Bankers Association, ABA Banking Journal, Nov 2008, 100, 11; ABI/INFORM Global, pg.
86.

15. Calligeros, Marissa, Bank Delays Exposing Aussies to Credit Card Fraud, 7 July 2009,
available at http://www.brisbanetimes.com.au/queensland/bank-delays-exposing-aussies-to-credit-card-fraud-20090707-dbah.html, last visited on 17 July 2009.

16. Campbell, Andrew, Credit Cards and Section 75: Time for a Change in the Law, Journal of
International Banking Law, 1996.

17. Chaikin, David, Network Investigations of Cyber Attacks: The Limits of Digital Evidence,
Crime Law Soc Change (2006) 46:239-256, 15 March 2007.

18. Cheney, Julia S., Identity Theft: Do Definitions Still Matter?, Discussion Paper, Payment
Card Center, Federal Reserve Bank of Philadelphia, August 2005.

19. Choo, Kim-Kwan Raymond, Smith G., and McCusker, Future Directions in Technology-
Enabled Crime: 2007-2009, Research and Public Policy Series, No. 78, Australia Institute
of Criminology, p. 35.

20. Clark, Ken, In the War on Fraud, Chain Store Age, Nov 2000; 76, 11; ABI/INFORM Global,
pg. 116.

21. Clark, Stephen C., Walker Bank & Trust Co. v. Jones: New Meaning for the Phrase “Don’t
Leave Home without It”, Utah Law Review, 1984.


22. Cradduck, Lucy and Mccullagh, Adrian, Identifying the Identity Thief: Is it time for a
(smart) Australia Card?, International Journal of Law and Information Technology Vol. 16
No. 2 © Oxford University Press 2007, Published on 28 September 2007.

23. Credit Cards: Distributing Fraud Loss, Notes and Comments, Yale Law Journal, June 1968.

24. Douglass, Duncan, Payment Frauds: Perception vs. Reality, Presentation Material
Presented in 2008 Payments Conference, Federal Reserve Bank of Chicago, 2008.

25. Douglass, Duncan B., An Examination of the Fraud Liability Shift in Consumer Card-based
Payment Systems, Federal Reserve Bank of Chicago, available at
http://www.chicagofed.org/publications/economicperspectives/ep_1qtr2009_part7_douglass.pdf, last visited on 3 August 2009.

26. Drury, Tony, and Ferrier W. Charles, Credit Cards, Butterworths, London, 1984.

27. Drug Enforcement Administration, Federal Bureau of Investigation and Royal Canadian
Mounted Police, 2006 Canada/US Organized Crime Threat Assessment, 2006, available at
http://www.psepc.gc.ca/prg/le/_fl/2006_Canada-US_OC-TA_en.pdf, last visited on 3
August 2009.

28. Ellinger, E.P., Lomnicka, E., and Hooley, R.J.A., Ellinger’s Modern Banking Law, Fourth
Edition, Oxford University Press, New York, 2006.

29. Europol, Organized Crime Threat Assessment 2006, available at
http://www.europol.europa.eu/publications/OCTA/OCTA2006.pdf, last visited on 3
August 2009.

95 | P a g e
Master Thesis in Law and Technology

30. Evans, David S., and Schmalensee, Richard, Paying with Plastic: the Digital Revolution in
Buying and Borrowing, Second Edition, the MIT Press, Cambridge, Massachusetts, 2005.

31. Explanation of Federal Reserve Board of the US


(http://federalreserve.gov/pubs/consumerhdbk/electronic.htm), last visited on 3 August
2009.

32. Federal Trade Commission, Consumer Fraud and Identity Theft Complaint Data: January–
December 2007, Report, Washington, DC, February 2008, available at
http://ftc.gov/opa/2008/02/fraud.pdf, last visited on 3 August 2009.

33. Financial Action Task Force, Report on New Payment Methods, 2006, available at
http://www.fatf-gafi.org/dataoecd/30/47/37627240.pdf, last visited on 3 August 2009.

34. Five Alleged Credit Card Fraudsters Face Court, available at


http://www.australianit.news.com.au/story/0,,25722967-5013044,00.html, last visited
on 17 July 2009.

35. Foltz, Joan E., Global Crime Case: Cybercrime and Counterfeiting, The Futurist,
November-December 2008, available at www.wfs.org, last visited on 3 August 2009.

36. Fonté, Erin, Who should pay the price for identity theft?, Federal Lawyer, September
2007.

37. Franklin, Robert T., "But I didn't do it!": Expanding Theories of Vicarious Liability, FDCC
Quarterly, 58, 4, ABI/INFORM Global, Summer 2008, pg. 435.

96 | P a g e
Master Thesis in Law and Technology

38. Gainer, Randy, Allocating The Risk of Loss for Bank Card Fraud on the Internet, John
Marshall Journal of Computer and Information Law, Fall 1996.

39. Garner, Bryan A., Black’s Law Dictionary, 7th ed., Eagan, MN: West Publishing Company,
1999.

40. Geva, Benjamin, Bank Collections and Payment Transactions, Oxford University Press,
New York, 2001.

41. Gillette, Clayton P., Rules, Standard, and Precautions in Payment Systems, Virginia Law
Review, March, 1996.

42. Gillette, Clayton P., and Walt, Steven D., Uniformity and Diversity in Payment Systems,
Chicago-Kent Law Review, 2008.

43. Glenbrook Partners LLC, Survey Shows Canadians Not Shielding Their Debit Card PIN
Regularly, Payments News, 19 October 2006, available at
http://www.paymsentsnews.com/2006/10/survey_shows_ca.html, last visited on 20 July
2009.

44. Goldstein, Adam, Why “It Pays” to “Leave Home without It”: Examining the Legal
Culpability of Credit Card Issuer under Tort Principles of Product Liability, University of
Illinois Law Review, 2006.

45. Griffiths, Ivor, and Griffiths, Margaret, Joint Liability under the Consumer Credit Act 1974,
International Banking and Financial Law, 1995.

97 | P a g e
Master Thesis in Law and Technology

46. Hisey, Pete, At War over Merchant Risk, Credit Card Management; Jul 2000; 13, 4;
ABI/INFORM Global, pg. 59.

47. Hoffman, Michael J R, McKenzie, Karen S., and Paris, Susan, Paper or Plastic?, The CPA
Journal, Sep 2008, 78, 9, ABI/INFORM Global, pg. 16.

48. Hostetter, Major, Credit Card Liability: But I Told Him (Her) Not to Charge That Much!,
Army Lawyer, October, 1991.

49. Iossa, Elisabetta and Palumboy, Giuliana, Product Quality, Lender Liability, and Consumer
Credit, Oxford Economic Papers 56 (2004), 331–343 331, Oxford University Press 2004.

50. Jasper, Margaret C., Credit Cards and the Law, American Bankruptcy Institute Journal;
Dec 2008/Jan 2009; 27, 10; ABI/INFORM Global, pg. 40.

51. Jeffrey, Nancy Ann, Your Money Matters: Rules for Credit-Card Misuse Questioned, Wall
Street Journal (Eastern edition), New York, Feb 14, 1996, pg. C1.

52. Joo, Lee Khee, The Migration to EMV Credit Cards –Some Value-Added Benefits, in IBBM
10th Treasure Hunt 2005, 11 December 2005, p. 7, available at
http://www.ibbm.org.my/pdf/IBBM%20Jan-Feb06.pdf, last visited on 8 August 2009.

53. Jones, A. Sally, The Law Relating to Credit Cards, BSP Professional Books, London, 1989.

54. Katyal, Neal Kumar, Criminal Law in Cyberspace, University of Pennsylvania Law Review,
Vol. 149: 1003, 2000-20001, p. 1101: Credit Card Company.

98 | P a g e
Master Thesis in Law and Technology

55. Kruk, Theresa L., J.D., What Constitutes Violation of 18 U.S.C.A. § 1029, Prohibiting Fraud
or Related Activity in Connection with Credit Card or other Credit Access Device, American
Law Reports ALR Federal, The ALR databases are made current by the weekly addition of
relevant new cases, Thomson Reuters/West, 2009.

56. Larsen, Sonja, J.D., Unauthorized or Counterfeit Use of Credit Cards and Cellular
Telephones, Corpus Juris Secundum, Database updated June 2008.

57. Lee, Margaret Mikyung, Fair Credit Reporting Act: Rights and Responsibilities, CRS Report
for Congress, Congressional Research Service, The Library of Congress, 4 May 2007.

58. Lenard, Thomas M. and Paul, Rubin H., An Economic Analysis of Notification
Requirements for Data Security Breaches, Progress on Point, Periodic Commentaries on
the Policy Debate Release 12.12 July 2005.

59. Lieber, Ron, When Visa Thinks You're a Thief --- Bid to Cut Credit-Card Fraud Snares
Legitimate Shoppers, racking the `Insult Rate', Wall Street Journal (Eastern edition), New
York, Apr 24, 2003. pg. D.1.

60. Litan A., Credit Card Companies Provide Little Relief for Online Fraud, Research Note,
Gartner, 31 December 2002.

61. Littwin, Angela, Beyond Usury: A Study of Credit Card Use and Preference among Low-
Income Consumers, Texas Law Review, February 2008.

62. Mann, Ronald J., Charging Ahead: The Growth and Regulation of Payment Card Markets,
Cambridge University Press, New York, 2006.

99 | P a g e
Master Thesis in Law and Technology

63. Mannn, Ronald J., Credit Cards and Debit Cards in the United States and Japan,
Vanderbilt Law Review, Volume 55, No. 4, May 2002.

64. Mannix, Margaret , High-tech Card Fraud Goes on Right behind Your Back, U.S. News &
World Report. Washington: Feb 14, 2000. Vol. 128, Iss. 6.

65. Mansfield, Phylis M, and Pinto, Mary Beth, Consumer Vulnerability and Credit Card
Knowledge Among Developmentally Disable Consumers, The Journal of Consumer Affairs;
Fall 2008; 42, 3; ABI/INFORM Global, pg. 425.

66. Masters, Adrian and Rodrı´guez-Reyesy, Luis Rau, Endogenous credit-card acceptance in
a model of precautionary demand for money, Oxford Economic Papers 57, Oxford
University Press, 2004.

67. Mativat, Francois and Tremblay, Pierre, Counterfeiting Credit Cards: Displacement
Effects, Suitable Offenders and Crime Wave Pattern, The British Journal of Criminology,
Vol. 37, No. 2, 1997.

68. Matthews, Mary Elizabeth, Credit Cards—Authorized and Unauthorized Use, Annual
Review of Banking Law, 1994.

69. Mavromati, Despina, The Law of Payment Services in the EU, the EC Directive on
Payment Services in the Internal Market, Kluwer Law International, The Netherlands,
2008.

70. McAfee, McAfee Virtual Criminology Report: North American Study into Organized Crime
and the Internet, 2005, available at

100 | P a g e
Master Thesis in Law and Technology

http://www.mcafee.com/us/local_content/misc/mcafee_na_virtual_criminology_report.
pdf, last visited on 3 August 2009.

71. McDonald, Barbara, The impact of the Civil Liability legislation on fundamental policies
and principles of the common law of negligence, Legal Studies Research Paper No. 07/01,
Sydney Law School, January 2007.

72. Menninger, Karl A., II, J.D., Identity Theft and Other Misuses of Credit and Debit Cards,
American Jurisprudence Proof of Facts 3d, Database updated December 2008, Thomson
Reuters/West, 2009.

73. Mitchell, Jeremy, Electronic Banking and the Consumer-the European Dimension, PSI
Publication, London, 1988.

74. Mroz, Daniel M., Credit or Debit? Unauthorized Use and Consumer Liability under Federal
Consumer Protection Legislation, Comment, Northern Illinois University Law Review,
Winter, 1999.

75. Nathan, Bruce S, Courts Remain Split over Whether a Debtor's Credit Card Payment Is an
Avoidable, American Bankruptcy Institute Journal; Oct 2008; 27, 8; ABI/INFORM Global,
pg. 22.

76. Nycum, Susan, Liability for Malfunction of a Computer Program, 7 Rutgers J. Computers
Tech. & Law 1 (1979).

77. Parisi, Francesco, Liability for Pure Financial Loss: Revisiting the Economic Foundations of
a Legal Doctrine, George Mason university School of Law, Published in Liability for Pure

101 | P a g e
Master Thesis in Law and Technology

Economic Loss in Europe: Frontiers of Tort Law, M. Busani and V. Palmer, eds., Cambridge
University Press, 2003.

78. Parker, Lori J., Esq, Cause of Action for Identity Theft, Causes of Action Second Series,
Database updated November 2008.

79. Payments Fraud in Australia, Media Release, Australian Payments Clearing Association
Limited, 15 December 2008.

80. Peretti, Kimberly Kiefer, Data Breaches: What The Underground World of “Carding”
Reveals, Santa Clara Computer and High - Technology Law Journal; Jan 2009; 25, 2;
ABI/INFORM Global, pg. 375.

81. Porter, Katherine, The Debt Dilemma, Michigan Law Review, 2008.

82. Prevention Guidelines for Card-not-present Retailers, Association for Payment Clearing
Services, London, 2002, available at
http://www.netpayments.co.uk/downloads/cnp_booklet.pdf, last visited on 8 August
2009.

83. Prins, J.E.J, Consumers, Liability, and the Online World , Information & Communications
Technology Law, Volume 12, Number 2, June 2003 , pp. 143-164(22), Publisher:
Routledge, part of the Taylor & Francis Group.

84. Punch, Linda, The New Fraudsters, Credit Card Management, Nov 2004, Global, pg. 20.

85. Ritzer, George, Explorations in the Sociology of Consumption: Fast Food, Credit Cards and
Casino, Sage Publication, London, 2001.

102 | P a g e
Master Thesis in Law and Technology

86. Robshaw, M., Dr., The Security of Chip Cards, Information Security Group, Royal Holloway
University of London, 2003, available at
http://ec.europa.eu/internal_market/payments/docs/fraud/2003-conference/robshaw-
9-03_en.pdf, last visited on 8 August 2009.

87. Ross, S.J., Crime in the Cards, Canadian Banker, Toronto: Nov/Dec 1998. Vol. 105, Iss. 6.

88. Schudelaro, A.A.P., Ir., Electronic Payments and Consumer Protection: Should
Recommendation 97/489/EC be Replaced with a Directive?, Computer Law and Security
Report, Vol. 17 No. 2, 2001.

89. Schudelaro, Ton, Electronic Payment Systems and Money Laundering, Risks and
Countermeasures in the Post-Internet Hype Era, Wolf Legal Publisher, the Netherlands,
2003.

90. Sharma, Dhruv, and Thakur Divyang, Data Theft: An Emerging Crime in the Information
Technology & Intellectual Property Regime (with Special References to Credit Card
Frauds), p. 5-7, available at http://ssrn.com/abstract=1103286, last visited on 25
February 2009.

91. Shulman, Jeffrey, The Outrageous God: Emotional Distress, Tort Liability, and the Limits
of Religious Advocacy, 113 Penn State Law Review 381 (2008), Faculty Working Papers,
Georgetown Law, December 2008.

92. Simkin, Mark G., Five Data Validation Cases, Journal of Information Systems Education,
Vol. 19(3), 271, p 271-276.

103 | P a g e
Master Thesis in Law and Technology

93. Smith, Marcia S., Identity Theft: The Internet Connection, CRS Report for Congress,
Updated September 15, 2003, available at
http://italy.usembassy.gov/pdf/other/RS22082.pdf.

94. Smith, Michael E., Fraud Prevention Takes Visa -- Payment-System Provider Embraces
Standards to Protect Personal Information, Manhasset, May 2007. Vol. 6, Iss. 5, pg. 37.

95. Stanton-Ife, John, Strict Liability: Stigma and Regrety, Journal of Legal Studies, Vol. 27,
No. 1 (2007), pp. 151–173.

96. Steennot, Reinhard, Allocation of Liability in Case of Fraudulent Use of an Electronic


Payment Instrument: The New Directive on Payment Services in the Internal Market,
Computer Law and Security Report 24, 2008.

97. Steennot, Reinhard, Consumer Protection Relating to Contracts Concluded Online,


Journal of Texas Consumer Law, available at
http://www.jtexconsumerlaw.com/V9N1pdf/V9N1european.pdf, last visited on 3 August
2009.

98. Szwak, David A., Esquire, Credit Cards in America, Vermont Bar Journal & Law Digest,
October, 1995.

99. Tremblay, Pierre, The Short Life Expectancy and the Workings of a Recent Wave of Credit
Card Bank Frauds, The British Journal of Criminology, Vol. 26 No. 3, July 1986.

100. Turabian, Kate L., A Manual for Writers of Research Papers, Theses, and Dissertations:
Chicago Style for Students and Researchers, 7th Edition, The University of Chicago Press,
Chicago and London, 2007.

104 | P a g e
Master Thesis in Law and Technology

101. Tyree, Alan L., The Australian Payment System, Banking and Finance Law Review,
October 2001.

102. Valentine, Lisa, The "Fraudsters' Playground", American Bankers Association, ABA
Banking Journal; Aug 2003; 95, 8; ABI/INFORM Global, pg. 39.

103. Visa’s explanation on Card-not-present transactions available at


http://usa.visa.com/merchants/risk_management/card_not_present.html, last visited
on 8 August 2009.

104. Wall, David S., Cybercrime, Polity Press, Cambridge, UK, 2007.

105. Wardrop, Ann, Payments System reform in Australia: Central Bank Regulation of Credit
and Debit Card Interchange Fees, Access Regimes and Card Association Rules, Journal of
International Banking Law and Regulation, 2006.

106. Watkins, John P., Book Reviews, Charging Ahead: The Growth and Regulation of Payment
Card Markets by Ronald J. Mann, Cambridge; New York, 2006, Journal of Economic
Issues, December 2007

107. Welborn, Angie A., and Chu, Grace, Implementation of the Fair and The Accurate Credit
Transaction (FACT) Act of 2003, CRS Report for Congress, Congressional Research
Service, The Library of Congress, 3 February 2005.

108. Welborn, Angie A., Identity Theft: The Internet Connection, CRS Report for Congress, CRS
Report for Congress, Congressional Research Service, The Library of Congress, 16 March
2005.

105 | P a g e
Master Thesis in Law and Technology

109. Welborn, Angie A., Identity Theft and the Fair Credit Reporting Act: An Analysis of TRW v.
Andrews and Current Legislation, CRS Report for Congress, Congressional Research
Service, The Library of Congress, 12 September 2003.

110. Welborn, Angie A., Remedies Available to Victims of Identity Theft, CRS Report for
Congress, CRS Report for Congress, Congressional Research Service, The Library of
Congress, 19 April 2005.

111. What Went Wrong? What Went Right? Case Studies in Corporate Responses and Security
Breaches, Eighth Annual Institute on Privacy and Security Law: Pathways to Compliance
in a Global Regulatory Maze, Practicing Law Institute, Patents, Copyrights, Trademarks,
and Literary Property Course Handbook Series, June-July 2007.

112. 12 CFR 205.6 - Liability of consumer for unauthorized transfers, Code of Federal
Regulations - Title 12: Banks and Banking, December 2005.

106 | P a g e

You might also like