Introduction

Card payments are, after cash, the most significant payment instrument for retail purchases and services.

A card payment scheme consists of functions, procedures, agreements, rules and devices that the holder of a payment card can use to make payment transactions and/or to withdraw cash from third-parties, i.e. agents other than the card-issuing institution itself. Card payments encompass both physical payment transactions made at the point of sale as well as remote payments effected via the internet or by telephone, for example.

As with all other payment instruments, card payment schemes are generally exposed to risks and these risks have to be monitored and mitigated in order to maintain confidence in this method of payment. Such risks are primarily operational in nature, but there are also problems of liquidity and credit risks as well as governance and legal risks – the significance of which can vary depending on the individual card payment scheme or card payment method concerned. Furthermore, card payment schemes are particularly vulnerable to reputational risk, which have the potential of having strong adverse effects on the security and efficiency of the system as a whole. Although the materialisation of even the more significant risks in a card payment scheme is unlikely to result in major disruptions on the financial markets – unlike in the event of unavailability of a systemically important payment system – it could nonetheless lead to major disruptions in payments processing, at least temporarily, with repercussions for the real economy and for consumers due to the lack of readily available and comparable functional alternatives.

Entities subject to Oversight

Oversight generally focuses on an individual card payment scheme, insofar as the scheme is of particular significance to the Eurosystem or at national level. 

The decision as to whether a card payment scheme should be subject to oversight occurs irrespectively of whether the cards are issued by the scheme operator itself or by credit institutions or other payment service providers on its behalf. In some countries, such as Germany, national card schemes exist, usually governed by credit institutions in the respective country. International schemes in contrast work in a multitude of countries and often comprise several brands of cards, which vary from both a technical viewpoint and in terms of their business conditions. The point in time at which the consumer's account is debited is decisive when distinguishing between debit cards (where the balance is debited immediately) and credit cards (where the balance is debited in instalments in accordance with the terms of the individual card contract or at regular intervals in the case of charge cards).

At present, the following card payment schemes operating in Germany are subject to oversight.

girocard

girocard is the umbrella brand of the German banking industry for both the German debit payment scheme “electronic cash” (Point of Sale, POS) and the German ATM system. girocard is the most prominent card payment scheme in Germany and functions as a chip and PIN-based debit card scheme. The payment card required to make POS transactions and to withdraw cash at ATMs is generally issued to the cardholder by the account-holding credit institution when opening a current account.

Meanwhile, the girocard also can be integrated into digital wallets.

VISA Europe

VISA Europe is a European card payment scheme based in London, which is owned and operated by its European members. VISA Europe has an exclusive and unlimited licence that it was granted by the globally active VISA Inc. On this basis, VISA Europe provides the legal, organisational and technical framework for the payment scheme. The various debit and credit cards, such as V PAY and VISA, are issued exclusively by the member institutions.

MasterCard Europe

MasterCard Europe, which has its headquarters in Brussels, is a subsidiary of MasterCard Incorporated, the holding company of MasterCard Worldwide. MasterCard Incorporated is a private joint stock company operating under US law. MasterCard grants licences for the issuance of its cards and for the acquisition of participating enterprises (acceptance points). MasterCard was originally owned by the approximately 25,000 banks and payment service providers which issued MasterCards. This ownership structure changed in 2006 when it became a listed company.

Implementation

In order to ensure a uniform oversight of card payment schemes in the Eurosystem, an Oversight Framework for Card Payment Schemes was published in January 2008. This oversight framework, alongside the other payment instrument oversight frameworks, was meanwhile revised, updated, and published in November 2021 as the Eurosystem's oversight framework electronic payment instruments, schemes and arrangements, the PISA framework. The requirements contained therein are based on the principles for financial market infrastructures (PFMI) and are primarily directed towards the governance body of a payment scheme or arrangement.

Furthermore, compliance with the new standards will be scrutinised as part of the assessment of the respective card payment schemes. To this end, the Bundesbank as responsible central bank for the oversight of girocard drew up a Memorandum of Understanding (MoU) with the German Banking Industry Committee as the governance body of girocard, specifying the modalities and confidentiality agreements with the card payment scheme. The Bundesbank independently monitors the German girocard scheme. With regard to international card payment schemes, each scheme is overseen by a team of experts from the various Eurosystem central banks. The implementation of the recommendations contained in the oversight reports by the national or international card scheme’s governance body is monitored by the overseeing central banks. Moreover, the development of card fraud is monitored and evaluated for various areas in which payment cards are used. Information is made available to the general public in the Eurosystem's report on card fraud.

Owing to its technical infrastructure, the internet is vulnerable to a wide range of attacks, which is why, among others, the risk of fraud in online payments was examined by the European SecuRe Pay Forum (forum on the security of retail payments). The SecuRe Pay Forum is a voluntary association of banking supervisors and payment overseers from all over Europe, supplemented by observers from Europol and the European Commission. Following a public consultation of market participants, recommendations for the security of online payments were published in January 2013. These concern not only card payments, but also credit transfers and e-money payments made on the internet. The SecuRe Pay requirements were incorporated into the oversight and banking supervision regulations and implemented by payment service providers and payment scheme operators. In addition, important parts were included into the 2nd Payment Services Directive (Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market). In this respect, they are binding for all payment service providers and payment methods in the scope of the PSD2.