Card payments are, after cash, the most significant payment instrument for retail purchases and services.
A card payment scheme consists of functions, procedures, agreements, rules and devices that the holder of a payment card can use to make payment transactions and/or to withdraw cash from third parties, ie agents other than the card-issuing institution itself. Card payments encompass both physical payment transactions made at the point of sale and remote payments effected, for example, via the internet or by telephone.
As with all other payment instruments, card payment schemes are generally exposed to risks, and these risks have to be monitored and mitigated in order to maintain confidence in this method of payment. Such risks are primarily operational in nature, but there are also liquidity and credit risks as well as management and legal risks – the significance of which can vary depending on the individual card payment scheme or card payment method concerned. Furthermore, card payment schemes are particularly vulnerable to reputational risk, which has the potential to have strong adverse effects on the security and efficiency of the system as a whole. Although the materialisation of even the more significant risks in a card payment scheme is unlikely to result in major disruptions on the financial markets – unlike in the event of unavailability of a systemically important payment system – it could nonetheless have major repercussions, at least temporarily, for the real economy and for consumers due to the lack of readily available and comparable functional alternatives.
From the Eurosystem's perspective, a card payment scheme should therefore
- have a solid legal basis in all relevant national legislation,
- ensure that comprehensive information, including information about financial risks, is made available to all the relevant parties,
- provide for an appropriate degree of security, operational reliability and business continuity,
- have an effective, reliable and transparent governance structure in place and
- be able to manage and contain financial risks in connection with the clearing and settlement process.
Entities subject to Oversight
Oversight generally focuses on an individual card payment scheme, insofar as the scheme is of particular significance to the Eurosystem or at the national level. The decision as to whether a card payment scheme should be subject to oversight is made irrespective of whether the cards are issued by the scheme operator itself or by credit institutions or other payment service providers on its behalf. The international schemes often comprise several brands of cards, which vary both from a technical viewpoint and in terms of their business conditions. The point in time at which the consumer's account is debited is decisive when distinguishing between debit cards (where the balance is debited immediately) and credit cards (where the balance is debited in instalments in accordance with the terms of the individual card contract or at regular intervals in the case of charge cards).
At present, the following card payment schemes operating in Germany are subject to oversight.
girocard is the umbrella brand of the German banking industry for both the German debit payment scheme "electronic cash" (Point of Sale, POS) and the German ATM system. girocard is the most prominent card payment scheme in Germany and functions as a chip and PIN-based debit card scheme. The payment card required to make POS transactions and to withdraw cash at ATMs is generally issued to the card holder by the account-holding credit institution when opening a current account.
VISA Europe is a European card payment scheme based in London, which is owned and operated by its approximately 4,000 European members. VISA Europe holds an exclusive and unlimited licence granted by the globally active VISA Inc. On this basis, VISA Europe provides the legal, organisational and technical framework for the payment scheme. The various debit and credit cards, such as V PAY and VISA, are issued exclusively by the member institutions.
MasterCard Europe, which has its headquarters in Brussels, is a subsidiary of MasterCard Incorporated, the holding company of MasterCard Worldwide. MasterCard Incorporated is a private joint stock company operating under US law. MasterCard grants licences for the issuance of its cards (eg Cirrus, Maestro, MasterCard) and for the acquisition of participating enterprises (acceptance points). MasterCard was originally owned by the approximately 25,000 banks and payment service providers which issued MasterCards. This ownership structure changed in 2006 when it became a listed company.
American Express, which is a listed company with its headquarters in the USA, is an independent issuer of payment cards, which does not entrust banks or other payment service providers with the task of issuing its cards.
In order to ensure uniform oversight of card payment schemes in the Eurosystem, an Oversight Framework for Card Payment Schemes was published in January 2008. Five standards as well as a corresponding methodology were developed on the basis of the identified risk profile in cooperation with the Bundesbank. The requirements contained therein are primarily directed towards the card scheme's governance authority.
These standards were scrutinised as part of the first-time assessment of the respective card payment schemes. To this end, the central bank responsible for oversight activities drew up a Memorandum of Understanding (MoU) specifying the modalities and confidentiality agreements of the card payment scheme. The Bundesbank independently monitors the German girocard scheme. With regard to international card payment schemes, each scheme is overseen by a team of experts from the various Eurosystem central banks. Furthermore, the Bundesbank is involved in the Eurosystem's peer review process, which serves to compare the key findings of the individual oversight reports. Implementation of the recommendations contained in the oversight reports by the card scheme operators is monitored by the overseeing central banks. Moreover, developments in the number of fraud cases are monitored and evaluated for various areas in which payment cards are used. Information is made available to the general public in the Eurosystem's report on card fraud.
Owing to its technical infrastructure, the internet is vulnerable to a wide range of attacks, which is why the risk of fraud in online payments was examined by the European SecuRe Pay-Forum (forum on the security of retail payments). The SecuRe Pay-Forum is a voluntary association of banking supervisors and payment systems overseers from all over Europe, supplemented by observers from Europol and the European Commission. Following a public consultation of market participants, recommendations for the security of online payments were published in January 2013. These concern not only card payments, but also credit transfers and e-money payments made on the internet, and are to be incorporated into the oversight and banking supervision regulations and implemented by payment service providers and payment systems operators in 2015. In February 2015, the Eurosystem therefore published the Guide for the assessment of card payment schemes against the oversight standards, which supports assessment against the standards of the aforementioned Oversight Framework for Card Payment Schemes.