FAQ: Card payment at the checkout
We answer the most important questions about security, usage requirements and payments abroad with plastic cards and smartphone wallets.
(Image: dpa, Monica Davey)
Cashless payments at the checkout are popular and widespread in many different ways. In addition to direct debits, debit and credit cards, digital wallets on smartphones are playing an increasingly important role – and lead to questions from many readers. We have compiled the most important answers.
Security
When we went to the police to report a card theft, the officer recommended “KUNO” in addition to blocking the Girocard itself. This also blocks the direct debit procedure. I haven't read anything about this from you yet.
You're right, KUNO is much less well known than the 116 116 blocking emergency number, and we haven't heard of it either. KUNO stands for “combating crime in non-cash payment transactions using non-police organizational structures”. It is a procedure offered by the police and retailers, independent of credit institutions.
If you report your stolen Girocard via your bank or the central blocking emergency number 116 116, you will only block it for payments in the Girocard system. Direct debits are still possible. This is because these are technically different payment methods that are not linked to each other. If you pay at the checkout with your card using contactless or PIN entry and do not need to provide a signature, this is the Girocard procedure. Your data is then immediately synchronized with the bank server. With the direct debit procedure, for which you have to provide a signature, the checkout terminal only retrieves your IBAN locally, which is stored on the card in unencrypted form.
To block the card for direct debits, you must report the theft to a police station. To do this, you will need the IBAN or account number and sort code. You should also take an account statement with you that contains a direct debit so that you have the card sequence number to hand. Alternatively, you can ask your bank for it.
Videos by heise
When taking the report, ask the officer to block your card for direct debits as well. KUNO only works directly at the police station; it is not possible to block your card online or by telephone. The police will forward the account data to a central retailer reporting system so that retailers connected to this system can refuse direct debit payments with your stolen card from then on. Please note: Not all retailers are connected, and many online retailers are also missing, but at least almost all large chains are participating. Also ask at the police station for a blocking confirmation number and an information sheet. However, the police will not give you this number in all federal states, as the service's FAQ explains. You can also use this number to subsequently report the card sequence number or unblock the card via the KUNO portal, otherwise you will have to contact the police yourself.
Blocking unauthorized direct debits is not quite as urgent as blocking the Girocard function. While you cannot normally recover payments made with your Girocard, a direct debit without a valid mandate can be reversed for 13 months. If a thief uses your card, he can only forge your signature. The mandate is then invalid. However, this security mechanism does not save you the trouble of having to complain about unauthorized debits.
You repeatedly advise against rooted smartphones and sideloading when it comes to mobile payments or online banking. Why? I know my way around and want nothing to do with Google and Apple.
Only unrooted smartphones offer a level of protection that is sufficiently high for every user of banking and payment apps, regardless of their level of experience and knowledge. A rooted device always assumes that you are familiar with the latest attack methods used by cyber criminals and know how they override the protection mechanisms of the operating systems. However, since not everyone understands the sinister combination of phishing and malware, for example, we cannot in good conscience recommend such Android roots and iPhone jailbreaks as a basis for financial transactions.
Of course, you are free to use a rooted device at your discretion. However, you must then expect that your payment app will not run at all. In most cases, these apps check whether the smartphone is rooted at startup and refuse to work if this is the case. Workarounds can be a waste of time with the next update. The most serious argument, however, is that your bank usually successfully refuses to accept any liability for damage if you have rooted the device.
A similar rule also applies to downloads. If you come across alleged apps from financial service providers on alternative app stores without a curated catalog or download apps of a different nature onto your cell phone, you should never use it to make payments. Even in such cases, banks are usually successful in defending themselves against claims for damages. Banks generally only offer their apps on Google Play and Apple's App Store. These are not entirely free of offers, such as QR code readers that contain malicious code. However, Apple and Google provide sufficient protection overall.
Requirements
Can I use the same plastic card on several devices in their wallets at the same time?
In principle, this is possible, but this also depends on the respective bank. Each bank can decide the exact configuration itself, as well as whether it supports a mobile payment method at all. In our experience, most banks and savings banks allow you to store certain cards on different devices at the same time. For example, we were able to use the Girocard and Visa debit card from Sparkasse Hannover in parallel in both “Mobile Payments” under Android and in Apple Pay, as well as Visa and Mastercard cards from Hannoversche Volksbank in VR Pay and Apple Pay.
With Google Pay and Apple Pay, you can also usually store the same card on several devices, even across systems. In addition, one card can often be used with different user accounts. For example, we were able to store a Comdirect Visa debit card on two iPhones belonging to different people. This can be very useful within the family. However, there is always a risk that a fraudster will use clever tricks to trick you into activating a card on their device.
Paying abroad
My wallet doesn't work abroad. Have the banks blocked the service there?
Normally, paying with a smartphone should also work abroad wherever a merchant accepts the underlying payment method. So if the retailer accepts Visa and Mastercard cards and enables contactless payments via NFC, a payment should work with any wallet in which you have stored these cards. It doesn't matter whether you use Apple Pay, Google Pay, Samsung Pay or the payment app of your savings bank or bank. This was confirmed to us by DZ Bank, for example, which provides the physical and digital cards for the cooperative banks. PayPal and QR or barcode methods such as Bluecode, which you can find mainly in Austria, should also work.
However, readers tell us occasionally that they have problems with smartphone payments via NFC. One of them, for example, was unable to pay at several retailers in Austria using the Volksbank Pay app and the Mastercard stored on it. We are also aware of cases in the USA where Apple Pay did not work – even in Apple stores. There can be many different reasons for this. Sometimes merchants exclude contactless payments with foreign cards, sometimes the merchant's payment processor is having issues. Perhaps your bank is refusing payment in individual cases because it cannot rule out attempted fraud. Sometimes the reason is also that the Girocard is still set as standard. The digitalized Girocard does not have the Maestro or V Pay co-badge, which makes a physical card suitable for use abroad.
Do I have a chance to use the smartphone payment methods of other European countries as well?
Normally not. In most countries, the national smartphone payment methods require a current account with a local bank, such as Bizum in Spain. Elsewhere, you also need a citizen identification number. This is the case, for example, in the Nordic countries with Mobile Pay (Denmark, Finland), Swish (Sweden) and Vipps (Norway). You will normally only receive this ID if you are a permanent resident of the respective country.
One exception is the Swiss Twint, which offers a prepaid app that also works with German and Austrian telephone numbers. You have to register in the app, identify yourself with a photo of your ID card and can only top up your prepaid account using a Swiss bank account or voucher cards. You can obtain these locally in Switzerland in Coop stores, at Interdiscount or in independent post offices. The monthly limit for sending and receiving is CHF 1500, the annual limit is CHF 5000, any remaining credit can only be credited to a Swiss bank account.
(mon)
