Slack security

Rachel was in France, when she realised there had been a number of transactions and withdrawals from her travel card without her knowing. These transactions totalled $3,402 NZD. Rachel called her card provider, Cash for Travel (CFT), straight away. Over the phone, Rachel was informed she would be able to get her money back.

The dispute

CFT then sent a letter to Rachel stating it would not be reimbursing her for the fraudulent transactions, because it appeared Rachel had not taken reasonable steps to keep her card security details safe.

Rachel disagreed with this decision and complained to FSCL.

The transactions

The disputed transactions began on 13 September. Prior to this, Rachel had last used the card on 11 September. Rachel believed she had last seen her card while at a train station on 13 September. This was likely the point where the card was lost or stolen.

On 13 and 14 September there were a number of small unauthorised transactions. On 15 September large unauthorised ATM withdrawals took place, along with a few smaller unauthorised transactions.

CFT’s position

CFT said Rachel had breached clauses 14 and 16 of their terms and conditions. Clause 14 outlines the ways to keep the security details of a card secure, and clause 16 states that a cardholder will be liable for unauthorised transactions if they fail to take all reasonable steps to keep security features of the card safe.

CFT provided evidence showing there was no technology available that would extract Rachel’s personal identification number (PIN) from the data on the card, or to bypass the PIN to carry out ATM withdrawals.

The ATM withdrawals all occurred using the correct PIN and no wrong attempts were made. CFT said it is not uncommon for customers to be observed by a thief entering their PIN prior to it being stolen. However, Rachel last saw her card on 13 September, and had last entered her PIN on 11 September. It did not seem to fit the ‘typical’ thief behaviour for a person to observe Rachel entering her PIN on 11 September, follow her for 2 days, and then steal her card.

CFT said the only explanation was that Rachel had kept her PIN number near her card when it was stolen. This was a breach of CFT’s terms and conditions meaning CFT were not liable for the unauthorised transactions.


The issue for us to determine was whether it was more likely than not that Rachel had her PIN recorded with or near her card, or whether she failed to take adequate care to keep her PIN and card secure.

Accepting both Rachel’s assertion that she did not keep the PIN with her card, and CFT’s assertion that it was not possible the PIN was bypassed at an ATM, the only logical explanation for the unauthorised transactions was that someone was able to observe Rachel’s PIN entry on 11 September. In this case, it seemed most likely that the thief was a person Rachel knew, who had the opportunity to observe her PIN and then physically steal the card two days later.


This was a difficult case to determine. However, by the very fact the thief had access to both Rachel’s card and PIN, we had to conclude on a balance of probabilities that Rachel had failed to take all reasonable steps to keep the card’s security features safe, which was a breach of paragraph 16 of CFT’s terms and conditions.

It followed that CFT was entitled to decline to compensate Rachel for the disputed transaction, and we recommended Rachel discontinue her complaint.


Consumers are required to take reasonable steps to safeguard their card security details from potential thieves. This can include covering the number pad whenever entering your PIN, not disclosing your PIN to anyone and not keeping your PIN recorded near the card.