Customer obliged to take reasonable care, not extreme care

Cards and PINs, June 2007

Kiri and her husband, Hamish, had a credit card with a bank. Kiri was shopping with her 16-year-old grandson when she used the card to make a purchase. She entered her PIN into the eftpos keypad, which was fixed in position on the counter without any shield. Her taller grandson observed her enter the PIN. During the next two days, unauthorised transactions totalling $3,700 were made on the card. Kiri and Hamish realised their card was missing and requested an immediate stop.

The couple made a claim to the bank for reimbursement of the unauthorised transactions. The bank denied the claim, saying Kiri hadn't taken adequate security measures to prevent disclosure of the PIN, thus breaching the card’s terms and conditions. The bank offered a goodwill payment of $738.15.

The couple did not believe they had breached the card's terms and conditions. Kiri said she was totally unaware her grandson was standing behind her while she was keying in her PIN. She kept her card in her wallet in her bag. Her bag was usually kept in her bedroom when she was at home, and the couple did not have any reason to believe that their grandson, who had no history of dishonesty, would steal from them. The PIN was not written down anywhere, and was neither a sequential number nor easily identifiable in any other way. 

Our investigation

We found that Kiri’s grandson had almost certainly “shoulder-surfed” her PIN. The bank argued that the fact the thief knew the PIN proved Kiri had not taken reasonable care to shield the PIN from view. However, our view was that a customer must take care to avoid disclosure when keying in a PIN, but this will not always prevent it from being seen by a determined individual. There is a limit to what customers can reasonably be expected to do to protect their PIN, particularly when using an unshielded keypad. The standard of care required in such circumstances is reasonable care, not extreme care or the use of every possible precaution.

Kiri had no reason to suspect her grandson was watching her enter the PIN, or that he might steal from her. It is not unreasonable for people to trust close family members and friends in the absence of evidence that they may be untrustworthy. Customers may not take the same precautions to shield the entry of their PIN in the presence of a close family member as they would around strangers. Given that the grandson was considerably taller than his grandmother, it would not have been difficult for him to look over her shoulder.

We found that Kiri had not breached her card’s terms and conditions. Kiri and Hamish were entitled to reimbursement of the amount of their loss, less the standard $50 maximum customer liability, a total of $3,650.


Kiri and Hamish accepted the $3,650.
