Commission Recommendation 87/598/EEC

Commission Recommendation 87/598/EEC concerning a European code of conduct relating to electronic payments

Title: Commission Recommendation 87/598/EEC of 8 December 1987, concerning a European code of conduct relating to electronic payments

Note: this recommendation was further elaborated in Recommendation 97/489/EC, with regard to the relationship between issuer and holder; see
Source reference:
Topic: Good practices for electronic payment systems (carried out by means of a card incorporating a magnetic strip or microcircuit used at an electronic payment terminal (EPT) or point-of-sale (POS) terminal)
Direct / indirect relevance: Direct. The text focuses on electronic payments and includes specific provisions on data protection and information security.
Scope: Nonbinding recommendation to issuers of electronic payment solutions, specifically card issuers
Legal force: Not legally binding on natural persons, legal entities or countries
Affected sectors: Providers of electronic payment solutions, specifically card issuers
Relevant provision(s): 4. Data protection and security

(a) Electronic payments are irreversible. An order given by means of a payment card shall be irrevocable and may not be countermanded.
(b) The information transmitted, at the time of payment, to the trader's bank and subsequently to the issuer must not in any circumstances prejudice the protection of privacy. It shall be strictly limited to that normally laid down for cheques and transfers.
(c) Any problems whatsoever that arise in connection with the protection of information or with security must be openly acknowledged and cleared up at whatever stage in the contract between the parties.
(d) Contracts must not restrict traders' freedom of operation or freedom to compete.

2. Relations between issuers and consumers

Cardholders shall take all reasonable precautions to ensure the safety of the card issued and shall observe the special conditions (loss or theft) in the contract which they have signed. […]
Relevance to RM/RA: The document provides a number of general non-binding recommendations, including an obligation to ensure that privacy is respected and that the system is transparent with regard to potential security or confidentiality risks, which must obviously be mitigated by all reasonable means.

The abstract and generic character of the recommendations (many of which have been further developed in more specific norms, e.g. the Privacy Directive) means that they are of only relative use in assessing the validity of existing RM/RA practices. Nonetheless, it is one of the few norms that contain a clear obligation to inform users of any security and/or confidentiality risks.