Payment Services Regulations 2009

The Payment Services Regulations 2009 protect you if you're the victim of card fraud. They place legal requirements on your bank and establish your rights to a refund.


The Payment Services Regulations

The Payment Services Regulations 2009 (PSR) set out the rules relating to all 'payment services' including the services provided by banks, building societies and debit card providers. 

The rules also outline what consumers can expect their bank to do if there has been unauthorised use of their account details or their debit cards. 

The principles in the Payment Services Regulations are reflected in the Financial Conduct Authority (FCA) handbook called Banking: Conduct of Business and Sourcebook (BCOBS).

This handbook sets out the rules that all service providers (including banks, building societies and card providers) must follow. 


The Payment Services Regulations 2009 set out what payment service providers must do if there has been unauthorised or fraudulent activity on your account. 

You should be able to get your money back as long as your provider can't prove that you hadn't taken reasonable steps to keep your card or account information secure. 

Lost or stolen debit card

If your debit card is lost or stolen and then used to buy something, you should get the disputed sum paid back to you. 

If your debit card provider can show that you failed to take reasonable steps to protect your security features (eg your PIN), then it can make a £50 deduction from any refund it pays to you.

However, it can’t make this deduction if the disputed transaction was made after you had reported the card lost or stolen.

If your debit card provider can show that you acted fraudulently, it can refuse to give you a refund. 

If it can show you were grossly negligent in not taking reasonable care of your card's security features (eg your PIN), your card provider would have grounds to refuse to refund any of the sum disputed - except where the card or card details were used to make a distance contract eg online or over the phone. 

These provisions don't apply to credit cards as the Consumer Credit Act 1974 already sets out rules that apply to credit cards.

The Consumer Credit Act says that if your credit card is lost or stolen and used by a thief, the most you should be responsible for is the first £50 of any unauthorised transactions made before you reported the card missing. 

Unauthorised debit card usage

The Payment Services Regulations can help if there is a transaction on your card that you know nothing about.

If your debit card has not been lost or stolen and someone else uses the card details to buy something, for example if a card is cloned or someone uses details you gave to a retailer when buying an item over the phone or online, then the Payment Services Regulations mean you should be refunded in full. 

Again, if your provider can show that you hadn't taken reasonable steps to protect the security of your card (ie your PIN or online security details) you could be liable for the first £50 of any loss you incur. 

And if your provider can show that you acted fraudulently, you won't be entitled to any refund. 

As with lost or stolen cards, if you were grossly negligent, then the service provider can refuse to credit any money back to you - except where your card or account details were used to enter into a distance contract. 

If your card was used before you received it, for example it was intercepted by someone in the post, then you should be refunded in full. 
