The legal answer to an unauthorized tap-to-pay transaction is rarely “contactless is safer” or “the bank pays.” The practical answer depends on which layer is doing the work: federal consumer-credit law may cap a consumer’s liability; a card-network promise may reimburse more than federal law requires; and EMV chargeback rules may still leave a merchant holding a counterfeit-fraud loss. That separation is the starting point for analyzing tap-to-pay credit card fraud liability.
For a consumer credit card, Regulation Z is the statutory floor. It defines when a use is “unauthorized,” caps consumer liability at $50 when the rule’s conditions are met, and requires the issuer to have provided a way to identify the cardholder and notice of potential liability. For a business card program, the same comfort may disappear: Regulation Z’s business-use exemption allows issuers and organizations with 10 or more credit cards issued for employee use to agree to liability terms outside the consumer cap. [1]

That is why a tap dispute should not be analyzed as one question. A cardholder asking for reversal, a merchant responding to a counterfeit chargeback, and an in-house lawyer reviewing a fleet of employee cards may all be looking at the same payment event but different liability systems.
Regulation Z Is the First Liability Anchor
Regulation Z implements the Truth in Lending Act for open-end credit. In the unauthorized-use provision, the rule caps a cardholder’s liability at $50, but only if the conditions in the regulation are satisfied. The issuer must have provided adequate notice of potential liability, the card or device must provide a means of identifying the cardholder or authorized user, and the use must fit the rule’s definition of “unauthorized use.” [1]
That definition matters more than the payment form factor. A tap made with a lost card, a stolen card, or a compromised wallet credential is not legally resolved merely by calling it “contactless.” The relevant question is whether the transaction was made by a person who lacked actual, implied, or apparent authority and from which the cardholder received no benefit. If the transaction fits that definition, the federal cap becomes the baseline analysis for a consumer credit card. [1]
The cap is not the same thing as a guarantee that every dispute will be credited immediately, permanently, or without investigation. Regulation Z supplies a liability ceiling for qualifying unauthorized use; it does not answer every evidentiary question about whether the transaction was authorized, whether the cardholder benefited, or whether another rule or contract supplies broader protection.
| Layer | What it answers | Who should care |
|---|---|---|
| Regulation Z / TILA | How much a consumer cardholder can be liable for qualifying unauthorized use | Consumers, issuers, consumer-credit counsel |
| Network zero-liability policy | Whether the network promises broader reimbursement subject to policy conditions | Cardholders, issuers, program managers |
| EMV and chargeback rules | Which participant absorbs a counterfeit-fraud chargeback | Merchants, acquirers, payment operations teams |
| Commercial-card contract | Whether an organization accepted broader liability for employee cards | In-house counsel, treasury, procurement |
The Business-Use Exemption Is Where Comfortable Assumptions Fail
The consumer-credit framing can be misleading when the card sits inside a company program. Regulation Z states that if 10 or more credit cards are issued by one issuer for use by employees of an organization, the unauthorized-use liability limits in § 1026.12(b) do not prohibit the issuer and the organization from agreeing to liability without regard to the $50 cap. [1]

That provision is easy to miss because most public discussion of card fraud is written around household cards. A company may assume that “credit card fraud liability” means the same thing for a purchasing-card program, travel-card program, or distributed employee-card arrangement. The regulation permits a different result if the exemption applies and the contract allocates the loss differently.
The legal review should therefore start with the card type and the governing agreement before anyone relies on the consumer cap. For an organization, the important document may be the issuer contract, program terms, indemnity language, employee-use policy, and notice procedures. Regulation Z is still relevant, but not always as a protective ceiling for the entity paying the bill.
Network Zero Liability Is Broader, but It Is Not the Statute
Card networks often advertise zero-liability protection, and those policies can be more generous than Regulation Z’s $50 ceiling. Mastercard’s U.S. Zero Liability terms, for example, state that the cardholder will not be held responsible for unauthorized transactions if the cardholder used reasonable care in protecting the card from loss or theft and promptly reported loss or theft to the financial institution. The same terms also identify exclusions, including certain commercial cards and unregistered prepaid cards. [2]
That language should be read as a conditional network protection, not as a replacement for Regulation Z. It may reduce a consumer’s practical out-of-pocket exposure to zero in many ordinary unauthorized-use cases, but it does so through network rules and issuer obligations rather than by changing the federal statutory cap. It also does not eliminate the need to identify who bears the loss downstream after the cardholder is credited.
Comparable network policies can create a similar public impression: cardholders hear “zero liability,” merchants hear “fraud protection,” and operational teams assume the result is settled. The policy text is usually less absolute than the slogan. Reasonable-care conditions, reporting conditions, card-type exclusions, and network-specific chargeback rules still matter.
The Contactless EMV Gap Hits Merchants Differently
The merchant-side issue is not the same as the consumer’s unauthorized-use cap. A merchant can lose a chargeback even when the consumer is protected. The more surprising point is that the U.S. EMV counterfeit liability shift for contact chip transactions does not map cleanly onto contactless transactions.
The U.S. Payments Forum’s 2019 guidance is commonly cited for the point that, for most U.S. payment networks, counterfeit-fraud liability shift does not apply to contactless transactions. In practical terms, a merchant that understands chip-insertion liability may still be exposed when the same card is tapped instead of inserted. [3]

That is a legal-allocation problem, not a technology indictment. Contactless EMV can authenticate transaction data in ways that are valuable for speed and fraud prevention. The narrower point is that the U.S. counterfeit-liability allocation for contactless transactions has not always followed the same path merchants learned from the chip-card migration.
Industry chargeback materials describe the operational result in familiar terms: once a fraudulent transaction is disputed and routed through the chargeback process, the merchant may lose the transaction amount and related fees depending on the chargeback reason, evidence, and applicable network rules. Those materials are useful for understanding the workflow, but the operative allocation still comes from the payment-network and EMV rules rather than a general statement that contactless fraud is “merchant liability.” [4][5]
A Simple Allocation Map
| Scenario | Likely first question | Main liability source |
|---|---|---|
| Consumer card tapped after the physical card is stolen | Was the transaction unauthorized under Regulation Z? | Regulation Z, then network zero-liability policy |
| Consumer card remains in the wallet but credentials are misused | Does the event fit unauthorized use and what evidence supports that classification? | Regulation Z, network policy, issuer investigation |
| Merchant accepts a fraudulent contactless transaction | Does the applicable network apply a contactless counterfeit liability shift? | Network and EMV chargeback rules |
| Employee card in a company program is misused | Does the business-use exemption and contract change the liability allocation? | Regulation Z business-use exemption and issuer agreement |
Criminal Fraud Law Does Not Allocate the Civil Loss
Federal criminal law sits in the background. 15 U.S.C. § 1644 makes certain credit-card fraud conduct punishable by a fine of up to $10,000, imprisonment for up to 10 years, or both. That provision helps distinguish the wrongfulness of the fraud from the civil question of who absorbs the transaction loss. [6]
A prosecutor’s theory, an issuer’s reimbursement decision, and a merchant’s chargeback position are not interchangeable. A transaction can be criminally fraudulent and still require a separate analysis of consumer liability, network reimbursement, and merchant chargeback exposure.
Where Tap-to-Pay Disputes Become Harder
Lost-card cases are comparatively familiar. The harder fact patterns are the ones that separate possession from transaction initiation. NFC relay attacks, sometimes described as “ghost tapping,” are the obvious example: the card may remain with the consumer while a relay setup causes a terminal elsewhere to receive usable payment credentials. Current public sources do not identify a definitive U.S. regulatory interpretation or court ruling resolving how Regulation Z’s unauthorized-use framework applies to that fact pattern in every case.
Remote credential theft creates a similar classification problem. If a digital wallet token, account credential, or device credential is misused, the analysis may turn on the account type, the issuer’s authentication records, the wallet provider’s role, the consumer’s benefit or lack of benefit, and the applicable network policy. Treating every wallet-based tap as if it were a lost plastic card can skip the facts that decide the dispute.
Digital-wallet supervision is also no longer just a payments-industry housekeeping issue. The CFPB finalized a larger-participant rule for general-use digital consumer payment applications, bringing certain large nonbank digital payment app providers under CFPB supervisory authority. The rule is relevant because wallets such as Apple Pay and Google Pay sit close to contactless transactions, even though supervision of a wallet provider does not by itself answer a particular cardholder-liability or merchant-chargeback question. [7]
For counsel, the cleaner question is not whether tap-to-pay is safe. It is which legal layer is being invoked, what conditions attach to that layer, and whether another participant is left with the loss after the cardholder is made whole. The unresolved edge cases matter because the seams are where confident slogans tend to become expensive.
References
- § 1026.12 Special credit card provisions, Consumer Financial Protection Bureau, https://www.consumerfinance.gov/rules-policy/regulations/1026/12/
- Zero Liability Protection, Mastercard, https://www.mastercard.us/en-us/personal/get-support/zero-liability-terms-conditions.html
- Understanding Fraud Liability for EMV Contact and Contactless Transactions, U.S. Payments Forum, February 2019, https://www.uspaymentsforum.org/understanding-fraud-liability-for-emv-contact-and-contactless-transactions/
- What is Contactless Payment Fraud?, Chargebacks911, https://chargebacks911.com/contactless-payment-fraud/
- Who Pays For Credit Card Fraud? Understanding Merchant Liability, Signifyd, https://www.signifyd.com/blog/merchant-liability-credit-card-fraud/
- 15 U.S. Code § 1644 - Fraudulent use of credit cards; penalties, Legal Information Institute, https://www.law.cornell.edu/uscode/text/15/1644
- CFPB Finalizes Rule to Supervise Big Tech Companies Offering Digital Wallets and Payment Apps, Consumer Financial Protection Bureau, November 21, 2024, https://www.consumerfinance.gov/about-us/newsroom/cfpb-finalizes-rule-to-supervise-big-tech-companies-offering-digital-wallets-and-payment-apps/
Comments
Join the discussion with an anonymous comment.