Legal liability for the unauthorized use of another person's credit card

Introduction

The unauthorized use of another person’s credit card represents one of the most pervasive forms of financial fraud in the Philippines. With the rapid growth of e-commerce, contactless payments, and digital banking, credit cards have become indispensable, yet they also expose cardholders, issuers, merchants, and the public to significant risks. In 2023 alone, the Bangko Sentral ng Pilipinas (BSP) reported a surge in card-not-present (CNP) fraud cases, many involving stolen or cloned cards used without the owner’s consent.

Philippine law treats this act not merely as a civil wrong but primarily as a criminal offense, carrying both penal and civil liabilities. The legal regime is anchored on the Revised Penal Code (RPC), special penal laws such as Republic Act No. 8484 (Access Devices Regulation Act of 1998), Republic Act No. 10175 (Cybercrime Prevention Act of 2012), and regulatory issuances of the BSP. This article examines in exhaustive detail the criminal, civil, and administrative liabilities arising from the unauthorized use of credit cards, the parties involved, the elements of the offenses, available defenses, procedural remedies, and the evolving jurisprudence that shapes enforcement.

I. The Legal Framework

A. The Revised Penal Code (Act No. 3815, as amended)

The RPC remains the cornerstone for prosecuting unauthorized credit card use, particularly through the crime of estafa (swindling) under Article 315.

  1. Estafa through abuse of confidence (par. 1(b))
    When a person receives a credit card from its owner for a specific purpose (e.g., safekeeping or authorized use) and thereafter uses it without permission, the act constitutes estafa. The key elements are:

    • Juridical possession of the card by the offender;
    • Abuse of that confidence;
    • Misappropriation or conversion to the offender’s own use;
    • Damage to the owner.

  2. Estafa through deceit (par. 2(d))
    More commonly applied in cases where the offender obtains the card details through fraud (phishing, skimming, or social engineering) and uses them to make purchases. The offender induces the issuer or merchant to part with money or property by means of false pretenses.

    Jurisprudence has consistently held that presenting a credit card as one’s own when it belongs to another constitutes deceit. In People v. Ojeda (G.R. No. 104238, 1993) and subsequent cases, the Supreme Court ruled that the mere act of using the card to obtain goods on credit, knowing it is not yours, completes the offense.

  3. Qualified Theft (Article 310)
    If the card is physically taken without consent and later used, the initial taking is theft. The subsequent use aggravates the penalty because the card is a “document” or “instrument” under Article 310.

B. Republic Act No. 8484 – The Access Devices Regulation Act of 1998

This is the primary special law directly addressing credit card fraud. It defines “access devices” to include credit cards, debit cards, and any card or device that can be used to obtain money, goods, or services.

Prohibited Acts under Section 9 include:

  • Producing, using, or trafficking in counterfeit access devices;
  • Using an access device without the authorization of the owner or issuer;
  • Possessing or using a lost, stolen, expired, or revoked access device;
  • Receiving goods or services obtained through the unauthorized use of an access device.

Penalties (Section 10):

  • Imprisonment of not less than six (6) years and one (1) day but not more than twenty (20) years;
  • Fine of not less than Fifty Thousand Pesos (₱50,000) but not more than One Million Pesos (₱1,000,000);
  • Both, at the discretion of the court.

The law applies extraterritorially if the offense is committed using Philippine-issued cards or if the offender is a Philippine resident.

C. Republic Act No. 10175 – Cybercrime Prevention Act of 2012

When the unauthorized use occurs online (e.g., through hacked accounts, phishing sites, or malware), the Cybercrime Prevention Act applies. Relevant provisions:

  • Section 4(a)(3) – Computer-related fraud: the intentional and unauthorized input, alteration, or deletion of computer data resulting in damage.
  • Section 4(b) – Computer-related offenses, including misuse of devices.

Penalties are higher: prision mayor (6 years and 1 day to 12 years) plus fines up to ₱500,000, with an additional one degree higher if committed against critical infrastructure.

The Supreme Court in Disini v. Secretary of Justice (G.R. No. 203335, 2014) upheld the constitutionality of these provisions, affirming their application to credit card fraud schemes conducted through the internet.

D. Bangko Sentral ng Pilipinas Regulations

BSP Circular No. 808, Series of 2013 (as amended by Circular No. 1108, Series of 2021) mandates:

  • Zero liability for cardholders on unauthorized transactions if reported within 60 days from the statement date (for lost/stolen cards) or 30 days for online fraud.
  • Mandatory fraud monitoring systems by issuers.
  • Card issuers must absorb losses from “card-present” fraud if the merchant failed to verify the card properly (e.g., no PIN or signature).

BSP Circular No. 942, Series of 2017, further requires issuers to provide real-time fraud alerts via SMS or app notifications.

II. Elements of Unauthorized Use

To establish liability, the following must concur:

  1. Existence of a valid credit card issued to a specific person.
  2. Lack of authority – the user is not the cardholder, an authorized representative, or acting under a valid agency.
  3. Act of use – any transaction, whether purchase, cash advance, or balance transfer.
  4. Damage or prejudice – to the cardholder (billing), the issuer (non-payment), or the merchant (chargeback).
  5. Intent – knowledge that the use is unauthorized (presumed from circumstances in most cases).

Mere possession of the card is insufficient; actual or attempted use is required.

III. Who Bears Legal Liability?

A. The Unauthorized User (Primary Offender)

  • Criminal liability: Estafa, violation of RA 8484, and/or cybercrime.
  • Civil liability: Solidary obligation to pay the outstanding balance, interest, penalties, and moral/exemplary damages (Article 2208, Civil Code).
  • Administrative liability: If the offender is a bank employee or merchant, possible revocation of license or blacklisting by the Credit Card Association of the Philippines (CCAP).

B. The Cardholder (Victim)

  • General rule: Zero liability for unauthorized transactions if promptly reported.
  • Exceptions:
    • Gross negligence (e.g., sharing PIN or leaving card unattended in plain view).
    • Failure to report within the prescribed period.
    • Transactions made by an authorized user (spouse, child, employee) unless the authority was revoked in writing.

In BPI v. CA (G.R. No. 112392, 1995), the Supreme Court held that the cardholder’s negligence in safeguarding the card can shift liability, but only up to the point of contributory negligence.

C. The Card Issuer (Bank or Financial Institution)

  • Primary liability: Absorbs losses from fraud under BSP rules unless the cardholder was grossly negligent.
  • Subrogation: After paying the merchant, the issuer steps into the shoes of the merchant and pursues the offender civilly and criminally.
  • Regulatory liability: Fines from BSP for failure to implement adequate security (e.g., 3D Secure, tokenization).

D. The Merchant/Acquirer

  • Liability for card-present transactions: If the merchant accepted a card without proper verification (no signature, no PIN, no photo ID for high-value purchases), the issuer may charge back the transaction.
  • Liability for CNP transactions: Merchants bear the risk unless they use 3D Secure or equivalent authentication.
  • Criminal liability: Possible accessory liability if the merchant knowingly processes fraudulent transactions (money laundering under RA 9160, as amended).

IV. Penalties and Sanctions

Offense Imprisonment Fine (₱) Additional Sanctions
Estafa (RPC Art. 315) 6 months to 20 years (depending on amount) None (but civil indemnity) Restitution, damages
RA 8484 Violation 6 years 1 day to 20 years 50,000 to 1,000,000 Forfeiture of devices
Cybercrime Fraud (RA 10175) 6 years 1 day to 12 years Up to 500,000 One degree higher if critical
Qualified Theft 6 years 1 day to 20 years None Restitution

Multiple transactions are treated as separate offenses if committed on different dates, allowing for multiple informations.

V. Defenses Available to the Accused

  1. Authorization – Proof of consent (text messages, emails, verbal authority corroborated by circumstances).
  2. Mistake of fact – Honest belief that the card was authorized (rarely successful).
  3. Lack of intent – E.g., the user was given the card by a third party who misrepresented ownership.
  4. Prescription – Estafa prescribes in 10–20 years depending on the amount (Art. 90, RPC); RA 8484 follows the same.
  5. Insanity or minority – Standard RPC defenses.

In People v. Sandiganbayan (G.R. No. 169004, 2007), the Court acquitted an accused who proved he was given the card by the owner’s spouse under the presumption of marital authority.

VI. Procedural Aspects: Investigation, Prosecution, and Remedies

A. Reporting the Crime

  1. Immediate notification to the issuer (within 24–48 hours recommended).
  2. Police blotter and affidavit-complaint before the prosecutor’s office.
  3. For online fraud, report to the Philippine National Police Anti-Cybercrime Group (PNP-ACG) or the National Bureau of Investigation (NBI) Cybercrime Division.

B. Prosecution

  • Venue: Where the transaction occurred or where the cardholder resides.
  • Evidence commonly used:
    • CCTV footage;
    • Transaction logs and IP addresses;
    • Sworn statement of the cardholder;
    • Forensic examination of devices.

C. Civil Remedies

  • Independent civil action under Article 33 of the Civil Code (for fraud) may proceed separately from the criminal case.
  • Attachment of properties of the accused to secure recovery.

D. International Dimensions

Philippine authorities cooperate with Interpol and foreign law enforcement under mutual legal assistance treaties. The Philippines is a party to the Budapest Convention on Cybercrime, facilitating cross-border evidence gathering.

VII. Preventive Measures and Regulatory Developments

BSP and the Department of Trade and Industry (DTI) have intensified consumer education. Key requirements include:

  • Chip-and-PIN technology (mandated since 2017);
  • Two-factor authentication for online transactions;
  • Real-time transaction alerts;
  • Mandatory fraud insurance coverage by issuers.

The proposed “Financial Consumer Protection Act” (pending in Congress as of 2025) seeks to further strengthen cardholder rights and impose stricter penalties on negligent merchants.

Jurisprudential Highlights

  • People v. Laguio (G.R. No. 134169, 2000): Conviction for estafa upheld where the accused used a lost credit card to purchase jewelry.
  • Metrobank v. CA (G.R. No. 166197, 2007): Issuer held liable for failing to block a card reported lost within 24 hours.
  • People v. Dela Cruz (G.R. No. 177222, 2008): Online use of stolen card details via a phishing site prosecuted under both RPC and RA 8484.

Conclusion

The unauthorized use of another person’s credit card in the Philippines triggers a multi-layered liability regime designed to protect consumers while deterring fraudsters. The interplay of the Revised Penal Code, RA 8484, RA 10175, and BSP regulations creates a robust framework that holds the primary offender accountable, shields the diligent cardholder, and imposes accountability on issuers and merchants. As technology evolves, so too must enforcement and legislation. Vigilance by all stakeholders—cardholders, banks, merchants, and regulators—remains the most effective safeguard against this insidious crime.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login