Providing bank card details does not automatically constitute a payment order
In a ruling dated 10 December 2025, the Commercial Chamber of the Cour de cassation provides an important clarification on the conditions for authorising a remote bank card payment. The ruling, published in the official bulletin and therefore carrying particular significance, reaffirms that in payment transactions, the payer’s consent must be clearly established.
Cass. com., 10 December 2025, No. 24-20.778, Published in the bulletin
The facts giving rise to the dispute
The case originated in a now commonplace situation: a hotel reservation made by telephone. On 5 August 2021, the company RJSAM, represented by its manager Ms G., contacted a hotel to book a room. During this telephone exchange, she provided the number of her bank card as well as the security code on the reverse.
The reservation could not ultimately be honoured, but the hotelier refused to refund the amount debited. The company RJSAM then turned to its bank, CIC, arguing that it had provided its bank details solely for the purpose of securing the reservation and not with the intention of making an immediate payment.
Faced with the bank’s refusal to issue a refund, the company brought proceedings before the Tribunal judiciaire de Paris to obtain reimbursement of the amounts debited.
An unfavourable first-instance decision
On 20 March 2023, the Tribunal judiciaire de Paris dismissed all of the company RJSAM’s claims. In its reasoning, the court considered that it was “not seriously contestable” that the company had voluntarily provided its bank details to the hotelier. It deduced from this, without further analysis, that there had been no unauthorised transaction.
This decision, rendered at final instance, did not allow for an appeal. The company RJSAM therefore filed an appeal on a point of law before the Cour de cassation, arguing that the court had failed to apply the rules governing payment services.
The applicable legal framework
The case lies at the heart of the legal regime governing payment services, codified in Articles L. 133-1 et seq. of the Monetary and Financial Code (Code monétaire et financier). These provisions transpose into French law the European Payment Services Directive (PSD2).
Two articles are particularly relevant:
Article L. 133-6 establishes the fundamental principle that a payment transaction is authorised only if the payer has given consent to its execution. This consent must be given in the form agreed between the payer and their payment service provider.
Article L. 133-7 specifies that in the absence of such consent, the transaction is deemed unauthorised. This classification carries significant consequences, including the obligation for the payment service provider to reimburse the amount of the transaction.
The Cour de cassation’s reversal
The Supreme Court quashed the judgment for insufficient legal basis, meaning that the lower court had failed to properly apply the law.
In its reasoning, the Court first restated the principle: a payment transaction may be initiated by the payer who gives a payment order through the payee. However, this transaction is authorised only if the payer has effectively consented to its execution.
The Court then criticised the lower court for limiting its analysis to the finding that the company RJSAM had “voluntarily provided” its bank details. However, this mere provision of information is not sufficient to establish consent to an immediate payment.
The central point of the ruling lies in the obligation for the court to ascertain whether the payment service provider has established proof of the payer’s effective consent. Since the company RJSAM disputed having consented to an immediate payment, asserting that it had merely provided its details for reservation purposes, the lower court was required to verify whether the bank could provide proof to the contrary.
Lessons from the ruling
This ruling contains several important practical lessons.
The distinction between providing information and giving consent
The Court clearly establishes that a distinction must be drawn between the mere provision of bank details and consent to a payment. In many situations, particularly hotel reservations or car hire bookings, bank details are requested as a guarantee without the customer intending to authorise an immediate debit.
The burden of proof
The ruling implicitly clarifies that the burden of proving the payer’s consent to the disputed transaction falls on the payment service provider. This solution is consistent with the protective logic of the payment services regime.
The express nature of consent
Consent to payment must be clearly established. It cannot be inferred from the mere provision of card data. In the context of a telephone conversation, it would therefore be necessary to ensure that the customer has properly understood that a debit will occur and that they expressly consent to it.
Practical implications
For businesses accepting remote card payments, this ruling requires the implementation of clear procedures to obtain and retain evidence of the customer’s express consent to the payment.
For banking institutions, the ruling serves as a reminder that in the event of a disputed payment transaction, they must be able to demonstrate that the customer effectively consented to the payment, and not merely that they provided their bank details.
For consumers and businesses, this case law provides additional protection against unwanted debits resulting from the provision of bank details for purposes other than immediate payment.
