An Instagram profile page for the digital banking company Lanistar, seen on 24 November 2020, included text which stated “The world’s most secure payment card”.
Two complainants challenged whether the claim “The world’s most secure payment card” was misleading and could be substantiated.
Lanistar Ltd said that their card operated with several safety mechanisms, which they said no other card was able to offer. The first mechanism was a first-person verification on the card itself with a keypad and display screen. The second mechanism was a one-time, dynamic PIN code that would expire either after use or 60 seconds from issue, whichever came first. After the actual PIN was input directly into the card, it would then be encrypted to generate a single-use PIN which could be used at a point of payment. The third mechanism was a one-time, dynamic CVV2 code, which would expire either after use or 60 seconds from issue, whichever came first. Lanistar said this was again generated by the card using a formula that encrypted the actual four-digit PIN input directly into the card, to generate a single-use three-digit CVV2 code for use online or over the telephone. The last mechanism was that there was limited account information displayed on the card itself.
Lanistar said that existing card providers relied on a PIN number, which was the main security measure associated with card payments where the card was present. They said this method relied on the user maintaining the secrecy of their PIN; however, they said that the PIN had to be keyed into mechanisms over which the user had no control, and this made the security measure relatively easy to compromise. Lanistar said that when a user sought to make a card-not-present transaction, the static security code shown on the reverse of the physical card operated as an additional security step. However, they said that if the card was stolen, everything needed to use the card fraudulently was available. Lanistar said that for devices which had biometric capability, a user relied on protection based on the card and their personal biometric information, both of which could be stolen by a third party. They said that faults had been reported with some biometric readers which allowed access to multiple users in error. Lanistar said that with their card, the card itself and the PIN could not be compromised without the physical card and the knowledge of the PIN. They said the PIN was only ever entered directly into the card by the user in order to generate a one-time PIN valid for one transaction only. Unlike other card providers, the main PIN was never entered into a third-party device. They said it was not possible to conduct a transaction without the card being present and that biometric data was not required.
Lanistar said that if the one-time PIN used for a transaction was compromised, it did not matter because it was not used for future transactions. Lanistar provided documentation referring to a previous version of the payment card, which included a comparison of features against several other payment cards.
There was no information provided alongside the claim “The world’s most secure payment card” and, in that context, the ASA considered consumers would understand it to mean that the features of the Lanistar card were proven to be the most effective at protecting users from fraud compared to payment cards from all other providers.
We understood from Lanistar’s response that the claim was based on their card possessing features that they believed made it more secure than other payment cards. The evidence provided by Lanistar indicated that a range of features of a previous version of the card were not available on six other payment cards. However, the evidence did not appear to relate to the Lanistar card specifically. We also noted that the number of payment cards compared was very limited and that the evidence dated from 2018. We acknowledged that the Lanistar card may have possessed features that were not shared with other payment cards. However, we understood that the card was not yet available to use at the time the ad was published. There was no information, therefore, available that related to how effective the card was at protecting users when used in real life, compared to all other payment cards. Because we considered the evidence was not adequate to substantiate the claim “The world’s most secure payment card”, we concluded that the ad was misleading.
The ad breached CAP Code (Edition 12) rules 3.1 (Misleading advertising), 3.7 (Substantiation) and 3.33 (Comparisons with identifiable competitors). Rule 3.1: Marketing communications must not materially mislead or be likely to do so. Rule 3.7: Before distributing or submitting a marketing communication for publication, marketers must hold documentary evidence to prove claims that consumers are likely to regard as objective and that are capable of objective substantiation. The ASA may regard claims as misleading in the absence of adequate substantiation. Rule 3.33: Marketing communications that include a comparison with an identifiable competitor must not mislead, or be likely to mislead, the consumer about either the advertised product or the competing product.
The ad must not appear again in the form complained about. We told Lanistar Ltd to ensure they held adequate substantiation for claims made in their marketing communications.