31 March 2015
European Union Regulatory Initiatives Impacting the Security of Euro Payments: the 2015 Outlook
This is a guest blog post from Javier Santamaría, Chair of the European Payments Council (EPC).
Regulatory action rolling out in 2015 will determine the foreseeable future with regard to the security of payments in Europe.
The European Commission published its proposal for the revised Payment Services Directive (PSD2) on 24 July 2013. This draft legislative act has been reviewed, respectively, by the European Parliament and the Council of the EU representing EU Member States. During the so-called ‘trilogue’ process, the European Commission, the European Parliament and the Council of the EU will have to agree the final version of the forthcoming PSD2. Provided that there are no delays, it could be adopted later in 2015, and be implemented in national legislation some two years after its adoption.
With the proposed PSD2, the Commission introduces the notion of ‘third party payment service provider (TPP)’, which is relevant, specifically, to the security of payments. TPPs are described in PSD2 as payment service providers (PSPs) pursuing business activities which are based on access to payment accounts provided by a PSP who is not the ‘account servicing’ PSP, in the form of (a) payment initiation services and / or (b) account information services. Payment account access services are now also offered by ‘third-party service providers’ that are often merely non-licensed service providers and not PSPs. Unlike PSPs, non-licensed third-party service providers offering payment account access services are currently not subject to supervisory requirements.
PSD2: no sharing of personalised security credentials with third parties
The European Payments Council (EPC) strongly recommends maintaining the principle that a consumer should never have to share his or her personal security credentials with third parties. This is a pre-condition to ensuring the continued security of consumers’ funds and data in the online banking environment. The European Commission however, proposes abandoning the principle established with Article 56 of the PSD currently in effect that under no circumstances should a consumer share his or her personalised security credentials with third parties. Personalised security features include, for example, passwords and personal identification numbers (PINs) as well as mobile or indexed transaction authorisation numbers (TANs). Third parties are any party other than the account servicing PSP issuing such credentials to the account holder (the consumer).
The EPC stresses that personalised security credentials are developed by an account servicing PSP – and issued to the account holding consumer – to mitigate specific security threats. The risks involved in the sharing of credentials such as, for example, mobile TANs, result from the overall security context in which internet payments are conducted. Generally speaking, it is obvious that risks will increase as more communication channels are involved in a remote payment and in the handling of consumer credentials. If the EU lawmaker invites consumers to share their personal credentials with third parties, then consumers would be exposed to, among other risks, the risk of impersonation, i.e. identity theft. Lowering consumer protection standards would, therefore, decrease security and, in consequence, increase the risk of infringing on privacy.
Weakening the requirement to maintain confidentiality of personalised security credentials would also counteract long-standing efforts carried out by consumer organisations and PSPs to date helping consumers to safely make online payments. Communication with bank customers today, in line with the principles established with the PSD in effect, is based on a clear message: personalised security credentials serve as your firewall against security threats in the online banking environment. Therefore, do not disclose these credentials to third parties. If the EU lawmakers endorse the PSD2 as proposed by the Commission, PSPs would have to communicate to consumers that they may disclose their credentials to some third parties, namely, TPPs operating in accordance with the PSD2. Consumers would have to acquire the expertise required to identify TPPs. Contrary to the stated intentions of the Commission, this appears to put a burden on, and create confusion for, consumers rather than improve their payment experience and promote secure electronic commerce.
Network and Information Security Directive: state of play
In February 2013, the European Commission tabled its proposal for a ‘Directive of the European Parliament and of the Council [of the EU] concerning measures to ensure a high common level of network and information security across the Union’ (NIS Directive). It aims at promoting online security through a combination of voluntary and regulatory measures. The Council of the EU commented on 19 November 2014 that the main outstanding issue concerns the scope of the proposal. Whereas the Council of the EU text would allow EU Member States to assess, on the basis of defined criteria, whether or not certain operators in identified sectors would be subject to the obligations regarding security requirements and incident notifications in the forthcoming NIS Directive, the European Parliament “envisages an approach whereby all operators in all of the sectors identified are subject to the obligations but with a possible varying degree of providing evidence of effective implementation of security policies”. In March 2015, the Council of the EU announced that the “Latvian presidency of the Council is ready to resume informal trilogue meetings with the European Parliament with a view to reaching a deal” on the NIS Directive.
European Banking Authority guidelines on the security of internet payments come into force in August 2015
In October 2014, the European Banking Authority (EBA) published a consultation paper on the implementation of its guidelines on the security of internet payments. The paper was based on the recommendations of the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary cooperative initiative between relevant authorities from the European Economic Area, which were released in January 2013 with an implementation deadline of 1 February 2015. The conversion of SecuRe Pay recommendations into EBA guidelines was intended to provide a solid legal basis in order to ensure consistent implementation across all EU Member States and to reassure financial institutions that the required investment and system changes have a consistent regulatory framework. Following the outcome of the public consultation, the EBA decided to issue its guidelines to come into force in August 2015. The guidelines cover three main categories: the general control and security environment, specific control and security measures for internet payments, and customer awareness, education and communication. An essential element of the EBA guidelines is the reliance on the concept of strong customer authentication.
Considering the plethora of regulatory initiatives aimed at ensuring the security of payments now in the pipeline, the EPC reiterates the need to carefully coordinate efforts with a view to ensuring consistency, legal certainty, balance, technology neutrality and a level playing field amongst all players.
This article has previously been published on the EPC blog.