On December 19, 2014, the European Banking Authority (EBA) published its final guidelines regarding the security of Internet payments. This blog post provides an overview of the current regulatory and legislative initiatives within the European Union related to the security of Internet payments, with a special emphasis on upcoming requirements related to strong authentication of both customers and transactions.
During the past years, several European governmental and regulatory bodies have taken various legislative and regulatory initiatives regarding the security of Internet and mobile payments across the European Union.
The main drivers for these initiatives are the rising level of fraud observed in Internet payments, and security concerns among European citizens. According to the European Central Bank’s Third Report on Card Fraud from February 2014, Card-Not-Present (CNP) fraud within the European Union rose to €794 million in 2012, up more than 20% compared to 2008. Furthermore, according to the European Commission’s Special Eurobarometer on Cyber Security from 2013, about 28% of European citizens do not feel confident about online banking or shopping.
It is remarkable that the US government is currently taking no steps comparable to those of the EU. The EU appears to see rising fraud levels as a sign of market failure requiring regulators to step in and take corrective action, while the US adopts a “laissez-faire” policy and leaves it to the market participants to address fraud levels themselves.
In order to provide an answer to rising fraud levels and security concerns, in 2011 the European Central Bank (ECB) created the SecuRe Pay forum, a voluntary cooperation between the 28 national regulators of the European Union. After a period of consultation with parties from both the public and private sector, this forum published its final recommendations for the security of Internet payments in January 2013, followed by a complementary assessment guide in February 2014. In November 2013, SecuRe Pay published its recommendations on the security of mobile payments, but these recommendations are still in draft and it is currently not clear whether there are any plans to publish a final version of them. In order to provide a more solid legal basis to the ECB’s recommendations on Internet payments, in December 2014 the European Banking Authority (EBA) published its final guidelines on the security of Internet payments, which are almost identical to the ECB’s recommendations. Payment Service Providers (PSPs) are expected to comply with these guidelines by August 2015.
At the same time, the European Commission is reviewing the Payment Services Directive (PSD) together with the European Parliament and the European Council of Ministers. The most recent draft of the new Payment Services Directive (“PSD2”), published in October 2014, contains several articles on the security of electronic payments, which seem to cover both Internet and mobile payments. PSD2 is expected to come into effect in the spring of 2015, after which it needs to be transposed into national law by the various EU member states. PSD2 also tasks the EBA with developing guidelines and technical standards for strong customer authentication, which are expected to become effective 30 months after PSD2. Once PSD2 comes into force, it will supersede the EBA Guidelines.
Strong authentication under the EBA Guidelines and PSD2
One of the most critical items in the EBA Guidelines is the requirement for PSPs to perform strong customer authentication in order to verify the customer’s identity before proceeding with an online payment, be it through online banking services or Internet card payments, or when accessing or altering sensitive payment data. According to the EBA Guidelines, strong customer authentication is a procedure based on the use of two or more of the following elements: i) something only the user knows (knowledge, such as a static password or PIN), ii) something only the user possesses (possession, such as a token, smart card, or mobile phone) and iii) something the user is (inherence, such as a fingerprint). In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the Internet.
As an example, a hardware token generating one-time passwords (OTPs) and protected with a PIN would meet this definition of strong customer authentication, as also explained in the ECB’s assessment guide. The hardware token represents the possession element, while the PIN is the knowledge element. The two elements are independent: theft of the hardware token does not reveal the PIN, and disclosure of the PIN is of no use without the token. Additionally, one-time passwords are not reusable, and cloning the hardware token is not feasible.
PSD2 goes a step further than the EBA Guidelines and, in Article 87 of the current proposal, requires PSPs to perform strong transaction authentication, linking the transaction to a specific amount and a specific payee. As mentioned above, the EBA will provide technical standards detailing the acceptable authentication mechanisms. Although transaction authentication is already common practice in online banking services in many European countries, this requirement presents a significant step for e-commerce services and may impact the check-out processes of e-commerce merchants.
Revisiting the example above, under PSD2 the hardware token would have to be able to calculate a Message Authentication Code (MAC) or digital signature over the transaction’s amount and payee, and optionally other transaction-related data, so that a code computed for one transaction cannot be used to authorise a different one. A plain OTP only proves that the customer holds the token; it does not tell the bank which transaction the customer intended to approve.
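The following Python is an added example written for this post; it is not code from the original article and does not represent any vendor’s token. It simulates both levels described above: an HMAC-based token that either produces a counter-only login OTP (customer authentication, as in the EBA Guidelines) or a code bound to amount and payee (transaction authentication, as in the PSD2 proposal), and a bank that verifies each code over the transaction it actually received. The seed, the two IBANs (the usual example IBANs) and the man-in-the-browser scenario are constructed for the example; the HOTP-style truncation follows RFC 4226.

```python
import hashlib
import hmac
import struct


def canonical_tx(amount_cents: int, payee_iban: str) -> bytes:
    """Canonical byte encoding of the transaction details that both the token
    and the bank MAC. Without a fixed encoding, '100.00' vs '100,00' or an IBAN
    with and without spaces would yield different codes for the same transaction."""
    iban = payee_iban.replace(" ", "").upper().encode("ascii")
    return struct.pack(">Q", amount_cents) + iban


def truncate(digest: bytes, digits: int = 8) -> str:
    """HOTP-style dynamic truncation (RFC 4226, section 5.3) to a short
    numeric code the customer can type into a web form."""
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Token:
    """Simulated PIN-protected hardware token (possession element).
    The seed is shared with the bank at enrolment and never leaves the device."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._counter = 0  # moving factor: every code is single-use

    def _code(self, payload: bytes) -> tuple[int, str]:
        counter = self._counter
        self._counter += 1
        mac = hmac.new(self._seed, struct.pack(">Q", counter) + payload, hashlib.sha256).digest()
        return counter, truncate(mac)

    def login_otp(self) -> tuple[int, str]:
        """Customer authentication only: proves possession, but says nothing
        about which transaction the customer is approving."""
        return self._code(b"")

    def transaction_code(self, amount_cents: int, payee_iban: str) -> tuple[int, str]:
        """Transaction authentication: the code is bound to amount and payee.
        A real token would show both on its own display for the customer to
        confirm before computing the code (what-you-see-is-what-you-sign)."""
        return self._code(canonical_tx(amount_cents, payee_iban))


class Bank:
    """Server side: holds the same seed and verifies the codes."""

    def __init__(self, seed: bytes):
        self._seed = seed
        self._last_counter = -1  # simple replay protection; real HOTP uses a look-ahead window

    def _verify(self, counter: int, code: str, payload: bytes) -> bool:
        if counter <= self._last_counter:
            return False  # non-reusable element: a replayed code is rejected
        mac = hmac.new(self._seed, struct.pack(">Q", counter) + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(truncate(mac), code):
            return False
        self._last_counter = counter
        return True

    def verify_login(self, counter: int, code: str) -> bool:
        return self._verify(counter, code, b"")

    def verify_transaction(self, counter: int, code: str, amount_cents: int, payee_iban: str) -> bool:
        # The bank MACs the order it is about to execute, not what the customer
        # saw; if malware altered the order in transit, the codes differ.
        return self._verify(counter, code, canonical_tx(amount_cents, payee_iban))


def run_scenario() -> dict:
    """Customer intends EUR 100.00 to the intended payee; browser malware
    rewrites the order to EUR 5000.00 to an attacker's account in transit."""
    seed = hashlib.sha256(b"constructed demo seed, not for production").digest()
    token, bank = Token(seed), Bank(seed)
    intended = (10_000, "DE89 3704 0044 0532 0130 00")   # constructed sample IBAN
    tampered = (500_000, "GB29 NWBK 6016 1331 9268 19")  # constructed sample IBAN

    results = {}
    # 1) OTP only (EBA Guidelines level): the bank can only check possession,
    #    so the tampered order is accepted together with a genuine code.
    counter, code = token.login_otp()
    results["otp_accepts_tampered_tx"] = bank.verify_login(counter, code)

    # 2) Transaction-bound code (PSD2 level): computed over what the customer
    #    confirmed, verified over what the bank received.
    counter, code = token.transaction_code(*intended)
    results["tx_code_rejects_tampered_tx"] = not bank.verify_transaction(counter, code, *tampered)
    results["tx_code_accepts_intended_tx"] = bank.verify_transaction(counter, code, *intended)
    results["tx_code_rejects_replay"] = not bank.verify_transaction(counter, code, *intended)
    return results


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {ok}")
```

The point of the scenario is the first result: a valid OTP is accepted for a transaction the customer never saw, because nothing in the code depends on the transaction. Binding the MAC to amount and payee closes that gap only if the customer confirms those values on the token itself, not in the (possibly compromised) browser.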
Enforcement of the EBA Guidelines and PSD2
As mentioned above, the EBA Guidelines will come into effect in August 2015. In accordance with Article 16 of the EBA Regulation, competent authorities and financial institutions must make every effort to comply with the guidelines.
However, it is possible for competent authorities (e.g. financial regulators, national banks) to decide not to comply with the guidelines. Competent authorities are expected to notify the EBA whether or not they intend to comply within two months after the publication of the translations of the final guidelines. The EBA will subsequently publish notifications from the competent authorities on its website.
Hence, in the coming weeks and months it will become clear which competent authorities intend to comply. In this respect it is interesting to note that the UK’s Financial Conduct Authority (FCA) writes that it “[…] will begin to assess firms’ implementation of these security measures when the updated Payment Services Directive requirements take effect”, which seems to signal a delay compared to the August 2015 implementation date. The Bank of Spain, on the other hand, has confirmed that it will comply with the guidelines. Differences in attitude among competent authorities might lead to fragmentation within the EU, with some competent authorities adopting the guidelines and others not.
PSD2, by contrast, will be transposed into the national law of the EU member states, and will therefore be enforced more strictly.
The EBA guidelines on the security of Internet payments will come into effect in August 2015. A critical requirement from these guidelines is the adoption of strong customer authentication mechanisms by PSPs. However, it is important that PSPs anticipate the requirements of PSD2, which will most likely additionally require strong transaction authentication.
Finally, it will be interesting to see which competent authorities decide to comply with the EBA Guidelines. One of the primary goals of the EBA Guidelines was to create a level playing field for all PSPs across the EU through harmonisation of payment security regulation. However, if some competent authorities decide not to comply, PSPs might decide to move to member states with the least stringent regulation.
Update (April 7, 2015): In the meantime the EBA has clarified that it expects competent authorities to indicate whether or not they intend to enforce the EBA Guidelines by May 5th 2015. The EBA will publish the responses of the competent authorities on its website.
CSSF, the competent authority of Luxembourg, issued a circular on February 9th transposing the EBA Guidelines into national law. Similarly, BaFin, the German competent authority, issued a request for comments on the transposition of the EBA Guidelines on February 4th.
Update (April 29, 2015): FCA, the competent authority of the UK, has published a statement on its website regarding the adoption of the EBA Guidelines. They will essentially adopt the EBA Guidelines at the same time as PSD2.