Security of Internet Payments: Legislative Developments in Europe

On December 19, 2014, the European Banking Authority (EBA) published its final guidelines regarding the security of Internet payments. This blog post provides an overview of the current regulatory and legislative initiatives within the European Union related to the security of Internet payments, with a special emphasis on upcoming requirements related to strong authentication of both customers and transactions.

Background

During the past years, several European governmental and regulatory bodies have taken various legislative and regulatory initiatives regarding the security of Internet and mobile payments across the European Union.

The main drivers for these initiatives are the rising level of fraud observed in Internet payments and security concerns among European citizens. According to the European Central Bank’s Third Report on Card Fraud from February 2014, Card-Not-Present (CNP) fraud within the European Union rose to €794 million in 2012, up more than 20% compared to 2008. Furthermore, according to the European Commission’s Special Eurobarometer on Cyber Security from 2013, about 28% of European citizens do not feel confident about online banking or shopping.

It is remarkable that the US government is currently not taking any steps similar to those of the EU. The EU appears to regard rising fraud levels as a sign of market failure that requires regulators to step in and take corrective action, whereas the US follows a “laissez-faire” policy and leaves it to the market participants to address fraud levels themselves.

In order to provide an answer to rising fraud levels and security concerns, in 2011 the European Central Bank (ECB) created the SecuRe Pay forum, a voluntary cooperation between the 28 national regulators of the European Union. After a period of consultation with parties from both the public and private sector, this forum published its final recommendations for the security of Internet payments in January 2013, followed by a complementary assessment guide in February 2014. In November 2013, SecuRe Pay published its recommendations on the security of mobile payments, but these recommendations are still in draft and it is currently not clear whether there are any plans to publish a final version of them. In order to provide a more solid legal basis to the ECB’s recommendations on Internet payments, in December 2014 the European Banking Authority (EBA) published its final guidelines on the security of Internet payments, which are almost identical to the ECB’s recommendations. Payment Service Providers (PSPs) are expected to comply with these guidelines by August 2015.

At the same time, the European Commission is reviewing the Payment Services Directive (PSD) together with the European Parliament and the Council of Ministers. The most recent draft of the new Payment Services Directive (“PSD2”), published in October 2014, contains several articles on the security of electronic payments, which seem to cover both Internet and mobile payments. PSD2 is expected to come into effect in the spring of 2015, after which it needs to be transposed into national law by the various EU member states. PSD2 also tasks the EBA with developing guidelines and technical standards for strong customer authentication, which are expected to become effective 30 months after PSD2. Once PSD2 comes into force, it will supersede the EBA Guidelines.

Tower 42 at 25 Old Broad Street in London, home to the European Banking Authority

Strong authentication under the EBA Guidelines and PSD2

One of the most critical items in the EBA Guidelines is the requirement for PSPs to perform strong customer authentication in order to verify the customer’s identity before proceeding with an online payment, be it through online banking services or Internet card payments, or when accessing or altering sensitive payment data. According to the EBA Guidelines, strong customer authentication is a procedure based on the use of two or more of the following elements: i) something only the user knows (knowledge, such as a static password or PIN), ii) something only the user possesses (possession, such as a token, smart card, or mobile phone) and iii) something the user is (inherence, such as a fingerprint). In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements must be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the Internet.

As an example, a hardware token generating one-time passwords (OTPs) and protected with a PIN would meet this definition of strong customer authentication, as also explained by the ECB’s assessment guide. The hardware token represents the possession element, while the PIN is the knowledge element. Both elements are independent, as theft of the hardware token does not compromise the PIN, and vice versa. Additionally one-time passwords are not reusable, and it is not feasible to clone the hardware token.

PSD2 goes a step further than the EBA Guidelines and, in Article 87 of the current proposal, requires PSPs to perform strong transaction authentication, linking the transaction to a specific amount and a specific payee. As mentioned above, the EBA will provide technical standards detailing the acceptable authentication mechanisms. Although transaction authentication is already common practice in online banking services in many European countries, this requirement presents a significant step for e-commerce services and may impact the check-out processes of e-commerce merchants.

Revisiting the example above, under PSD2 the hardware token would have to be able to calculate a Message Authentication Code (MAC) or digital signature over the transaction’s amount, payee, and optionally other transaction-related data. The PSP must then verify that MAC or signature against the amount and payee it is actually about to execute, not against values reported by the client: only then does a transaction altered in transit (for instance by malware in the browser) fail verification, which is the point of dynamically linking the authentication to the transaction.
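The difference between a login OTP and a transaction-bound code, shown in working code. This is an added example written for this post; it is not code from the EBA, the ECB, PSD2 or any token vendor. The login OTP is RFC 4226 HOTP (whose published test vectors the block reproduces); the transaction code, its byte encoding, the counter window and the sample IBANs are assumptions made for illustration only.

```python
"""Strong customer authentication (login OTP) versus strong transaction
authentication (OTP bound to amount and payee).

Added example for this post, not code from the EBA, the ECB or any vendor.
The login OTP is RFC 4226 HOTP; the transaction code, its encoding and the
counter window are assumed constructions for illustration.
"""
import hashlib
import hmac
import struct

# Constructed token seed (the RFC 4226 test-vector secret), not a real key.
SECRET = b"12345678901234567890"
DIGITS = 6


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits at an offset taken from the last nibble."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """Plain event-based OTP (RFC 4226). Proves possession of the token, but the
    code says nothing about what the customer is about to pay."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, amount_cents: int, payee: str,
                     digits: int = DIGITS) -> str:
    """OTP dynamically linked to amount and payee (what PSD2 Article 87 asks for).
    Assumed encoding: counter || amount || len(payee) || payee; the length prefix
    keeps the encoding injective, so distinct (amount, payee) pairs never share
    a MAC input."""
    payee_bytes = payee.encode("utf-8")
    msg = struct.pack(">QQH", counter, amount_cents, len(payee_bytes)) + payee_bytes
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


class BankServer:
    """Verifying side: shares the token secret, remembers the last accepted
    counter (replay protection) and recomputes the code over the transaction it
    is actually about to execute, never over what the client claims was signed."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.last_counter = -1
        self.window = window  # look-ahead beyond the last accepted counter

    def _check(self, code: str, expected_for) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(expected_for(c), code):
                self.last_counter = c  # consume the counter so the code cannot be replayed
                return True
        return False

    def login(self, code: str) -> bool:
        """Strong customer authentication: possession of the token (the PIN that
        unlocks it is outside this example)."""
        return self._check(code, lambda c: hotp(self.secret, c))

    def transfer_plain_otp(self, amount_cents: int, payee: str, code: str) -> bool:
        """Authorising a transfer with a login-style OTP: any valid code passes, so
        the server cannot tell whether amount or payee were altered en route."""
        return self._check(code, lambda c: hotp(self.secret, c))

    def transfer(self, amount_cents: int, payee: str, code: str) -> bool:
        """Strong transaction authentication: the code verifies only for the exact
        amount and payee the server is about to execute."""
        return self._check(code, lambda c: transaction_code(self.secret, c, amount_cents, payee))


def mitm_demo() -> dict:
    """Customer intends to pay 100.00 EUR to a known payee; a man-in-the-browser
    rewrites amount and payee before the request reaches the bank.
    IBANs are the published example IBANs, constructed data for this demo."""
    intended = (10_000, "DE89370400440532013000")
    tampered = (999_900, "GB29NWBK60161331926819")
    results = {}

    # Case 1: the server only checks a plain OTP; the tampered transfer goes through.
    weak = BankServer(SECRET)
    results["tampered_accepted_with_plain_otp"] = weak.transfer_plain_otp(*tampered, hotp(SECRET, 0))

    # Case 2: the server demands a transaction-bound code (token counter continues at 1).
    strong = BankServer(SECRET)
    results["login_ok"] = strong.login(hotp(SECRET, 1))
    code = transaction_code(SECRET, 2, *intended)          # what the customer's token signed
    results["tampered_rejected"] = not strong.transfer(*tampered, code)
    results["genuine_accepted"] = strong.transfer(*intended, code)
    results["replay_rejected"] = not strong.transfer(*intended, code)
    return results


if __name__ == "__main__":
    for name, outcome in mitm_demo().items():
        print(f"{name}: {outcome}")
```

The server recomputes the code from the amount and payee it will execute, so the tampered request fails in case 2 while the same OTP would have been accepted in case 1; consuming the counter on success is what stops the genuine code from being replayed. A real deployment would additionally bind the code to a currency and a transaction identifier and rate-limit failed verifications, which this example omits.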

Enforcement of the EBA Guidelines and PSD2

As mentioned above, the EBA Guidelines will come into effect in August 2015. In accordance with Article 16 of the EBA Regulation, competent authorities and financial institutions must make every effort to comply with the guidelines.

However, it is possible for competent authorities (e.g. financial regulators, national banks) to decide not to comply with the guidelines. Competent authorities are expected to notify the EBA whether or not they intend to comply within two months after the publication of the translations of the final guidelines. The EBA will subsequently publish notifications from the competent authorities on its website.

Hence, in the coming weeks and months it will become clear which competent authorities intend to comply. In this respect it is interesting to note that the British Financial Conduct Authority (FCA) writes that it “[…] will begin to assess firms’ implementation of these security measures when the updated Payment Services Directive requirements take effect”, which seems to signal a delay compared to the August 2015 implementation date. On the other hand the Bank of Spain has confirmed compliance with the guidelines. Differences in attitudes among competent authorities might lead to a segmentation within the EU, with some competent authorities adopting the guidelines and others not.

On the other hand, PSD2 will be transposed into the national law of the EU member states, and will therefore be enforced more strictly.

Conclusions

The EBA guidelines on the security of Internet payments will come into effect in August 2015. A critical requirement from these guidelines is the adoption of strong customer authentication mechanisms by PSPs. However, it is important that PSPs anticipate the requirements of PSD2, which will most likely additionally require strong transaction authentication.

Finally it will be noteworthy to see which competent authorities decide to comply with the EBA Guidelines. One of the primary goals of the EBA Guidelines was to create a level-playing field for all PSPs across the EU through harmonization of payment security regulation. However if some competent authorities decide not to comply, PSPs might decide to move to member states with the least stringent regulation.

Update (April 7, 2015): In the meantime the EBA has clarified that it expects competent authorities to indicate whether or not they intend to enforce the EBA Guidelines by May 5th 2015. The EBA will publish the responses of the competent authorities on its website.

CSSF, the competent authority of Luxembourg, issued a circular transposing the EBA Guidelines into national law on February 9th. Similarly, the German BaFin issued a request for comments on the transposition of the EBA Guidelines on February 4th.

Update (April 29, 2015): FCA, the competent authority of the UK, has published a statement on its website regarding the adoption of the EBA Guidelines. They will essentially adopt the EBA Guidelines at the same time as PSD2.


12 comments on Security of Internet Payments: Legislative Developments in Europe

  1. Dear Mr. Mennes I found your blog via Google search “strong transaction authentication”. You say
    “PSD2 goes a step further than the EBA Guidelines and, in Article 87 of the current proposal, requires PSPs to perform strong transaction authentication, linking the transaction to a specific amount and a specific payee. ”

    I cannot find this in Article 87 of the PSD2 paper from July 2013. Can you help me?
    Cheers,
    Bernd Borchert

    • Dear Mr. Borchert,

      Thanks for your feedback. The latest draft of PSD2 dates from October 2014 (see http://data.consilium.europa.eu/doc/document/ST-14314-2014-INIT/en/pdf).

      Article 87.1a says the following:

      “In the case of paragraph 1 (b), for the initiation of remote payment transactions, Member States shall ensure that payment service providers apply strong customer authentication that shall include elements dynamically linking the transaction to a specific amount and a specific payee.”

      This is what is commonly referred to as strong transaction authentication.

      Cheers,

      Frederik

      • Thanks for the reference.

        What do you think, will visualization of the core transaction data also become a part of the definition of strong transaction authentication?
        I think it should. Otherwise, mitm attacks are possible.

        Cheers, Bernd Borchert

      • From a security point of view that’s certainly desirable, but I don’t think that will happen. This would be a major hurdle for many e-commerce players.

        The EBA is expected to publish acceptable authentication mechanisms 30 months after publication of PSD2. This will probably shed some more light on this.

        Frederik

      • The “strong customer authentication” is a hurdle anyway …

        If the coming definition of “strong transaction authentication” does not include visualisation, then something would be called strong that is not strong.

        There is a follow-up paper of the EBA December paper by German BaFin. It requires not only the dependence on the transaction data but also their visualisation. Could this be seen as a kind of foretelling of the coming definition of “strong transaction authentication”?

        Cheers Bernd Borchert

        http://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Konsultation/2015/kon_0215_sicherheit_internetzahlungen.html?nn=2824884

        Paragraph (Tz) 42:
        The essential transaction data must be fed into the generation of the TAN
        and be displayed to the user independently of the primary connection to the
        payment service provider. The two-factor authentication must be designed
        independently of the primary connection to the payment service provider.

      • Thanks for the link to BaFin.

        Tz 42 indeed points towards strong transaction authentication, as defined in PSD2, which is a step beyond the EBA Guidelines. However I’m not sure it also says the transaction data has to be displayed on the authentication device itself. The text does not provide a lot of details related to visualization.

        Frederik

      • Hi Frederik, visualisation on the authentication token is too much anyway, because it would not include the very strong methods flickercode/ChipTAN (Germany) or Rabobank/Vasco PhotoTAN: in both cases the visualisation is not on the authentication token (bank card) but on the reading device.
        Let’s see what definition of “strong transaction authentication” PSD2 brings. Isn’t PSD2 expected already this spring?
        Cheers,
        Bernd Borchert

      • PSD2 is indeed expected to be approved by the European Parliament somewhere this Spring. However since it is a Directive, it subsequently needs to be translated into national law by all EU Member States. This will take another 2 to 3 years. The EBA will also publish its standards about strong authentication mechanisms that are acceptable under PSD2 only 30 months (2.5 years) after the publication of PSD2. So we are looking at the end of 2017 at the earliest …

  2. Derekf says:

    Nice write up. Do you by any chance have a link to the FCA statement dated 29 April 2015? I was unable to find this after searching the FCA site.

    • Hi Derek,

      The statement from FCA dates from April 2. It is available at http://www.fca.org.uk/firms/firm-types/payment-services-institutions, and reads as follows:

      The European Banking Authority (EBA) has published its final Guidelines on the Security of Internet Payments. We are fully supportive of the objectives behind the Guidelines and agree with the importance of consumers being protected against fraud when making payments online. Ensuring the security of payments and the protection of sensitive customer data is a critical part of the infrastructure of robust payment systems.

      Many firms already have in place measures for strong customer authentication, and we would remind payment service providers of their responsibility to ensure consumers’ payments are safe and secure. We will be incorporating the detail of the requirements of the Guidelines into our supervisory framework in line with the revised Payment Services Directive (PSD2) transposition timeline.

      Cheers,

      Frederik

  3. Pingback: Security of Internet Payments – Legislative Developments in Europe (Part 2) | Frederik Mennes

  4. Pingback: Strong Authentication for Online and Mobile Banking: Which solutions comply with the Upcoming PSD2 Requirements? | Frederik Mennes
