Euro Central Bank to tighten grip on web cash security

Seeks new standards to protect accounts

The European Central Bank (ECB) is consulting on new standards to increase the security of internet payments in the European Union.

The draft recommendations (26-page/991KB PDF) incorporate the work of the European Forum on the Security of Retail Payments (SecuRe Pay), which was set up in 2011 to encourage cooperation between the regulators of European payment service providers (PSPs). PSPs, which include banks, credit card providers and card payment schemes, will be expected to implement the recommendations by July 2014.

"The harmonised, minimum security recommendations are expected to contribute to fighting payment fraud and enhancing consumer trust in such services," the ECB said.

Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said that the recommendations built on the industry's current system of self-regulation for online payments, and will add a further layer of measures on top of existing rules such as the Payment Card Industry's Data Security Standards (PCI DSS). The PCI was set up in 2006 by global payment companies American Express, Discover, JCB, MasterCard and Visa.

"The payment industry has always worked together to try to drive down fraud," he said. "What these recommendations do is enshrine the existing best practice into law, or at least into more binding rules for European payment service providers."

The recommendations cover card payments made on the internet, including virtual card payment, as well as card details registered for use with "wallet solutions" such as Google Wallet. They also apply to electronic payment mandates, including direct debit agreements set up online.

'Cardholder not present' fraud, where the stolen details of a genuine card are used to make a purchase over the internet, by phone or by mail order, is the most common type of online payment fraud. These transactions amounted to over £220m in fraud in 2011 in the UK alone, according to the National Fraud Authority's Annual Fraud Indicator (58-page/470KB PDF).

The document states that transactions should only be initiated following "strong customer authentication". The ECB recommendations require the use of two or more "mutually independent elements" taken from three categories: something only the user knows, such as a password; something only the user has, for example a card reader or mobile phone; and something only the user "is", meaning a biometric characteristic such as a fingerprint.

"Where there is no or weak authentication procedure in place, in the event of a disputed transaction PSPs cannot provide proof that the customer has authorised the transaction," the document said. "When strong authentication is used, it is for the issuer to prove that the cardholder has acted with gross negligence or intent."

However, PSPs will be able to consider adopting "less stringent" authentication for outgoing payments to "trusted beneficiaries", such as those included on previously established 'white lists' or accounts subject to similar strong authentication, it said.

The ECB recommends that PSPs perform regularly updated "specific assessments" of the risks associated with providing internet payment services. PSPs should implement "effective processes" for authorising and monitoring transactions, as well as engage customers in education and awareness-raising programmes.

McFadyen said that one of the more interesting proposals contained in the ECB's recommendations was the introduction of a "liability shift" under the Payment Services Directive, under which retailers would accept liability for a fraudulent transaction if the payment provider can show that a payment was properly authorised. This formalises an existing voluntary shift in liability where MasterCard SecureCode or Verified by Visa is used, he said.

"If the recommendations are accepted then retailers will be expected to apply the same standards as payment providers," he said. "Where this could get interesting is in the situation where a bank compensates a customer for fraudulent activity but the product purchased is one that the retailer can easily cancel in the event of fraud, such as an insurance policy."

"PSPs may wish to look at, in these circumstances, how they could 'claw back' money from retailers who have not suffered any loss," he said.

The document also recommends that customers sign a "dedicated service contract" before a PSP can authorise any "internet payment transactions" using their account, rather than allow PSPs to include any terms as part of a "broader general service contract" also covering online transactions. McFadyen described this as a "potential practical nightmare" for banks and credit card companies.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
