Euro Central Bank to tighten grip on web cash security
Seeks new standards to protect accounts
The European Central Bank (ECB) is consulting on new standards to increase the security of internet payments in the European Union.
The draft recommendations (26-page/991KB PDF) incorporate the work of the European Forum on the Security of Retail Payments (SecuRe Pay), which was set up in 2011 to encourage cooperation between the regulators of European payment service providers (PSPs). PSPs, which include banks, credit card providers, and card payment schemes will be expected to implement the recommendations by July 2014.
"The harmonised, minimum security recommendations are expected to contribute to fighting payment fraud and enhancing consumer trust in such services," the ECB said.
Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said that the recommendations built on the industry's current system of self-regulation for online payments, and will add a further layer of measures on top existing rules such as the Payment Card Industry's Data Security Standards (PCI DSS). The PCI was set up in 2006 by global payment companies American Express, Discover, JCB, MasterCard and Visa.
"The payment industry has always worked together to try to drive down fraud," he said. "What these recommendations do is enshrine the existing best practice into law, or at least into more binding rules for European payment service providers."
The recommendations cover card payments made on the internet, including virtual card payment, as well as card details registered for use with "wallet solutions" such as Google Wallet. They also apply to electronic payment mandates, including direct debit agreements set up online.
'Cardholder not present' fraud, where the stolen details of a genuine card are used to make a purchase over the internet, by phone or by mail order, is the most common type of online payment fraud. These transactions amounted to over £220m in fraud in 2011 in the UK alone, according to the National Fraud Authority's Annual Fraud Indicator (58-page/470KB PDF).
The document states that transactions should only be initiated following "strong customer authentication". The ECB recommendations require the use of two or more "mutually independent elements" taken from something only the user knows, such as a password, something only the user has, for example a card reader or mobile phone and something only the user "is" – a biometric characteristic such as a fingerprint.
"Where there is no or weak authentication procedure in place, in the event of a disputed transaction PSPs cannot provide proof that the customer has authorised the transaction," the document said. "When strong authentication it used, it is for the issuer to prove that the cardholder has acted with gross negligence or intent."
However, PSPs will be able to consider adopting "less stringent" authentication for outgoing payments to "trusted beneficiaries", such as those included on previously established 'white lists' or accounts subject to similar strong authentication, it said.
The ECB recommends that PSPs perform regularly updated "specific assessments" of the risks associated with providing internet payment services. PSPs should implement "effective processes" for authorising and monitoring transactions, as well as engage customers in education and awareness-raising programmes.
McFadyen said that one of the more interesting proposals contained in the ECB's recommendations was the introduction of a "liability shift" under the Payment Services Directive, under which retailers would accept liability for a fraudulent transaction if the payment provider can show that a payment was properly authorised. This formalises an existing voluntary shift in liability where MasterCard SecureCode or Verified by Visa is used, he said.
"If the recommendations are accepted then retailers will be expected to apply the same standards as payment providers," he said. "Where this could get interesting is in the situation where a bank compensates a customer for fraudulent activity but the product purchased is one that the retailer can easily cancel in the event of fraud, such as an insurance policy."
"PSPs may wish to look at, in these circumstances, how they could "claw back" money from retailers who have not suffered any loss", he said.
The document also recommends that customers sign a "dedicated service contract" before a PSP can authorise any "internet payment transactions" using their account, rather than allow PSPs to include any terms as part of a "broader general service contract" also covering online transactions. McFadyen described this as a "potential practical nightmare" for banks and credit card companies.
Copyright © 2012, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.
Come see the lies inherent in the banking system.
If you can't pay anonymously with it, it's not cash. It's that simple.
The payments industry may dislike fraud collectively, but that hasn't driven them to adopt less horribly broken-as-designed systems in a timely fashion. Why did chip&pin take so long to deploy, and how could it be that a few Cambridge boffins could shoot holes in it in so easily? They were against the best and brightest of that highly-paid breed, banking technologists!
Similarly, why are we still using credit cards, where the pinnacle of security is the addition of three extra digits printed /on the back of the card/? All the "innovation" seems to focus on new ways to part the customer from his money in the name of, well, ease of use I suppose, down to having cards broadcast "im in ur walletz, spendin ur cash". That's internet-age invention for the banking system.
And what is the ECB proposing to do about it? Lock down the client's identity, forwards, backwards, sideways. Overlook that keeping sensitive information is itself a liability. Formalise blaming the merchant. For that's what visa and mastercard already did: Anything goes wrong, reverse the transaction and leave the merchant without product and without payment. How is that an incentive for the payment processors to do better?
Look, you. If you'd wanted to be part of the solution you'd at least tried to figure out how to do electronic payments safely and securely and anonymously both. Fix that, and you needn't protect the system by making the customer or the merchant suffer. That's what you promised to do in the first place, only you're not living up to it. Nice to see the ECB backing this cartel of, oh hey, American-owned large companies.