Euro Central Bank to tighten grip on web cash security
Seeks new standards to protect accounts
The European Central Bank (ECB) is consulting on new standards to increase the security of internet payments in the European Union.
The draft recommendations (26-page/991KB PDF) incorporate the work of the European Forum on the Security of Retail Payments (SecuRe Pay), which was set up in 2011 to encourage cooperation between the regulators of European payment service providers (PSPs). PSPs, which include banks, credit card providers, and card payment schemes will be expected to implement the recommendations by July 2014.
"The harmonised, minimum security recommendations are expected to contribute to fighting payment fraud and enhancing consumer trust in such services," the ECB said.
Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said that the recommendations built on the industry's current system of self-regulation for online payments, and will add a further layer of measures on top existing rules such as the Payment Card Industry's Data Security Standards (PCI DSS). The PCI was set up in 2006 by global payment companies American Express, Discover, JCB, MasterCard and Visa.
"The payment industry has always worked together to try to drive down fraud," he said. "What these recommendations do is enshrine the existing best practice into law, or at least into more binding rules for European payment service providers."
The recommendations cover card payments made on the internet, including virtual card payment, as well as card details registered for use with "wallet solutions" such as Google Wallet. They also apply to electronic payment mandates, including direct debit agreements set up online.
'Cardholder not present' fraud, where the stolen details of a genuine card are used to make a purchase over the internet, by phone or by mail order, is the most common type of online payment fraud. These transactions amounted to over £220m in fraud in 2011 in the UK alone, according to the National Fraud Authority's Annual Fraud Indicator (58-page/470KB PDF).
The document states that transactions should only be initiated following "strong customer authentication". The ECB recommendations require the use of two or more "mutually independent elements" taken from something only the user knows, such as a password, something only the user has, for example a card reader or mobile phone and something only the user "is" – a biometric characteristic such as a fingerprint.
"Where there is no or weak authentication procedure in place, in the event of a disputed transaction PSPs cannot provide proof that the customer has authorised the transaction," the document said. "When strong authentication it used, it is for the issuer to prove that the cardholder has acted with gross negligence or intent."
However, PSPs will be able to consider adopting "less stringent" authentication for outgoing payments to "trusted beneficiaries", such as those included on previously established 'white lists' or accounts subject to similar strong authentication, it said.
The ECB recommends that PSPs perform regularly updated "specific assessments" of the risks associated with providing internet payment services. PSPs should implement "effective processes" for authorising and monitoring transactions, as well as engage customers in education and awareness-raising programmes.
McFadyen said that one of the more interesting proposals contained in the ECB's recommendations was the introduction of a "liability shift" under the Payment Services Directive, under which retailers would accept liability for a fraudulent transaction if the payment provider can show that a payment was properly authorised. This formalises an existing voluntary shift in liability where MasterCard SecureCode or Verified by Visa is used, he said.
"If the recommendations are accepted then retailers will be expected to apply the same standards as payment providers," he said. "Where this could get interesting is in the situation where a bank compensates a customer for fraudulent activity but the product purchased is one that the retailer can easily cancel in the event of fraud, such as an insurance policy."
"PSPs may wish to look at, in these circumstances, how they could "claw back" money from retailers who have not suffered any loss", he said.
The document also recommends that customers sign a "dedicated service contract" before a PSP can authorise any "internet payment transactions" using their account, rather than allow PSPs to include any terms as part of a "broader general service contract" also covering online transactions. McFadyen described this as a "potential practical nightmare" for banks and credit card companies.
Copyright © 2012, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.
Sponsored: Global IT security risks report