Euro Central Bank to tighten grip on web cash security

Seeks new standards to protect accounts

The European Central Bank (ECB) is consulting on new standards to increase the security of internet payments in the European Union.

The draft recommendations (26-page/991KB PDF) incorporate the work of the European Forum on the Security of Retail Payments (SecuRe Pay), which was set up in 2011 to encourage cooperation between the regulators of European payment service providers (PSPs). PSPs, which include banks, credit card providers and card payment schemes, will be expected to implement the recommendations by July 2014.

"The harmonised, minimum security recommendations are expected to contribute to fighting payment fraud and enhancing consumer trust in such services," the ECB said.

Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said that the recommendations build on the industry's current system of self-regulation for online payments and will add a further layer of measures on top of existing rules such as the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council was set up in 2006 by the global payment companies American Express, Discover, JCB, MasterCard and Visa.

"The payment industry has always worked together to try to drive down fraud," he said. "What these recommendations do is enshrine the existing best practice into law, or at least into more binding rules for European payment service providers."

The recommendations cover card payments made on the internet, including virtual card payment, as well as card details registered for use with "wallet solutions" such as Google Wallet. They also apply to electronic payment mandates, including direct debit agreements set up online.

'Cardholder not present' fraud, where the stolen details of a genuine card are used to make a purchase over the internet, by phone or by mail order, is the most common type of online payment fraud. These transactions amounted to over £220m in fraud in 2011 in the UK alone, according to the National Fraud Authority's Annual Fraud Indicator (58-page/470KB PDF).

The document states that transactions should only be initiated following "strong customer authentication". The ECB recommendations define this as the use of two or more "mutually independent elements" drawn from three categories: something only the user knows, such as a password; something only the user has, for example a card reader or mobile phone; and something only the user "is", a biometric characteristic such as a fingerprint.

"Where there is no or weak authentication procedure in place, in the event of a disputed transaction PSPs cannot provide proof that the customer has authorised the transaction," the document said. "When strong authentication is used, it is for the issuer to prove that the cardholder has acted with gross negligence or intent."

However, PSPs will be able to consider adopting "less stringent" authentication for outgoing payments to "trusted beneficiaries", such as those included on previously established 'white lists' or accounts subject to similar strong authentication, it said.
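The two rules above, strong customer authentication and the relaxed path for trusted beneficiaries, are the kind of thing a PSP's authorisation service ends up encoding as a policy check. The following is an added example written for this page, not code from the ECB, SecuRe Pay or any payment provider. It treats elements verified on the same device or channel as not "mutually independent" (an assumption; the draft does not spell out what independence means), and it relaxes the white-listed-beneficiary case to a single verified element (also an assumption, since the draft only says "less stringent"). The class names, the sample payments and the white list are all constructed for illustration.

```python
"""Policy check for 'strong customer authentication' on an internet payment.

Hypothetical example: not the ECB's, SecuRe Pay's or any PSP's code.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows: password, PIN
    POSSESSION = "possession"  # something only the user has: card reader, phone
    INHERENCE = "inherence"    # something only the user is: fingerprint


@dataclass(frozen=True)
class Evidence:
    factor: Factor
    channel: str    # where the element was verified: "web", "phone-app", "sms", ...
    verified: bool  # outcome of the underlying verification step


@dataclass
class Payment:
    payer: str
    beneficiary: str
    evidence: tuple


@dataclass
class Decision:
    allowed: bool
    reason: str
    factors: frozenset  # categories the PSP could later cite as proof of authorisation


def is_strong(evidence):
    """Strong authentication: verified elements from at least two of the three
    categories, presented on at least two distinct channels.

    Assumption made here: two elements verified over the same channel are not
    mutually independent, because one compromised device yields both (a PIN
    typed into a phone app plus a push code shown on that same phone counts as
    one factor).  With the threshold fixed at two, 'two categories and two
    channels' is exactly the condition for an independent pair: if every
    element shared one category, or every element shared one channel, no two
    of them would be independent.
    """
    ok = [e for e in evidence if e.verified]
    factors = frozenset(e.factor for e in ok)
    channels = {e.channel for e in ok}
    return len(factors) >= 2 and len(channels) >= 2, factors


def authorise(payment, trusted_beneficiaries):
    """Decide whether a payment may be initiated.

    trusted_beneficiaries maps a payer to the beneficiaries on that payer's
    previously established white list.  For those the check is relaxed to a
    single verified element (assumption; the draft only says 'less stringent').
    """
    strong, factors = is_strong(payment.evidence)
    if strong:
        return Decision(True, "strong customer authentication", factors)
    if payment.beneficiary in trusted_beneficiaries.get(payment.payer, ()):
        if factors:
            return Decision(True, "trusted beneficiary, single factor", factors)
        return Decision(False, "trusted beneficiary but no verified element", factors)
    return Decision(False, "fewer than two independent factors", factors)


# Constructed sample inputs (not data from the article).
WHITELIST = {"alice": {"landlord-account"}}

CARD_READER = Payment("alice", "unknown-merchant", (
    Evidence(Factor.KNOWLEDGE, "web", True),           # online banking password
    Evidence(Factor.POSSESSION, "card-reader", True),  # one-time code from reader
))
SAME_PHONE = Payment("alice", "unknown-merchant", (
    Evidence(Factor.KNOWLEDGE, "phone-app", True),     # PIN typed into the app
    Evidence(Factor.POSSESSION, "phone-app", True),    # push code on the same phone
))
WHITELISTED = Payment("alice", "landlord-account", (
    Evidence(Factor.KNOWLEDGE, "web", True),
))
FAILED_OTP = Payment("alice", "unknown-merchant", (
    Evidence(Factor.KNOWLEDGE, "web", True),
    Evidence(Factor.POSSESSION, "sms", False),         # OTP entered wrongly
))

if __name__ == "__main__":
    for name, p in [("card reader", CARD_READER), ("same phone", SAME_PHONE),
                    ("whitelisted", WHITELISTED), ("failed otp", FAILED_OTP)]:
        d = authorise(p, WHITELIST)
        print(f"{name:12} allowed={d.allowed} reason={d.reason}")
```

The `Decision.factors` field is what the document's evidential point turns on: a PSP that can show which two independent categories were verified is in a position to argue the customer authorised the payment, whereas a password-only login leaves it with nothing to cite in a dispute.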

The ECB recommends that PSPs perform regularly updated "specific assessments" of the risks associated with providing internet payment services. PSPs should implement "effective processes" for authorising and monitoring transactions, as well as engage customers in education and awareness-raising programmes.

McFadyen said that one of the more interesting proposals contained in the ECB's recommendations was the introduction of a "liability shift" under the Payment Services Directive, under which retailers would accept liability for a fraudulent transaction if the payment provider can show that a payment was properly authorised. This formalises an existing voluntary shift in liability where MasterCard SecureCode or Verified by Visa is used, he said.

"If the recommendations are accepted then retailers will be expected to apply the same standards as payment providers," he said. "Where this could get interesting is in the situation where a bank compensates a customer for fraudulent activity but the product purchased is one that the retailer can easily cancel in the event of fraud, such as an insurance policy."

"PSPs may wish to look at, in these circumstances, how they could 'claw back' money from retailers who have not suffered any loss," he said.

The document also recommends that customers sign a "dedicated service contract" before a PSP can authorise any "internet payment transactions" using their account, rather than allow PSPs to include any terms as part of a "broader general service contract" also covering online transactions. McFadyen described this as a "potential practical nightmare" for banks and credit card companies.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.
