Euro Central Bank to tighten grip on web cash security

Seeks new standards to protect accounts

The European Central Bank (ECB) is consulting on new standards to increase the security of internet payments in the European Union.

The draft recommendations (26-page/991KB PDF) incorporate the work of the European Forum on the Security of Retail Payments (SecuRe Pay), which was set up in 2011 to encourage cooperation between the regulators of European payment service providers (PSPs). PSPs, which include banks, credit card providers and card payment schemes, will be expected to implement the recommendations by July 2014.

"The harmonised, minimum security recommendations are expected to contribute to fighting payment fraud and enhancing consumer trust in such services," the ECB said.

Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said that the recommendations built on the industry's current system of self-regulation for online payments, and will add a further layer of measures on top of existing rules such as the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council was set up in 2006 by global payment companies American Express, Discover, JCB, MasterCard and Visa.

"The payment industry has always worked together to try to drive down fraud," he said. "What these recommendations do is enshrine the existing best practice into law, or at least into more binding rules for European payment service providers."

The recommendations cover card payments made on the internet, including virtual card payment, as well as card details registered for use with "wallet solutions" such as Google Wallet. They also apply to electronic payment mandates, including direct debit agreements set up online.

'Cardholder not present' fraud, where the stolen details of a genuine card are used to make a purchase over the internet, by phone or by mail order, is the most common type of online payment fraud. These transactions amounted to over £220m in fraud in 2011 in the UK alone, according to the National Fraud Authority's Annual Fraud Indicator (58-page/470KB PDF).

The document states that transactions should only be initiated following "strong customer authentication". The ECB recommendations require the use of two or more "mutually independent elements" drawn from three categories: something only the user knows, such as a password; something only the user has, for example a card reader or mobile phone; and something only the user "is", a biometric characteristic such as a fingerprint.

"Where there is no or weak authentication procedure in place, in the event of a disputed transaction PSPs cannot provide proof that the customer has authorised the transaction," the document said. "When strong authentication is used, it is for the issuer to prove that the cardholder has acted with gross negligence or intent."

However, PSPs will be able to consider adopting "less stringent" authentication for outgoing payments to "trusted beneficiaries", such as those included on previously established 'white lists' or accounts subject to similar strong authentication, it said.
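The authentication rule and the trusted-beneficiary relaxation described above, as an added worked example rather than code from the ECB document or from any payment provider. The three factor categories are the draft's; the `channel` attribute used to decide whether two elements are "mutually independent" (two factors proven through the same compromised device are treated as not independent), the sample customer "alice", her white list, and the assumption that a white-listed payee still needs at least one verified element are this example's own:

```python
"""Policy check for the draft's 'strong customer authentication' rule.

Added illustration, not code from the ECB document or any PSP. The three
factor categories follow the draft. The 'channel' attribute used to test
mutual independence, and the handling of white-listed beneficiaries, are
this example's own simplifying assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from itertools import combinations
from typing import Dict, Iterable, Set, Tuple


class Factor(Enum):
    KNOWLEDGE = "knows"   # password, PIN
    POSSESSION = "has"    # card reader, mobile phone
    INHERENCE = "is"      # biometric characteristic such as a fingerprint


@dataclass(frozen=True)
class Element:
    factor: Factor
    name: str
    channel: str  # device or path over which the element was verified (assumption)


def is_strong(elements: Iterable[Element]) -> bool:
    """Two or more elements count as strong only if some pair differs in BOTH
    factor category and channel: a second knowledge factor adds nothing, and
    two factors proven through one compromised device are not 'mutually
    independent' under this example's interpretation."""
    return any(a.factor != b.factor and a.channel != b.channel
               for a, b in combinations(list(elements), 2))


@dataclass(frozen=True)
class Payment:
    payer: str
    beneficiary: str
    amount_cents: int


def authorise(payment: Payment, elements: Iterable[Element],
              white_lists: Dict[str, Set[str]]) -> Tuple[bool, str]:
    """Return (allowed, reason). Strong authentication always suffices; a
    beneficiary on the payer's white list may be paid with weaker
    authentication, but (assumption) never with none at all."""
    elements = list(elements)
    if is_strong(elements):
        return True, "strong customer authentication"
    if payment.beneficiary in white_lists.get(payment.payer, set()):
        if elements:
            return True, "trusted beneficiary: less stringent authentication accepted"
        return False, "trusted beneficiary, but no authentication element presented"
    return False, "strong customer authentication required"


# Constructed sample elements for a hypothetical customer "alice".
PASSWORD = Element(Factor.KNOWLEDGE, "online banking password", "browser")
CARD_PIN = Element(Factor.KNOWLEDGE, "card PIN", "browser")
SMS_CODE = Element(Factor.POSSESSION, "one-time code sent to registered phone", "phone")
APP_PASSWORD = Element(Factor.KNOWLEDGE, "password typed into banking app", "phone")
APP_TOKEN = Element(Factor.POSSESSION, "software token on the same phone", "phone")
FINGERPRINT = Element(Factor.INHERENCE, "fingerprint on card reader", "card-reader")

WHITE_LISTS = {"alice": {"water-utility"}}          # constructed white list
TO_MERCHANT = Payment("alice", "online-shop", 4999)  # not white-listed
TO_UTILITY = Payment("alice", "water-utility", 12000)  # white-listed


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the representative cases and return their decisions."""
    return {
        "password + PIN, merchant": authorise(TO_MERCHANT, [PASSWORD, CARD_PIN], WHITE_LISTS),
        "password + SMS code, merchant": authorise(TO_MERCHANT, [PASSWORD, SMS_CODE], WHITE_LISTS),
        "app password + app token, merchant": authorise(TO_MERCHANT, [APP_PASSWORD, APP_TOKEN], WHITE_LISTS),
        "fingerprint + SMS code, merchant": authorise(TO_MERCHANT, [FINGERPRINT, SMS_CODE], WHITE_LISTS),
        "password only, white-listed utility": authorise(TO_UTILITY, [PASSWORD], WHITE_LISTS),
        "no element, white-listed utility": authorise(TO_UTILITY, [], WHITE_LISTS),
    }


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{'ALLOW ' if allowed else 'REJECT'} {case}: {reason}")
```

The two rejected merchant cases are the ones a practitioner should watch for: a password plus a card PIN is two knowledge factors, and a password plus a software token on the same handset is two factors that fall together when that handset is compromised. Neither is strong authentication in this model, however many prompts the customer sees.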

The ECB recommends that PSPs perform regularly updated "specific assessments" of the risks associated with providing internet payment services. PSPs should implement "effective processes" for authorising and monitoring transactions, as well as engage customers in education and awareness-raising programmes.

McFadyen said that one of the more interesting proposals contained in the ECB's recommendations was the introduction of a "liability shift" under the Payment Services Directive, under which retailers would accept liability for a fraudulent transaction if the payment provider can show that a payment was properly authorised. This formalises an existing voluntary shift in liability where MasterCard SecureCode or Verified by Visa is used, he said.

"If the recommendations are accepted then retailers will be expected to apply the same standards as payment providers," he said. "Where this could get interesting is in the situation where a bank compensates a customer for fraudulent activity but the product purchased is one that the retailer can easily cancel in the event of fraud, such as an insurance policy."

"PSPs may wish to look at, in these circumstances, how they could 'claw back' money from retailers who have not suffered any loss," he said.

The document also recommends that customers sign a "dedicated service contract" before a PSP can authorise any "internet payment transactions" using their account, rather than allow PSPs to include any terms as part of a "broader general service contract" also covering online transactions. McFadyen described this as a "potential practical nightmare" for banks and credit card companies.

Copyright © 2012, Out-Law.com

Out-Law.com is part of international law firm Pinsent Masons.