4 PAYMENT CARD SECURITY IN THE CONTEXT OF EUROPEAN HARMONISATION

Transcription

1 4 PAYMENT CARD SECURITY IN THE CONTEXT OF EUROPEAN HARMONISATION The Observatory for Payment Cards Security took note of the development in 2005 of two proposals for harmonising card payments in Europe. In September 2005, the European Payments Council (EPC) a body of the European banking industry developing rules for the interoperability of payment instruments aiming at the creation of a Single Euro Payments Area (SEPA) adopted the SEPA Cards Framework (SCF), a framework for the interoperability of general-purpose payment cards scheduled to become operational in January 2008 and fully-fledged by January In December 2005, the European Commission sent the European Council and the European Parliament its proposal for a Directive on Payment Services in the Internal Market. The draft Directive is intended to harmonise the legal framework for non-cash payments in Europe, whatever of the means of payment and the currency used. As these two projects will have a significant impact on the rules for issuing and using French payment cards, the Observatory examined them from a security point of view. Regarding the SCF, the Observatory welcomes the choice of EMV chip cards as the supporting technology for card payments in Europe. The Observatory nevertheless encourages all of the stakeholders to define specific, harmonised implementation procedures, so that the expected benefits in terms of security can be realised without adverse effects on competition. As for the Directive on payment services, the Observatory welcomes the adoption of a common European legal framework, but feels that the prudential requirements associated with the new statute of payment institutions (which will be authorized to issue and manage means of payment) are not sufficient to ensure financial and legal security for means of payment. 4 1 The SEPA Cards Framework (SCF) The SEPA Cards Framework (SCF) is one of three SEPA initiatives directed by the EPC, the other two being SEPA direct debit (SDD), the creation of a single European payment scheme for direct debit; and SEPA credit transfer (SCT), the creation of a single European payment scheme for credit transfers. The objective of the SCF is to put in place beginning in 2008 and with full implementation in 2010 a single area for card payments in Europe. This initiative is Observatory for Payment Card Security 2005 Report 39

2 aimed at general purpose cards: four-party cards accepted by a large European network of merchants. 14 It will thus be possible to use an SCF-compliant card throughout the SEPA area under the same conditions as in the current national areas. (For example, in France, cards complying with the SCF will benefit from the principle of interbanking, which has been observed in France since the 1980s.) At this stage, three options for achieving that objective are being considered: Exclusive reliance on the international card systems (Visa and Mastercard); Co-branding between domestic card systems and the international systems (as is currently the case for CB cards); The creation of a pan-european card network, constructed from one or more national or international card systems. Implementation of the SCF presupposes harmonisation in the standards and principles governing the functioning of payment cards. The Observatory hopes that this harmonisation will provide an opportunity to reinforce the security of card payments in Europe. The Observatory welcomes the contribution to security made by the framework proposed by the EPC, but considers that more progress still needs to be made in defining common security objectives in the SEPA area, and feels that it should be stated clearly that security cannot be allowed to be a factor in competition. Real progress in terms of security The Observatory considers that implementation of the SCF can have a positive impact on the security of payment cards and can reduce the risk of fraud, especially for cross-border transactions. The SCF's principal contribution to security is the adoption of the EMV chip card (see box 11). The SCF expects that all countries in the SEPA area will have adopted this type of card by The Observatory welcomes this objective, which aims at generalising the use of the Chip and PIN model for payment cards, in which cardholders must identify themselves in each withdrawal or payment transaction by entering their Personal Identification Number (PIN). The chip payment card (used by the French CB four-party card system since 1992) will thus replace the magnetic stripe payment card in all countries of the SEPA area. The Observatory welcomes the prospect that the magnetic technology, which is more fragile in terms of security, would be used less, or even disappear completely, at least from the SEPA area. The Observatory salutes the willingness shown by European banks to strengthen their cooperation in preventing and combating fraud by studying the opportunity and feasibility of a pan-european database of all incidents of card payment fraud within the SEPA 14 I.e. for payments in Euro, the European Union and the European Free Trade Association (EFTA): Switzerland, Norway, Liechtenstein, and Iceland Rapport Observatory for Payment Card Security

3 15 area. Such a database could aid in the fight against fraud and thereby strengthen public confidence in this payment instrument within the SEPA area. Box 11 the EMV chip card EMV is a standard established in the 1990s by three international card systems (Europay, Mastercard, and Visa) to define the interactions between chip cards and payment terminals. The standard is currently managed by the EMVCo consortium, which consists of MasterCard, VISA, and the Japanese JCB system. EMV defines the interaction between the payment card and the terminal at the level of physical and electronic characteristics and of format of data elements to be exchanged. Several different implementations of the EMV standards are possible, and it is therefore possible that national banking industries have chosen different versions, depending on their timetable for migrating to EMV and their specific needs. Most of the EMV implementations identify the cardholder by the entry of a personal code (the Chip and PIN model), although this is not strictly required. Promoting strong security within the SEPA area While the adoption of EMV will improve security in the interaction between payment cards and terminals, the Observatory considers that strengthening the security of card payments also requires: Adopting technical security standards for all types of interaction between the parties to a card transaction: cardholder to terminal, merchant to acquirer, and acquirer to issuer; and Improving the conditions for security certification of cards and terminals. Defining technical security standards for all types of interaction between the parties to a card transaction At present, technical security standards differ considerably from one card payment system to the next. This is a source of inefficiency and vulnerability to fraud whenever transactions pass through several systems (for example, in cross-border transactions). Work on standardisation has been undertaken, particularly in the area of exchanges between cards and terminals (see discussion of EMV, above). However, this work remains incomplete: common standards still need to be defined for the authorisation, acquiring, clearing, and settlement of transactions. The Observatory encourages the standard-setting bodies concerned to complete work on the missing security standards as quickly as possible, and calls upon the EPC to incorporate these standards in the SCF. 15 Indeed, the draft Directive on payment services allows, notwithstanding the Directive on data protection, the processing of personal data by payment systems and payment services providers, for the sole purpose of preventing and combating fraud. Observatory for Payment Card Security 2005 Report 41

4 Security certification The SCF calls for harmonisation in the methodologies for security certification (of cards, terminals, etc.), but does not provide any details on how this is to be achieved. There is therefore a risk of 'harmonisation to the lowest common denominator'. This could result in marked disparities between national card systems, and could even confer a competitive advantage to those countries that choose to install less secure and therefore less costly equipment. Cardholders could be exposed to a greater risk of fraud in countries that have equipment which is more easily converted to fraudulent use, even though the cards conform to the common EMV standard. This possibility is a source of concern to the Observatory, which notes that the current French CB four-party card system is based on stringent certification methods. Cards, terminals, and other elements of the card system are initially subjected to a functional certification by the manager of the system. This functional certification specifies the level of security of the components which the manager wishes to use for its cards. It is supported by an external evaluation and certification to verify that this level has been achieved. In France, the evaluation and certification process for cards is an element of a national scheme administered by the Central Directorate for Information System Security (Direction centrale de la sécurité des systèmes d information DCSSI), which reports to the General Secretary for National Defence. These evaluations are governed by a set of international security standards, known as the Common Criteria (see box 12), which have been adopted by the principal industrialised countries (France, the United States, Germany, the United Kingdom and Japan, among others). There are two international agreements for recognising certificates issued as a result of an evaluation conducted according to the Common Criteria: The Common Criteria Recognition Arrangement (CCRA), an agreement which is open to all countries worldwide, but which introduces limits on recognition (in other words, because this agreement is limited to evaluations conducted for an average level of security requirements, and provides only an elementary defence against attacks). Ten countries are currently recognised under this agreement as being able to evaluate and certify products (but others are willing to be recognised). The Senior Officials Group for Information Security (SOG-IS) agreement, a European agreement to which 11 countries of the European Union and EFTA are currently signatories. 16 The SOG-IS agreement does not introduce any limits on the mutual recognition of evaluations conducted in different countries. It therefore applies to evaluations conducted on the basis of stringent security requirements, like those currently in force in France for CB payment cards. Three countries are currently recognised under this agreement as being able to evaluate and certify products: France, Germany, and the United Kingdom. In practice, only Germany and France 16 Germany, France, the United Kingdom, Spain, Finland, Italy, Greece, Norway, the Netherlands, Portugal, and Sweden Rapport Observatory for Payment Card Security

5 evaluate and certify cards for a high level of protection against attacks. This situation could change in the medium term: other countries (for example the Netherlands, Spain, and Norway) could ask to for recognition of their certificates under this agreement. Box 12 the Common Criteria The international standard known as the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is the result of the unification of three older standards: a European standard developed in the beginning of the 1990s (ITSEC), an older American standard (TCSEC), and a Canadian standard (CTCPEC). In contrast with other information security standards, the Common Criteria do not define a set of rules with which information processing products must comply. Instead, they establish a framework in which users can formulate their security requirements and providers can demonstrate that their products satisfy those requirements. In other words, the Common Criteria make it possible to ensure that the processes for specifying security requirements, for developing products, and for evaluating their security, are carried out in the most rigorous manner possible. The Common Criteria methodology is based on three main concepts: the Protection Profile (PP), a document which expresses the security requirements of a community of users; the Security Target (ST), a document (typically drawn up by the provider of the product) which describes the product's security characteristics and lists the protection profiles which the product purports to satisfy; the Evaluation Assurance Level (EAL), which documents all of the measures that have been taken to comply with security functionalities. The assurance levels define the level of security requirement, and range from level EAL-1 (the least stringent) to level EAL-7 (the most stringent and also the most costly). These assurance levels consist of requirements in seven different classes of assurance: configuration management (ACM), delivery and operation (ADO), development (ADV), guidance documents (AGD), life cycle support (ALC), tests (ATE), and vulnerability assessment (AVA). Micro-processors used in co-branded Visa or Mastercard CB cards are also subjected to a security evaluation by the laboratories of each of these international networks. In European countries which do not have a national scheme, this evaluation by Visa and Mastercard is the only evaluation that takes place for international payment cards. Mastercard recognises the evaluations conducted within the framework of the French national scheme, under the authority of the DCSSI, so that French co-branded Mastercard cards do not need to undergo a specific evaluation by Mastercard. The Observatory considers it essential that the security for cards, terminals, and other elements of card systems should be maintained at a very high level for SCF-compliant cards. To that end: The managers of card systems should submit their cards, terminals, and other elements of their systems to stringent common security requirements. The Observatory takes note of the initiative developed by several European card systems, known as the Common Approval Scheme (CAS), to develop such security Observatory for Payment Card Security 2005 Report 43

6 requirements for cards, payment terminals, and eventually for other elements of card payment systems. This useful initiative needs only to be adopted by the EPC in order to become a standard operating procedure applicable to all SCF-compliant card systems. Evaluations and certificates should be standardised. There are several ways of achieving this: For cards assuming that the level of security is equivalent to the current level in France uniformity could be guaranteed by enlarging the SOG-IS agreement, which has already been adopted by almost half of all EU Member States. However, this assumes that these countries would be willing to accept that their payment cards should be evaluated by the French, German, or United Kingdom national schemes, which for the time being are the only national schemes recognised for purposes of evaluation and certification under the agreement. For terminals, the level of security targeted will probably be much weaker than the level targeted for cards (the need for security is not the same). If the Common Criteria are used to evaluate this equipment, all of the countries that are signatories to either the CCRA or the SOG-IS agreement and that have a national certification scheme could evaluate and certify terminals. Community legislation could establish equivalency criteria (including transparency requirements) between the public and private evaluation processes used by card systems in each country. It would be important that all of the laboratories that conduct security evaluations within the SEPA area should possess similar levels of expertise. The Observatory notes that the European Commission proposed a provision along these lines in version four of its draft Directive. This provision was subsequently dropped, but could be supported. Mutual recognition in Europe could be instituted by establishing an ad hoc structure administered by the European banks (self-regulation). 4 2 The Legal Framework for Payment Services in Europe The Observatory is pleased with the efforts of the European Commission to establish a harmonised legal framework for payments in Europe that could ease the establishment of SEPA. The draft Directive confirms the principle that the user's responsibility for losses that occur before he has reported the loss or theft of his card is limited to 150 euros, and that the user has no pecuniary responsibility for losses that occur as the result of unauthorized payments. These principles are already embodied in French law. However, the Observatory considers that three points in the draft Directive require particular attention: The creation of a third category of payment service provider known as payment institutions; The methods for applying the Directive to payment cards; The definition of the principle of irrevocability Rapport Observatory for Payment Card Security

7 The creation of a specific license for payment institutions The creation of a specific licence for payment institutions responds to a legitimate competitive concern, and from that point of view appears desirable. However, the content of the license is very vague, and the absence of substantial prudential requirements means that the security of funds entrusted by users to payment institutions is not guaranteed. In addition, the ability of payment institutions to obtain direct access to card payment systems (card issuance, acquiring of transactions, connection to electronic card networks, clearing and settlement, etc.), or even to manage them directly, could constitute a risk factor if those institutions do not have sufficient financial guarantees and if they are not adequately supervised. The Observatory also notes that the draft Directive liberalises functions that are currently reserved in France to credit institutions, such as the acquiring of card payment transactions. This could considerably alter the position of actors in the payment chain, by placing acquiring business within the scope of activity of service providers who are not subject to the prudential safeguards that apply to credit institutions. Application of the Directive to payment cards The Observatory feels that the application of certain provisions of the draft Directive to payment cards needs to be clarified. In particular, the current text is vague on the question of whether the threshold of 50 euros for micro-payments (related to information requirements and execution times) applies only to contracts under which no individual transaction can exceed 50 euros (art. 38-1) or, by extension, to any payment below 50 (art. 59). Since the median value of card transactions (approximately 46 euros) lies below that threshold, a policy of applying the threshold to each individual transaction would treat almost half of all payments and withdrawals as 'exceptions'. Other definitions also need to be clarified, such as the definition of the date of payment acceptance, which determines the moment at which payment becomes irrevocable and fixes the starting point for execution times for card transactions, set in the draft Directive at D+1 in The definition of irrevocability The Observatory notes that the definition of irrevocability in the draft Directive is ambiguous. This lack of precision (for example, concerning the date of payment acceptance and the methods for administering the right to reimbursement for remote sales) could challenge legal and contractual arrangements in force in most countries. In France, for example, payment is considered final and irrevocable from the moment the cardholder enters his confidential code. The Observatory would like these points to be clarified, in order to ensure the legal security of card payment transactions and to guarantee the smooth functioning of card systems. Observatory for Payment Card Security 2005 Report 45

8 4 3 Recommendations The Observatory considers that the development of a European framework for card payments raises major security issues, and urges French card issuers to maintain a high level of security for payment cards that will be used in the SEPA area. Since this objective is based on Community standards relating to security, the Observatory invites the EPC to incorporate into the SCF the security standards that are currently missing in the areas of authorisation, acquiring, clearing, and settlement of card transactions, and to consider adopting the Common Approval Scheme, which could become a standard operating procedure applicable to all SCF-compliant card systems. Since this initiative is likely to receive the support of European authorities, the Observatory thinks that the European Commission, as well as the Council and the European Parliament, should consider the possibility of laying out in legislation the criteria for determining the equivalence between the public and private evaluation processes used by card systems in each country. Finally, the Observatory stresses the importance of the operational and financial risks posed by the new class of payment institutions, which could soon be authorised to provide payment services under the terms of the draft Directive that is currently being examined by the Council and the European Parliament. The Observatory therefore recommends strengthening both the prudential requirements that apply to these institutions and the methods for supervising them Rapport Observatory for Payment Card Security