Industry Briefing: Security of Internet Payments - Legislative Developments in Europe

Transcription

1 Industry Briefing: Security of Internet Payments - Legislative Developments in Europe

2 Copyright 2015 VASCO Data Security. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc. Trademarks MYDIGIPASS.com, DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All other trademarks or trade names are the property of their respective owners. Any trademark that is not owned by Vasco that appears in the document is only used to easily refer to applications that can be secured with authentication solutions such as the ones discussed in the document. Appearance of these trademarks in no way is intended to suggest any association between these trademarks and any Vasco product or any endorsement of any Vasco product by these trademarks proprietors. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

3 Table of Contents Introduction Background Strong Authentication under the EBA Guidelines and PSD2 Enforcement of the EBA Guidelines and PSD2 Conclusions Research Sources About VASCO

4 Introduction Background On December 19, 2014, the European Banking Authority (EBA) published its final guidelines regarding the security of Internet payments. This industry briefing provides an overview of the current regulatory and legislative initiatives within the European Union related to the security of Internet payments, with a special emphasis on upcoming requirements related to strong authentication of both customers and transactions. During the past years, several European governmental and regulatory bodies have taken various legislative and regulatory initiatives regarding the security of Internet and mobile payments across the European Union. The main drivers for these initiatives are the rising level of fraud observed in Internet payments, and security concerns among European citizens. According to the European Central Bank s Third Report on Card Fraud (1) from February 2014, Card-Not-Present (CNP) fraud within the European Union rose to 794 million in 2012, up more than 20% compared to Furthermore, according to the European Commission s Special Eurobarometer on Cyber Security (2) from 2013, about 28% of the European citizens does not feel confident about online banking or shopping. 4

5 In order to provide an answer to rising fraud levels and security concerns, in 2011 the European Central Bank (ECB) created the SecuRe Pay forum, a voluntary cooperation between the 28 national regulators of the European Union. After a period of consultation with parties from both the public and private sector, this forum published its final recommendations (3) for the security of Internet payments in January 2013, followed by a complementary assessment guide (4) in February In November 2013, SecuRe Pay published its recommendations (5) on the security of mobile payments, but these recommendations are still in draft and it is currently not clear whether there are any plans to publish a final version of them. In order to provide a more solid legal basis to the ECB s recommendations on Internet payments, in December 2014 the European Banking Authority (EBA) published its final guidelines (6) on the security of Internet payments, which are almost identical to the ECB s recommendations. Payment Service Providers (PSPs) are expected to comply with these guidelines by August be translated into national law by the various EU member states. PSD2 also tasks EBA with the development of guidelines and technical standards for strong customer authentication, which are expected to become effective 30 months after PSD2. Once PSD2 comes into force, it will supersede the EBA Guidelines. It is remarkable to note that the US government currently does not take any steps similar to the EU. It appears that the EU sees rising fraud levels as a sign of market failure requiring regulators to step in and take corrective action, while the US adopts a laissez-faire policy and leaves it up to the market participants to address the fraud levels themselves. At the same time, the European Commission is reviewing the Payment Services Directive (PSD) together with the European Parliament and the European Council of Ministers. The most recent draft (7) for the new Payment Services Directive ( PSD2 ), which was published in October 2014, contains several articles regarding the security of electronic payments, which seems to cover both Internet and mobile payments. It is expected that PSD2 will come into effect in the Spring of 2015, after which it needs to 5

6 Strong authentication under the EBA Guidelines and PSD2 One of the most critical items in the EBA guidelines is the requirement for PSPs to perform strong customer authentication in order to verify the customer identity before proceeding with an on-line payment, be it through online banking services or internet card payments, or when accessing or altering sensitive payment data. According to the EBA Guidelines, strong customer authentication is a procedure based on the use of two or more of the following elements: i) something only the user knows (knowledge, such as a static password or PIN), ii) something only the user possesses (possession, such as a token, smart card, or mobile phone) and iii) something the user is (inherence, such as a fingerprint). In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet. As an example, a hardware token generating one-time passwords (OTPs) and protected with a PIN would meet this definition of strong customer authentication, as also explained by the ECB s assessment guide. The hardware token represents the possession element, while the PIN is the knowledge element. Both elements are independent, as theft of the hardware token does not compromise the PIN, and vice versa. Additionally one-time passwords are not reusable, and it is not feasible to clone the hardware token. 6

7 PSD2 goes a step further than the EBA Guidelines and, in Article 87 of the current proposal, requires PSPs to perform strong transaction authentication, linking the transaction to a specific amount and a specific payee. As mentioned above, the EBA will provide technical standards detailing the acceptable authentication mechanisms. Although transaction authentication is already common practice in online banking services in many European countries, this requirement presents a significant step for e-commerce services and may impact the check-out processes of e-commerce merchants. Strong Authentication Revisiting the example above, under PSD2 the hardware token would have to be able to calculate a Message Authentication Code (MAC) or digital signature over the transaction s amount, payee, and optionally other transaction-related data. 7

8 Enforcement of the EBA Guidelines and PSD2 EBA Guidelines As mentioned above, the EBA Guidelines will come into effect in August In accordance with Article 16 of the EBA Regulation, competent authorities and financial institutions must make every effort to comply with the guidelines. However, it is possible for competent authorities (e.g. financial regulators, national banks) to decide not to comply with the guidelines. Competent authorities are expected to notify the EBA whether or not they intend to comply within two months after the publication of the translations of the final guidelines. The EBA will subsequently publish notifications from the competent authorities on its website. Hence, in the coming weeks and months it will become clear which competent authorities intend to comply. In this respect it is interesting to note that the British Financial Conduct Authority (FCA) writes (8) that it [ ] will begin to assess firms implementation of these security measures when the updated Payment Services Directive requirements take effect, which seems to signal a delay compared to the August 2015 implementation date. On the other hand the Bank of Spain has confirmed compliance with the guidelines. Differences in attitudes among competent authorities might lead to a segmentation within the EU, with some competent authorities adopting the guidelines and others not. PSD2 will be translated into the national law of the EU member states, and therefore more strictly enforced. 8

9 Conclusions The EBA guidelines on the security of Internet payments will come into effect in August A critical requirement from these guidelines is the adoption of strong customer authentication mechanisms by PSPs. However, it is important that PSPs anticipate the requirements of PSD2, which will most likely additionally require strong transaction authentication. Finally it will be noteworthy to see which competent authorities decide to comply with the EBA Guidelines. One of the primary goals of the EBA Guidelines was to create a levelplaying field for all PSPs across the EU through harmonization of payment security regulation. However if some competent authorities decide not to comply, PSPs might decide to move to member states with the least stringent regulation. 9

10 Research Sources (1) (2) (3) recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf (4) (5) recommendationsforthesecurityofmobilepaymentsdraftpc201311en.pdf (6) rity+of+internet+payments%29.pdf (7) (8) About VASCO VASCO is the world leader in providing two-factor authentication and digital signature solutions to financial institutions. More than half of the Top 100 global banks rely on VASCO solutions to enhance security, protect mobile applications and meet regulatory requirements. VASCO also secures access to data and applications in the cloud, and provides tools for application developers to easily integrate security functions into their web-based and mobile applications. VASCO enables more than 10,000 customers in 100 countries to secure access, manage identities, verify transactions, and protect assets across financial, enterprise, E-commerce, government and healthcare markets. Learn more about VASCO at or visit blog.vasco.com 10