Security & PCIDSS
Secure Pay: immediate action required by Internet payment providers

Douwe Lycklama, Payments, Article, 18-02-2015
On 19 December 2014 the European Banking Authority published the 'Final Guidelines on Internet Payment Security'. These guidelines cover generic security 'best practices' in the areas of general control & governance, risk assessment, incident monitoring/reporting, risk control & mitigation and traceability. The most impactful part starts with section 6, on the topic of customer identification and authentication.

The guidelines prescribe that from 1 August 2015 all Internet payments must be strongly (two-factor) authenticated. Customers need to be 'positively' identified, in line with AML-like requirements, so risk-based approaches are not allowed.

Merchants, PSPs, acquirers and issuers will be confronted with a new reality. Current authentication (such as 3D Secure) will not be enough, because the obligations are extended towards direct debits and credit transfers. Also transactions originated by issuers outside of the EU need to be authenticated by acquirers and/or PSPs. The liability regime will shift to the ‘weakest link’ in the chain, per KC7.6 and footnote 22 of the ECB’s Security of Internet Payments Recommendations. The ECB and the national regulators are responsible for regulating the Card Schemes, and will also be responsible for regulating the liability shift regime.

How does this affect today’s online payments business? Getting clear answers from the authorities all over Europe is challenging, but our analysis leads to the following six points:

1. PSPs, acquirers and issuers are obliged to facilitate authentication or else they are liable, provided the issuer provides authentication. Liability does not shift to the merchant when he chooses not to authenticate while the PSP is offering it. This is a change from today, where the merchant is liable when no authentication is used.
2. The 'weakest link' is determined through a registry (still to be defined and developed) maintained by the card schemes and a technical framework by the EPC.
3. PSPs and acquirers will have to force their merchants to implement authentication. Failing to do so might eventually lead to merchants losing their processing contract with European PSPs and acquirers. Merchants could move to non-EU service providers.
4. Today's 3D Secure is not enough because it is one factor and mainly covers only Visa & MasterCard, with very low issuer adoption rates. 3DS will be adapted to two-factor authentication (2FA) in the coming years, but not in time for August 2015. EMVCo has publicly stated that its framework standard for V2.0 won't be published until the end of Q1 2016, which means that deployed solutions may take many years to follow.
5. The national enforcement of these guidelines strongly depends on the local authorities, often central banks or financial services regulators themselves.
6. Exceptions to 2FA exist for 'trusted beneficiaries' (white-listed), for payments within banks, and for low-value payments as defined by the PSD.

For sure PSPs, acquirers and issuers need to take this seriously. Besides the authentication requirements, the guidelines contain requirements for general good security practices, which payment actors have to implement (most of them already have this) and document towards the authorities as part of their ongoing compliance obligations.

As a general reflection: the adoption of digital identity methods is being accelerated by increasing regulatory requirements. Other regulations requiring digital identity solutions include PSD2, eIDAS, AML and the General Data Protection Regulation. The 4th AML/CTF directive was just passed by the EU Parliament, and it contains transaction monitoring and continuous KYC due diligence requirements.

We can expect more standardisation and interoperability in this space, as we do not want to burden users with even more passwords and token-issuing processes. Re-use of existing credentials will be key, a.k.a. 'reach' as we know it from the payments world.
How secure are 'contactless' bank card payments? - utalk

Paying for mobile phone accounts is becoming easier and quicker thanks to developments in the sector. In this edition of U-talk we look at consumers' securit...
Europe's card payments take shape - Les Échos

Les Échos: Europe's card payments take shape. Deployment of this platform, designed by software vendor ACI Universal Payments, will begin next year.
OpenSSL bug allows hackers to see private communication

The world hasn’t yet recovered from the Heartbleed vulnerability in OpenSSL and now there’s news of a new bug affecting the popular open-source security package.

Via TechinBiz
How Berlin became the capital of hackers

The German capital has become a must-visit for hackers and net activists, establishing itself as an anti-Silicon Valley.

Via Jean-Philippe BOCQUENET
Ingenico: obtains 'PCI DSS' certification. - Daily Bourse

Ingenico: obtains 'PCI DSS' certification. Daily Bourse (CercleFinance.com) - Ingenico announced on Wednesday that its end-to-end encryption solution 'On-Guard' had obtained 'PCI DSS' certification.
Payment Cards Security Standards Organization Publishes Third-Party Security Assurance Guidance | JD Supra

On August 7, the PCI Security Standards Council (PCI SSC), the open global forum responsible for setting payment security standards, published an information supplement titled...