Secure Pay: immediate action required by Internet payment providers
Douwe Lycklama Payments, Article 18-02-2015
On 19 December 2014 the European Banking Authority published the 'Final Guidelines on Internet Payment Security'. These guidelines cover generic security 'best practices' in the areas of general control and governance, risk assessment, incident monitoring/reporting, risk control and mitigation, and traceability. The most impactful part starts with section 6, on the topic of customer identification and authentication.
The guidelines prescribe that from 1 August 2015 all Internet payments will be required to be strongly (two-factor) authenticated. Customers need to be 'positively' identified, in line with AML-like requirements. Risk-based approaches are therefore not allowed.
Merchants, PSPs, acquirers and issuers will be confronted with a new reality. Current authentication (such as 3D Secure) will not be enough, because the obligations are extended to direct debits and credit transfers. Transactions originated by issuers outside the EU also need to be authenticated by acquirers and/or PSPs. The liability regime will shift to the 'weakest link' in the chain, per KC7.6 and footnote 22 of the ECB's Security of Internet Payments Recommendations. The ECB and the national regulators are responsible for regulating the card schemes, and will also be responsible for regulating the liability-shift regime.
How does this affect today’s online payments business? Getting clear answers from the authorities all over Europe is challenging, but our analysis leads to the following six points:
PSPs, acquirers and issuers are obliged to facilitate authentication, or else they are liable, provided that the issuer offers authentication. Liability does not shift to the merchant when the merchant chooses not to authenticate while the PSP is offering it. This is a change from today, where the merchant is liable when no authentication is used.
The 'weakest link' is determined through a registry (still to be defined and developed) maintained by the card schemes and a technical framework by the EPC.
PSPs and acquirers will have to force their merchants to implement authentication. Failing to do so might eventually lead to merchants losing their processing contracts with European PSPs and acquirers. Merchants could move to non-EU service providers.
Today's 3D Secure is not enough because it is one-factor and mainly covers only Visa and MasterCard, with very low issuer adoption rates. 3DS will be adapted to two-factor authentication (2FA) in the coming years, but not in time for August 2015. EMVCo has publicly stated that its framework standard for V2.0 won't be published until the end of Q1 2016, which means that deployed solutions may take many years to follow.
The national enforcement of these guidelines strongly depends on the local authorities, often central banks or financial services regulators themselves.
Exceptions to 2FA exist for 'trusted beneficiaries' (whitelisted), for payments within banks, and for low-value payments as defined by the PSD.
PSPs, acquirers and issuers certainly need to take this seriously. Besides the authentication requirements, the guidelines contain requirements for general good security practices, which payment actors have to implement (most of them already have these in place) and document towards the authorities as part of their ongoing compliance obligations.
As a general reflection: the adoption of digital identity methods is accelerated by the increasing regulatory requirements. Other regulations requiring digital identity solutions include PSD2, eIDAS, AML and the General Data Protection Regulation. The 4th AML/CTF directive has just been voted through by the EU Parliament, and it contains transaction monitoring and continuous KYC due diligence requirements.
We can expect more standardisation and interoperability in this space, as we do not want to burden users with even more passwords and token-issuing processes. Re-use of existing credentials will be key, a.k.a. 'reach' as we know it from the payment world.