Maybe I had a few too many beers the night before but I found the recent EPC blog post, European Union Regulatory Initiatives Impacting the Security of Euro Payments: the 2015 Outlook, a bit confusing! In a nutshell the post highlights some of the key security initiatives that are hitting Europe in 2015. Now payments security is an area that is receiving increasing attention given the global growth in payment fraud and various hack attacks. So I thought it was important to have another read to get the European take on this particularly sensitive area. In addition to this the post is written by Javier Santamaría, the European Payments Council Chair, so it's useful to know what he is writing about. This post summarises the 3 key SEPA payments security initiatives that are happening in 2015. This post does not get into the specific details, but includes links to the referenced directives / security guidelines so that you can review them in your own time.
1. Securing SEPA Payments – PSD2 is coming:
The PSD – the Payments Services Directive – specifically is Directive 2007/64/EC of the European Parliament and of the Council. The PSD aims to modernise and standardise payment services in the European Union (EU) by creating the legal foundation for an EU-wide single market for payments. That was in 2007. In 2013 the European Commission published its PSD2 proposal. The final version of PSD2 has yet to be finalised; according to Javier, PSD2 could be adopted within the next 6 months and implemented into national legislation two years later – i.e. in 2017.
PSD2 proposes a set of rules relating to the activities of third party payment service providers (TPPs). The TPPs are described in the PSD2 as Payment Service Providers (PSPs) that pursue business activities based on access to payment accounts provided by a PSP who is not the ‘account servicing’ PSP, in the form of:
- Payment initiation services
- Account information services
The EPC is proposing a number of security measures in the PSD2. These measures primarily revolve around the development of security credentials by an account servicing PSP, which must be shared with the account holder only. The understanding is that a consumer should not have to share his/her personal security details (passwords, PINs, Transaction Authorisation Numbers) with TPPs.
TPPs include companies that enable online purchases such as Sofort (Germany), Ideal (The Netherlands), Trustly (Scandinavia) and ApplePay when that hits Europe. The proposed rules relate specifically to payment security.
Further details about PSD2 and TPPs can be found at PSD2: EPC Key Considerations Address Aspects Related to Third Party Payment Service Providers and Article 67 (Refund Rights for Direct Debits).
2. Securing SEPA Payments – Cyber-security or Network and Information Security (NIS) Proposals:
To enable a consistent network and information security model across the EU, in February 2013, the European Commission proposed a ‘Directive of the European Parliament and of the Council [of the EU] concerning measures to ensure a high common level of network and information security across the Union’.
The NIS Directive:
- Aims to promote online security by adopting increased levels of network and information security requirements
- Calls upon the providers to report certain cyber security incidents to regulators and the public
- Seeks to enable cross-industry collaboration on cyber security
Have a read of the EPC post Tensions in Cyberspace: Competing Priorities and Legislative Initiatives in the Online Payments World which outlines the tensions between regulation and security. The EPC post highlights the difficulties in enabling healthy competition, promoting technology neutrality and innovative solutions on the one hand and ensuring security and privacy of consumers on the other. This is further complicated when you consider the need to comply with a whole raft of regulation.
The final wording of the NIS Directive is still being discussed.
3. Securing SEPA Payments – Security of Internet Payments Guidelines:
First things first, the EBA (European Banking Authority) was created in 2011 to ensure “effective and consistent prudential regulation and supervision across the European banking sector”. Now these guys are important because they have recently released Guidelines on the security of internet payments.
The European Central Bank Third Report on Card Fraud (February 2014) highlights €794 million in fraud losses in 2012; a large and increasing percentage of these fraudulent payments were made via the internet, telephone or post. In December 2014 the EBA published the Final Guidelines on the security of internet payments, which set out the minimum security requirements that PSPs in the EU must adopt. The Guidelines are based on the recommendations of the European Forum on the Security of Retail Payments (SecuRe Pay) and are expected to be implemented by 1 August 2015.
We all recognise the need to ensure the security of payments in the SEPA region. But doing this in a simple way that enables payment service providers, third party providers, technology and innovation to flourish remains the challenge. Add to this the numerous rules, regulations and directives that are in the pipeline, and the interpretation of these rules, coupled with the need for a common and consistent framework across the SEPA region, further highlights the complexities in securing the way in which we enable SEPA payments today and in the future.
I’d love to hear your thoughts on this post, particularly if you’re impacted by any of the above directives, guidelines, rules or whatever else you want to call them…