The role of the European Forum on the Security of Retail Payments (SecuRe Pay Forum)
The SecuRe Pay Forum was established in 2011 as a voluntary cooperative initiative between relevant authorities from the European Economic Area; supervisors of payment service providers and overseers in particular. It was formed with the objective of facilitating common knowledge and understanding of issues related to the security of electronic retail payment services and instruments and, where necessary, issuing recommendations.
A draft report on the security of internet payments developed by the SecuRe Pay Forum was previously issued for public consultation back in April 2012, followed by a draft report on payment account access services in January 2013.
The European Central Bank published the final version of the ‘Recommendations for the security of internet payments’ (see ‘related links’ below), in January 2013 with an implementation date of 1 February 2015. It is important to note that the final recommendations for the security of internet payments also cover mobile remote payments1 conducted using a standard web browser on a mobile device, since the SecuRe Pay Forum considered their security requirements to be similar to those conducted over the internet via a personal device such as a PC.
European Central Bank issued the draft document ‘Recommendations for the security of mobile payments’ developed by the SecuRe Pay Forum in November 2013 for public consultation
In November 2013, in a press release issued to launch a public consultation on the draft report entitled ‘Recommendations for the security of mobile payments’ (see ‘related links’ below), the Governing Council of the European Central Bank explained:
“The use of mobile devices and technologies for payments creates new risks to the security of payments. There are several reasons for that. First, the current generation of mobile devices and their operating systems was generally not designed with the security of payments in mind. Second, the use of radio technology for the transmission of sensitive payment data and personal data exposes mobile payments to risks that other payments do not entail. Third, compared with traditional payments, mobile payments involve new actors, including mobile network operators. The general public, finally, may be less aware of information security risks when using mobile devices compared with when making internet payments from desktop PCs or laptops at home.”
For the reasons outlined above – and notwithstanding the fact that mobile payments are still at an early stage of development and deployment – the SecuRe Pay Forum prepared draft recommendations for the security of mobile payments (see ‘related links’ below). This work also has the benefit of developing a harmonised European approach to solutions that have the potential to develop more easily than traditional payments, also across national borders.
The scope and purpose of the SecuRe Pay Forum draft ‘Recommendations for the security of mobile payments’
The current draft report, ‘Recommendations for the security of mobile payments’, is the third of its kind developed by the SecuRe Pay Forum. The draft recommendations listed in this SecuRe Pay Forum report are applicable to all payment service providers (PSPs) as defined in the Payment Services Directive (PSD)2 when providing mobile payment services, as well as to governance authorities of payment instrument schemes developing and offering mobile payment services.
The purpose of the latest SecuRe Pay Forum report on the security of mobile payments is to define common minimum requirements for mobile payment services which allow the initiation of payments through a mobile device. The report focuses on payments such as credit transfers, direct debits, e-money transfers and card payments, (including the registration of card payment data for use in ‘wallet solutions’), and so has a demonstrably different focus to the previous reports in this space.
Excluded from the scope of the report are:
- Payments through a mobile device where the customer only uses a standard web browser, (or a mobile banking or payment application that is strictly acting as a proprietary web browser), to access the internet.
- Technologies transforming mobile devices into physical card payment acceptance devices, (e.g. a point of sale (POS) terminal).
- ‘Sticker solutions’, i.e. applying stickers enabled with near field communication (NFC) technology to a mobile device.
- Payment transactions outside the scope of the proposed revised PSD, (as per the legislative proposal of 24 July 2013) – see below for more detail.
- Retail payment clearing and settlement systems3.
Included, however, are both mobile contactless payments and mobile remote payments, as long as they do not use standard web browsers but are, for example, based on mobile apps or mobile wallets accessed via a mobile device.
With regard to the revised PSD (PSD2), as previously reported in this newsletter, on 24 July 2013 the European Commission published a ‘payments legislative package’, which includes the proposals for a PSD2 and a new Regulation on interchange fees for card-based payment transactions. The proposal for the PSD2 and the Regulation on interchange fees for card-based payment transactions, respectively, will have to be adopted by the European Union (EU) co-legislators, i.e. the European Parliament and the Council of the EU. (The Council of the EU is the EU institution where the Member States’ government representatives sit, i.e. the ministers of each EU Member State with responsibility for a given policy area.)
The draft report’s recommendations
The SecuRe Pay Forum draft report outlines 14 recommendations to promote the security of mobile payments, organised into three categories:
- General control and security environment of the platform supporting the mobile payment service. As part of their risk management procedures, mobile payment solution providers (MPSPs) should evaluate the adequacy of their internal security controls against internal and external risk scenarios. Recommendations in the first category address issues related to governance, risk identification and assessment, monitoring and reporting, risk control and mitigation issues as well as traceability.
- Specific control and security measures for mobile payments. Recommendations in the second category cover all of the steps of payment transaction processing, from access to the service, (customer information, enrolment, authentication solutions), to payment initiation, monitoring and authorisation, as well as the protection of sensitive payment data.
- Customer awareness, education and communication. Recommendations in the third category include customer protection, what customers are expected to do in the event of an unsolicited request for personalised security credentials, how to use mobile payment services safely and, finally, how customers can check that the transaction has been initiated and executed.
The 14 recommendations given in the report are as follows:
- Governance. MPSPs should implement a formal security policy for mobile payment services which is subject to periodic review, monitoring and challenge.
- Risk assessment. MPSPs should identify and assess risks on an ongoing basis (supported by a formal policy and strategy) in order to ensure the security of mobile payments and ancillary services, but also prior to establishing the service(s).
- Security incident monitoring and reporting. MPSPs should ensure the consistent and integrated monitoring, handling and follow-up of security incidents, including security-related customer complaints. MPSPs should establish a procedure for reporting such incidents to management and, in the event of major payment security incidents, to competent authorities.
- Risk control and mitigation. MPSPs should implement proportionate security measures aligned with the risks in order to mitigate identified risks. These measures should incorporate multiple layers of security, whereby the failure of one line of defense is mitigated by the next line of defense (‘defense in depth’).
- Traceability. MPSPs should have processes in place ensuring that all transactions are logged with an appropriate audit trail.
- Initial customer identification and provision of information. MPSPs should properly identify customers (payers and payees) in line with the European anti-money laundering legislation4 and should obtain the confirmation of their willingness to make and/or to accept mobile payments using the services before being granted access to such services. MPSPs should provide adequate ‘prior’, ‘regular’ or, where applicable, ‘ad hoc’ information to the customer about the necessary requirements, (e.g. equipment features, procedures), for performing and/or accepting secure mobile payment transactions including the inherent risks.
- Strong customer authentication. MPSPs should ensure that the initiation of mobile payments, as well as access to sensitive payment and personal data, is protected by strong customer authentication.
- Enrolment for and provision of authentication tools and/or software. MPSPs should ensure that customer enrolment for and the initial provision of the customer’s authentication tools and/or the delivery of software required to use the mobile payment service is carried out in a secure manner.
- Authentication attempts and time-out. MPSPs should limit the number of log-in or authentication attempts (e.g. wrong personal identification number (PIN) entries), implement time-out controls and set time limits for the validity of authentication.
- Transaction monitoring. MPSPs should operate transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions; suspicious or high-risk transactions should be subject to a specific screening, filtration and evaluation procedure.
- Protection of sensitive payment data and personal data. Sensitive payment data and personal data should be protected when stored, processed or transmitted.
- Customer education and communication. MPSPs should provide assistance and guidance to customers, where needed, with regard to the secure use of mobile payment services. MPSPs should communicate with their customers in a manner that reassures them of the authenticity of the messages received.
- Notifications, setting of limits. MPSPs should set limits for mobile payment services and could provide their customers with options for further risk mitigation within these limits. They may also provide alert and customer profile management services.
- Customer access to information on the status of payment initiation and execution. MPSPs should notify customers of the payment initiation and provide customers with timely information necessary to check that a payment transaction has been correctly initiated and/or executed.
Each recommendation is specified through key considerations. The latter must be read along with the recommendations in order to achieve a full understanding of what is expected as a minimum in order to comply with the security recommendations. Addressees must comply with both the recommendations and the key considerations or be able to explain and justify any deviation from them upon the request of the relevant competent authority. This is known as the ‘comply or explain’ principle.
In addition, the report describes some best practices which addressees, (as well as indirectly the other relevant market participants, such as mobile network operators (MNOs), mobile device manufacturers and mobile device operating system providers), are encouraged to adopt. These play an important role in the achievement of the overall aim to ensure safety of mobile payments as the latter depends on the responsible behaviour of all actors.
The European Central Bank suggests that the recommendations should be implemented by MPSPs by 1 February 2017, two years after the expected publication of the final report, although this date is still to be confirmed. National authorities may wish to define a shorter transition period where appropriate.
Comments of the European Payments Council (EPC) on the draft SecuRe Pay recommendations for the security of mobile payments
The EPC welcomes the SecuRe Pay Forum’s initiative, but cautions on the risks of stifling emerging solutions and business models by imposing too detailed security requirements at this early stage. Mobile payments are in their very early days and a good user experience is critical to consumer adoption. It is broadly recognised that the adequate balance between usability and security is critical for the success of any payment method. Security requirements are important for the protection of the consumer and for the integrity of the payment system, but recommendations should be restricted to technology independent security requirements.
Mobile payment solutions may be provided by PSPs but also by other – non-regulated – entities (e.g. mobile network operators (MNOs), mobile wallet providers such as merchants or third parties). The suggested security recommendations should apply and be enforced in the same way to all providers involved in order to ensure a level playing field and avoid any regulatory arbitrage in the security area.
This should explicitly include third party providers offering access to account services through mobile payment solutions. It must be noted that although under the proposed PSD2 these third parties would be subject to all provisions applicable to payment institutions, this is currently not the case. Consequently, the suggested security recommendations should at least propose a mechanism on how to deal with security risks which could result from the fact that certain non-mobile payment service providers are – for the time being – operating in a legal vacuum. It should be avoided that, as a consequence of the current situation, MPSPs would have to bear the burden of proof as regards their liability in cases of fraud or defective execution for transactions directly involving non-regulated third party providers.
Furthermore, many players essential for the security of mobile payments, (such as MNOs and trusted service managers (TSMs5)), are currently not subject to the same supervision and oversight as PSPs are. The EPC believes that all providers of mobile payment services should be subject to similar levels of oversight and supervision. Recommendations enforced only by European supervision and oversight bodies would not necessarily apply to non-European players, which could be detrimental to a level playing field and security. This would call for international cooperation in order to establish a global level playing field.
On the other hand, it should be taken into account that MNOs and TSMs operate in a different (security) ecosystem with their own local and/or European supervision and standard bodies, (i.e. the Body of European Regulators for Electronic Communications (BEREC) / the European Telecommunications Standards Institute (ETSI)). To prevent the potential risk of a collision of security measures (due to differences in scope and interpretation) between these ecosystems, the EPC advises the SecuRe Pay Forum to clarify the base line security responsibilities of both ecosystems with regard to relevant key components involved in the delivery of the mobile payment service, (for example, the transfer of customer credentials when a customer changes to another MNO or mobile device).
An overlap is also identified between the recommendations for the security for internet payments and these new draft recommendations for the security of mobile payments, (although the recent ‘Assessment Guide for the Security of Internet Payments’6 reflects the increasing maturity of the security recommendations through more detailed wording). This has an immediate impact on established security processes and could lead to unnecessary differences in defining security processes and requirements for mobile and internet payments.
In addition, the definition of mobile payments used in the draft recommendations for the security of mobile payments is rather broad, encompassing all payments initiated from a mobile device except payments initiated from a web-browser on the mobile or from an app that acts as proprietary browser only. Moreover, it is unclear what the term ‘mobile payment service’, used in the document, exactly covers.
As outlined above, mobile payments have now been addressed in two separate documents, the ‘Recommendations for the security of mobile payments’ and, previously, the ‘Recommendations for the security of internet payments’. This could lead to confusion with respect to the applicability and interpretations of the different documents’ recommendations, (e.g. the difference between using the standard web browser and proprietary web browser).
Moreover, there are concerns in the market that the different handling and interpretation of (principle-based) recommendations by national supervisors in the and European Economic Area could adversely affect cross-border competition. It may result in gaps in the security requirements of mobile payments whereby certain m-payment solutions are not covered. Examples include:
- Mobile banking apps with enhanced mobile capabilities (e.g. QR code scanning, reading of NFC tags) which are likely to fall into the scope of both sets of SecuRe Pay recommendations.
- Mobile banking app with a separate authentication module.
- Mobile commerce apps (e.g. iTunes, Amazon) which may allow for the initiation of the payment in an app, using some pre-defined payment method (like card on file).
- Tablets or mobile devices without a storage facility for user identification data.
- Mobile wallets containing credentials such as card information.
- Mobile wallet apps that may be linked to a payment instrument (such as a card number or account number) held by the customer, where there is no relationship between the wallet provider and the .
Furthermore, it should be noted that remote e- and m-payments are converging due to the fact that the distinction between mobile devices and other remote devices is becoming blurred, (e.g. laptop with universal integrated circuit card (UICC), tablet with only Wi-Fi connection etc). At the same time, the current SecuRe Pay Forum draft document on recommendations for mobile payments covers both mobile remote and mobile contactless payments which have different risk management models. Hence the applicability of some key considerations to both mobile payment types becomes challenging.
Taking into account the above considerations, the EPC has suggested that both sets of the SecuRe Pay recommendations relevant to mobile payments, i.e. those included with the recommendations for the security of internet payments and those included with the recommendations for the security of mobile payments, should be re-structured into two (new) documents as follows:
- One document covering the same recommendations for both remote e- and m-payments. It is recognised that the risk model for remote m-payments is slightly different to remote e-payments and that mobile devices offer additional features compared to PCs. However, this could be reflected in additional key considerations and best practices which are only applicable to remote m-payments.
- One document covering specifically (mobile and card) contactless payments.
In addition, the EPC believes the draft SecuRe Pay recommendations for the security of mobile payments should be reviewed in relation to the following aspects:
- The missing link between strong customer authentication and the authentication of transaction parameters, in particular for high risk transactions.
- Requirements related to PIN and password (e.g. entry in the mobile device).
- Requirements on risk assessment.
- Data protection requirements.
- Incident handling.
- Management of applications and software components for mobile payment services.
- Requirements on the communication channel ‘over the air’ versus NFC.
- Customer support.
The way forward for the security of mobile payments
Mobile technology is developing at a significant pace, and it is important that recommendations are put in place to help the various parties involved in the mobile payments landscape handle the changes. These recommendations must tread a fine line between providing the best possible level of security for those individuals and corporations using mobile payments, whilst not limiting innovation within the sector.
Dag-Inge Flatraaker is the Chair of the M-Channel Working Group.
Related articles in previous issues:
PSD2: EPC Key Considerations Address Aspects Related to Third Party Payment Service Providers and Article 67 (Refund Rights for Direct Debits). EPC identifies considerable scope for amendments to European Commission PSD2 proposal (EPC Newsletter, Issue 21, January 2014)
EPC Publishes Updated Mobile Wallet Payments White Paper. The revised white paper was released in January 2014 following stakeholder review (EPC Newsletter, Issue 21, January 2014)
The Concept of an Open Standard Interface for Controlled Access to Payment Services (CAPS). A commentary: “Access to accounts – why banks should embrace an open future.” (EPC Newsletter, Issue 21, January 2014)
1 Mobile remote payments are payments initiated via a mobile device whereby the transaction is conducted over a network connection (e.g. telecom, Wi-Fi or Bluetooth) and which can be made independently from the payer’s and beneficiary's location.
2 Directive 2007/64/EC of the European Parliament and of the Council [of the EU] of 13 November 2007 on payment services in the internal market.
3 Clearing and settlement mechanisms enable the exchange of funds (money) and messages between two payment service providers executing a payment transaction.
4 For example, Directive 2005/60/EC of the European Parliament and of the Council of 26 October 2005 on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing, OJ L 309, 25.11.2005, pp. 15-36. See also Commission Directive 2006/70/EC of 1 August 2006 laying down implementing measures for Directive 2005/60/EC of the European Parliament and of the Council as regards the definition of “politically exposed person” and the technical criteria for simplified customer due diligence procedures and for exemption on grounds of a financial activity conducted on an occasional or very limited basis, OJ L 214, 4.8.2006, pp. 29-34.
5 Trusted service managers (TSMs) facilitate the distribution, configuration and activation of a bank's payment application on the universal integrated circuit card (UICC, also known as a SIM card), within bank customers' near field communication (NFC) handsets.
6 Assessment Guide for the Security of Internet Payments (February 2014) http://www.ecb.europa.eu/pub/pdf/other/assessmentguidesecurityinternetpayments201402en.pdf??b7688d41ec6e6b2105186a1ad83da100.