
PSD2: EPC Calls on EU Lawmakers to Maintain the Firewall Protecting Consumers Making Internet Payments. This Means: No Sharing of Any Personalised Security Credentials with Third Parties

Update on legislative process leading to the adoption of the revised Payment Services Directive

29 July 14


The European Union legislative process leading to the adoption of PSD2: state of play

The Payment Services Directive (PSD) as currently in effect was adopted by the European Parliament and the Council of the European Union (EU) representing EU governments [1] in 2007. According to the European Commission, the PSD aims, among other things, to establish a modern and comprehensive set of rules applicable to all payment services in the EU, and to make cross-border payments as easy, efficient, and secure as national payments within a Member State. The PSD was implemented in most EU Member States by 1 November 2009. Article 87 of the PSD requires the Commission to present a report on the implementation and impact of the PSD together with proposals for its revision by 1 November 2012.

The European Commission published its proposal for PSD2 on 24 July 2013. (The formal title of this proposed legislative act is “Proposal for a Directive of the European Parliament and of the Council [of the EU] on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC”.)

EU legislation proposed by the Commission related to payments is considered by the European Parliament’s Economic and Monetary Affairs Committee (ECON) before the European Parliament votes on a proposal. The ECON agreed its proposed version of PSD2, including amendments to the Commission’s proposal, on 20 February 2014. The European Parliament approved the final ECON report on PSD2 at its plenary session on 3 April 2014. However, the European Parliament postponed the vote (in first reading) on the related draft legislative resolution until after the May 2014 European Parliament elections.

The Council of the EU representing EU governments is planning to complete its work on PSD2 in the third quarter of 2014. The Greek Presidency of the Council of the EU published its compromise text on PSD2 in June 2014. The Italian Presidency, which took over the six-month rotating presidency of the Council on 1 July 2014, published a second compromise text in July 2014.

In a next step, the Commission, the European Parliament and the Council of the EU will have to agree on the final version of the forthcoming PSD2. Provided that there are no delays, it could be adopted by the end of this year or early 2015, and be implemented in national legislation some two years after its adoption.

(Sources cited in this article and other related information are included in the ‘related links’ below.)

European Commission introduces the notion of ‘third party payment service provider’ with the proposed PSD2

With the proposed PSD2, the Commission introduces the notion of ‘third party payment service provider (TPP)’. TPPs are described in PSD2 as payment service providers (PSPs) pursuing business activities which are based on access to payment accounts provided by a PSP who is not the ‘account servicing’ PSP, in the form of (a) payment initiation services and / or (b) account information services.

The focus of the rules proposed with PSD2 regarding the activities of TPPs is mainly on payment initiation services. The Explanatory Memorandum of the PSD2 proposal states that they “represent a viable and often cheaper payment alternative to card payments, attractive also for consumers who do not dispose of cards”. Instead of payment service users having to provide payment data and personal security credentials each time they buy something online, they could complete a transaction with fewer clicks, while the TPP actually initiates the payment ‘behind the scenes’.

Such ‘payment account access services’ are nothing new. Information on the availability of funds in a payer’s account is made available by regulated and supervised PSPs, as defined in the PSD, to other PSPs with, for example, millions of card transactions every day. These processes are governed by applicable international and national legal regimes and detailed in contractual agreements between the parties involved. The novelty is this: payment account access services are now also offered by ‘third-party service providers’ that are often merely non-licensed service providers and not PSPs. This is a more recent development. Unlike PSPs, non-licensed third-party service providers offering payment account access services are currently not subject to supervisory requirements.

The EPC fully acknowledges the existence of a market demand for granting third parties access to their online payment services in a regulated and secure way to enable a wider range of payment services to European merchants and consumers. The legislative process leading to the adoption of the PSD2 provides an excellent opportunity for the EU co-legislators, i.e. the European Parliament and the Council of the EU representing EU governments, to determine the appropriate legal and regulatory framework to foster consumer protection, innovation and competition in the European payments market, while guaranteeing a level playing field between all PSPs.

To achieve this goal, the EPC believes that substantial amendments to the Commission’s proposal will have to be agreed in the further dialogue between the co-legislators to ensure the security of bank customers’ funds and data with payment account access services under the forthcoming PSD2.

Protecting consumers’ funds and data with payment account access services: no sharing of any personalised security credentials with third parties

At a time when everyone is discussing how to increase security and data protection in the digital world, with its proposal for PSD2 the Commission effectively asks the co-legislators to tear down the ‘firewalls’ protecting consumers when making internet payments. Specifically, the Commission proposes abandoning the principle established with Article 56 of the PSD currently in effect that under no circumstances should a consumer share his or her personalised security credentials with third parties. Personalised security features include, for example, passwords and personal identification numbers (PINs) as well as mobile or indexed transaction authorisation numbers (TANs). Third parties are any party, including those offering payment initiation services, other than the account servicing PSP issuing such credentials to the account holder, i.e. the consumer.

The EPC disapproves of the possibility for TPPs to use the personal security credentials of the payment service user (i.e. the account holder or consumer) to get access to a customer’s account, thus impersonating the account holder. The EPC, therefore, strongly recommends maintaining the principle that a consumer should never have to share his or her personal security credentials with third parties. This is a pre-condition for ensuring the continued security of consumers’ funds and data in the online banking environment.

Instead of lowering consumer protection standards, the EPC advocates taking into account the principles outlined in the legal opinion of the European Central Bank on the proposed PSD2 with regard to consumer protection and open access to payment account services.

Recap: Article 56 of the PSD currently in effect clarifies that personalised security credentials must not be disclosed to third parties

Article 56 of the PSD currently in effect explicitly states that the payment service user (consumer) shall take all reasonable steps to keep his or her personalised security features safe. Clearly, this also means that the account holder cannot share his or her security credentials (such as his/her password) with a third party. Likewise, the account servicing payment service provider is obliged “to make sure that the personalised security features of the payment instrument are not accessible to parties other than the payment service user entitled to use the payment instrument, without prejudice to the obligations on the payment service user set out in Article 56” (Article 57, §1(A) PSD).

In line with the implications of Article 56 PSD currently in effect, educating consumers on security in the area of online (and cards) payments to date is based on this clear message: do not disclose personalised security features to third parties.

Council of the EU introduces the concept of “re-usable” and “non-reusable” personal security credentials

With its review of the Commission’s proposal, the Council of the EU representing EU governments introduced the concept of “re-usable and non-reusable” security credentials and considers that consumers may disclose “non-reusable” credentials to third parties. According to the Council of the EU, “credentials which by their nature are non-specific to an individual authentication session and which might be re-used for other purposes (than the original authentication)” would be considered “re-usable” personal security credentials. (The definition appears to relate to a source made available by the European Union Agency for Network and Information Security (ENISA); see ‘related links’ below.) The Council of the EU recommends that consumers should not share “re-usable” credentials with parties other than their own account servicing PSP. However, it endorses that consumers may disclose “non-reusable” personalised security credentials to third parties. This concept is based on the (erroneous) assumption that “non-reusable” credentials would not be vulnerable to being misused.

It is not possible to clearly define – and, for consumers, to distinguish between – “re-usable” and “non-reusable” personalised security credentials which, at any rate, are both vulnerable to misuse if shared with third parties

Difficulty of definition: what are “non-reusable” personalised security credentials?

The EPC points out that there is a broad range of credentials which by their nature are “non-specific to an individual authentication session”, i.e. “re-usable”, and therefore should not be disclosed to third parties according to the concept now considered by the Council of the EU. Trying to specify what exactly is covered by the terms “re-usable” and “non-reusable” would require a detailed technical analysis of the different solutions in the market. However, such technical descriptions are outside the scope of a European Directive such as the forthcoming PSD2, which should remain technology- and solution-neutral.

Sharing “non-reusable” personalised security credentials would add significant complexity to the process of developing such credentials aimed at ensuring the security of consumers’ funds and data

On a general note: personalised security credentials are developed by an account servicing PSP – and issued to the account holding consumer – to mitigate specific security threats identified with a risk analysis. If the lawmakers were to endorse a concept which foresees that consumers may share “non-reusable” credentials with third parties offering payment initiation services, in future the following factors would have to be taken into consideration:

  • Transactions are potentially carried out in an unsecure environment and / or using an unsecure device (e.g. PC, mobile phone, etc.) and / or consumer devices introduced by third parties not known to the account servicing payment service provider.
  • Means of identification / authentication by all parties, including the consumer, the account servicing PSP and a third party.
  • Use of unsecured open channels (internet, mobile telecommunication network).
  • Proof of consumer consent and ability of validation / verification that the “non-reusable” credentials shared by the consumer with a third party are binding with regard to a specific transaction (including the beneficiary and transaction amount).
  • Level of technical knowledge / understanding by a consumer required to distinguish between “re-usable” and “non-reusable” credentials, familiarity of a consumer with the website or application of his / her own account servicing PSP and awareness of the consumer about phishing attacks and malware.
  • Clear liability model in the event of a consumer’s decision to make use of a third party for payment initiation services and having shared his or her “non-reusable” security credentials with this third party. (In the view of the EPC, under no circumstances should the account servicing PSP be held liable for the mistakes, failures or for specific risks resulting from the sphere of activities of third parties.)

Taking into account the factors listed above would add significant complexity to the process of developing “non-reusable” personalised credentials that effectively ensure the security of consumers’ funds and data.

Increased risk exposure of consumers as a result of sharing “non-reusable” personalised security credentials with third parties

The risks involved with the sharing of “non-reusable” consumer credentials such as, for example, mobile TANs result from the overall security context in which internet payments are conducted. Unless the threats listed above are adequately addressed through a holistic security approach, the sharing of “non-reusable” consumer credentials may also lead to an increase of, among others, impersonation attacks, man-in-the-middle or man-in-the-browser attacks or relay attacks. Contrary to the assumptions of the Council of the EU, “non-reusable” personalised security credentials could be misused as easily as “re-usable” credentials if shared with third parties. Generally speaking, it is also obvious that risks will increase as more communication channels are involved in a remote payment and the handling of consumer credentials.

Ensuring the adequacy of the security mechanisms implemented in an internet payment system involving third parties would also require a prior analysis and certification from a security perspective of every single solution in the market down to the implementation level. Obviously, this would be a very complex approach, requiring the establishment of an appropriate oversight which would have to be adequately addressed in the forthcoming PSD2.
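The point that the factors above turn on (consent, and verification that a shared “non-reusable” credential is binding for one specific beneficiary and amount) can be made concrete with a small model. The following Python is an added example, not code from the EPC, the Council or any PSP: a constructed toy account-servicing PSP (ToyASPSP) issues either a plain one-time code or a code derived from the payee IBAN and amount, and its execute check shows what each kind does when the holder submits a different order than the customer intended. The key, IBANs and amounts are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed example (not from the EPC article): a toy account-servicing
# PSP that issues two kinds of one-time TAN and checks them when a payment
# order is submitted. Key, IBANs and amounts are made up.


class ToyASPSP:
    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)      # per-customer TAN secret (constructed)
        self._orders: dict[str, dict] = {}       # order_id -> state

    def issue_plain_tan(self) -> tuple[str, str]:
        """One-time code that is valid once but NOT tied to any payee or amount."""
        order_id = secrets.token_hex(8)
        tan = secrets.token_hex(3)
        self._orders[order_id] = {"kind": "plain", "tan": tan, "used": False}
        return order_id, tan

    def _bound_code(self, order_id: str, payee_iban: str, amount_cents: int) -> str:
        msg = f"{order_id}|{payee_iban}|{amount_cents}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:6]

    def issue_bound_tan(self, payee_iban: str, amount_cents: int) -> tuple[str, str]:
        """One-time code derived from the order details shown to the customer,
        as a transaction-bound mobile TAN would be."""
        order_id = secrets.token_hex(8)
        self._orders[order_id] = {"kind": "bound", "used": False}
        return order_id, self._bound_code(order_id, payee_iban, amount_cents)

    def execute(self, order_id: str, tan: str, payee_iban: str, amount_cents: int) -> bool:
        """Return True if the order is executed, False if the TAN is rejected."""
        state = self._orders.get(order_id)
        if state is None or state["used"]:
            return False                         # unknown order or replayed TAN
        if state["kind"] == "plain":
            ok = hmac.compare_digest(state["tan"], tan)
        else:
            # the submitted payee and amount must reproduce the issued code
            expected = self._bound_code(order_id, payee_iban, amount_cents)
            ok = hmac.compare_digest(expected, tan)
        if ok:
            state["used"] = True
        return ok


def demo() -> dict[str, bool]:
    """Scenario: the customer intends to pay 20.00 EUR to a merchant but hands
    the TAN to a third party, which submits a different order with it."""
    bank = ToyASPSP()
    merchant, other_account = "DE00MERCHANT0000000000", "DE00OTHER000000000000"

    # plain one-time TAN: usable once for whatever order its holder submits
    oid, tan = bank.issue_plain_tan()
    plain_diverted = bank.execute(oid, tan, other_account, 500_00)
    plain_replay = bank.execute(oid, tan, merchant, 20_00)

    # transaction-bound TAN: only the displayed payee and amount verify
    oid, tan = bank.issue_bound_tan(merchant, 20_00)
    bound_diverted = bank.execute(oid, tan, other_account, 500_00)
    bound_intended = bank.execute(oid, tan, merchant, 20_00)
    bound_replay = bank.execute(oid, tan, merchant, 20_00)

    return {
        "plain_tan_accepted_for_diverted_order": plain_diverted,
        "plain_tan_replay_rejected": not plain_replay,
        "bound_tan_rejected_for_diverted_order": not bound_diverted,
        "bound_tan_accepted_for_intended_order": bound_intended,
        "bound_tan_replay_rejected": not bound_replay,
    }
```

The model shows the two halves of the argument: a one-time code that is merely “non-reusable” is still accepted for any order its holder chooses, while binding it to payee and amount only helps if the issuing PSP controls the channel on which the customer sees those details, the consent is recorded against that one order, and the customer can tell the two kinds apart.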

The concept of sharing “non-reusable” security credentials with third parties would make the process too complex for consumers which might result in a lack of trust in online payments

As mentioned above, communication with bank customers today regarding personalised security credentials in line with the principles established with the PSD currently in effect is based on a clear message: these credentials serve as your firewall against security threats in the online banking environment. Therefore, do not disclose personalised security credentials to third parties.

Introducing the concept of “re-usable” and “non-reusable” security credentials requiring consumers to identify what is what, (and what to share or not with third parties), would add a level of complexity which might result in consequences surely not intended by the EU co-legislators: firstly, as opposed to making internet payments more convenient, these would become more cumbersome. Secondly, considering that “non-reusable” personalised security credentials are as vulnerable to misuse as “re-usable” ones are, the concept now contemplated by the Council of the EU might result in a lack of consumer trust in online payments.

EPC reiterates that personalised security credentials – regardless of whether these are “re-usable” or “non-reusable” – should not be shared with third parties

The only way forward to ensure an adequate level of consumer protection with the forthcoming PSD2 is to maintain trust and guarantee minimal risk exposure for consumers in the area of online payments. This includes establishing a clear liability model based on the principle that consumers must not share any personalised security credentials with any party other than the consumer’s own PSP. This approach allows straightforward security advice on online payments involving third parties to be conveyed to consumers, advice that can easily be understood and adhered to.

EPC invites lawmakers to consider the comments of the European Central Bank on the proposed PSD2 with regard to consumer protection and open access to payment account services

With its legal opinion on the proposed PSD2 published in February 2014, the European Central Bank (ECB) states: “In order to combine security requirements and customer protection with the idea of open access to payment account services, the ECB suggests that customers are appropriately authenticated by relying on a strong customer authentication system. TPPs could ensure this through either redirecting the payer in a secure manner to their account servicing payment service provider or issuing their own personalised security features. Both options should form part of a standardised European interface for payment account access. This interface should be based on an open European standard and allow any TPP to access payment accounts at any PSP throughout the [European] Union.”

The European Central Bank adds: “The standard could be defined by [European Banking Authority] in close cooperation with the ECB and include technical and functional specifications, as well as related procedures. Furthermore, third party payment service providers should: (a) protect the personalised security features of payment service users they issue themselves; (b) authenticate themselves in an unequivocal manner vis-à-vis the account servicing payment service provider(s); (c) refrain from storing data obtained when accessing payment accounts, apart from information that identifies payments they initiate, such as reference number, payer’s and payee’s IBAN [International Bank Account Number] as well as the transaction amount; and (d) refrain from using data for any purposes other than those explicitly permitted by the payment service user.”

The EPC invites the co-legislators to take these proposals by the European Central Bank into consideration during the ongoing review and further dialogue on the proposed PSD2.

Additional key considerations of the EPC with regard to the proposed new set of rules related to the activity of offering payment initiation and / or payment account information services

As previously reported, the EPC has also identified considerable scope for amendments of the proposed PSD2 with regard to the following aspects related to the activities of TPPs:

Authentication

The proposal currently does not seem to provide the certainty that the account servicing PSP will be notified – ex ante – about the consent from the payer in the case of each payment initiation or account information service. Also, in light of the proposed text of PSD2 the question arises whether the account servicing PSP should carry the burden of proof that a TPP acted with the explicit consent of the payment service user. Such a burden of proof to the disadvantage of the account servicing PSP would not appear appropriate.

Moreover, the account servicing PSP would not be in a position to comply with its own obligations to safeguard the funds of the payment service user if it were impossible for the online banking environment to reliably identify TPPs in an upfront manner. The EPC, therefore, recommends that PSPs should always be able to identify the TPP requesting access to a payment account. The use of TPPs for payment account access services must in each single case be visible to all actors involved.

Liability

Whereas there is a demand for simple and fast online payment processes (customers want to receive the goods and services they order over the internet without delay, merchants want to be paid immediately), the convenience of payment initiation and account information services has its price. Several existing operating models of third party providers expose customers, merchants and account servicing PSPs to various risks, for example risks related to weakened authentication (man-in-the-middle attacks, phishing) or to the abuse of (sensitive) payment account information.

The EPC has noted that the proposed PSD2 surprisingly provides for a liability of account servicing PSPs in the event of a payer’s decision to make use of a TPP for payment initiation services. Or, as Commission representatives have called it on several occasions, the account servicing PSP would be the “first port of call” for the payment service user. Account servicing PSPs are neither allowed nor able to control such involvement and yet would be expected to assume responsibility for it vis-à-vis the payer if anything does go wrong (e.g. an unauthorised transaction as a result of TPP involvement). Account servicing PSPs may be able to recover their losses from the TPP, but the risk and burden of recovery lie with the account servicing PSP (in the event that they are unsuccessful for any reason, such as insolvency of the TPP, or in case of an unsuccessful legal action). As the German Federal Financial Supervisory Authority (BaFin) spelled out in a recent article, the current version of PSD2 only provides for a minimum capital requirement of 50,000 euros for TPPs. BaFin correctly argues that “[I]t is questionable whether this liability base is sufficient given that internet fraud is on the increase and hackers are becoming more and more professional. It is likely that account servicing PSPs will be exposed to greater legal and operational risk.”

The EPC is of the opinion that under no circumstances should the account servicing PSP be held liable (take the bill) for the TPP’s mistakes, failures or for specific risks resulting from the TPP’s sphere of activities. The only exception to this principle would be in the event of a bilateral or multilateral agreement between the TPP and account servicing PSP concerning the terms of payment order initiations and account information services offered by such TPP.

On top of the shortcomings of the liability regime for account servicing PSPs set out above, the proposed Directive would oblige account servicing PSPs to grant access to their IT infrastructures and payment account data without financial compensation. As pointed out by BaFin, “the data has an intrinsic value as it allows deep insights into customer behaviour. If TPPs are given access to the account data, they could be tempted to capitalise on it.” Therefore, TPPs should only be allowed to access payment accounts upon the account holder’s specific instruction and on a case-by-case basis. The purpose of payment account access should be clearly determined and agreed between the TPP and the customer prior to any attempt to access the payment account, and the TPP’s involvement should be limited to the extent necessary to achieve this purpose (‘proportionality principle’).

To be clear, for payment initiation services this should be limited to a simple “yes” or “no” regarding the availability of funds or the confirmation of the receipt of the payment order. Furthermore, in the case of account information services, TPPs should not use the account information for purposes other than those explicitly requested by the account holder (e.g. for data mining, advertising, credit rating or data re-selling). (In this context, refer also to the ‘Final Recommendations for the Security of Payment Account Access Services Following the Public Consultation’ developed by the European Forum on the Security of Retail Payments.)
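The ECB’s redirect option quoted earlier, together with the EPC’s points in the Authentication and Liability sections (the account servicing PSP must be able to identify the TPP, consent must be recorded for each order, and the TPP should hold no more than the order data), can be modelled as a short exchange. The Python below is an added illustration, not code from the ECB, the EPC or any real TPP/PSP interface: ToyASPSP and ToyTPP are constructed classes, an HMAC key registered out of band stands in for the certificate-based TPP identification a real interface would use (an assumption), and the customer’s password is only ever checked at the account servicing PSP, which returns to the TPP nothing but the reference, payer and payee IBAN and amount. All keys, IBANs, balances and passwords are constructed.

```python
import hashlib
import hmac
import json
import secrets
import uuid

# Constructed model, not code from the ECB, the EPC or any real TPP/PSP
# interface: the TPP identifies itself to the account servicing PSP, the
# customer authenticates only at that PSP, and the TPP receives only the
# minimal order data. Keys, IBANs, balances and passwords are made up.

ALLOWED_TPP_FIELDS = {"reference", "payer_iban", "payee_iban", "amount_cents"}


class ToyASPSP:
    def __init__(self) -> None:
        self._tpp_keys: dict[str, bytes] = {}     # HMAC keys stand in for TPP certificates (assumption)
        self._customers: dict[str, tuple[bytes, str, int]] = {}  # id -> (pw hash, iban, balance)
        self._pending: dict[str, dict] = {}       # redirect token -> announced order
        self.audit: list[dict] = []               # every access is attributable to a TPP

    def register_tpp(self, tpp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._tpp_keys[tpp_id] = key
        return key

    def register_customer(self, cid: str, password: str, iban: str, balance: int) -> None:
        # plain SHA-256 is a simplification; a real PSP uses a proper password hash
        self._customers[cid] = (hashlib.sha256(password.encode()).digest(), iban, balance)

    def start_initiation(self, tpp_id: str, payload: bytes, signature: str) -> str:
        """Step 1: the TPP announces the order and authenticates itself."""
        key = self._tpp_keys.get(tpp_id)
        if key is None:
            raise PermissionError("unknown TPP")
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature):
            raise PermissionError("TPP authentication failed")
        token = secrets.token_urlsafe(16)
        self._pending[token] = {"tpp_id": tpp_id, **json.loads(payload)}
        self.audit.append({"event": "initiation_requested", "tpp_id": tpp_id, "token": token})
        return token   # the customer is redirected to the PSP carrying this token

    def customer_authorise(self, token: str, cid: str, password: str) -> dict:
        """Step 2: the customer authenticates at the PSP and consents to THIS order."""
        order = self._pending.pop(token, None)    # one token, one order, one use
        if order is None:
            raise ValueError("no such pending initiation")
        pw_hash, iban, balance = self._customers[cid]
        if not hmac.compare_digest(pw_hash, hashlib.sha256(password.encode()).digest()):
            raise PermissionError("customer authentication failed")
        if balance < order["amount_cents"]:
            raise ValueError("insufficient funds")
        self._customers[cid] = (pw_hash, iban, balance - order["amount_cents"])
        ref = str(uuid.uuid4())
        self.audit.append({"event": "consent_recorded", "tpp_id": order["tpp_id"],
                           "customer": cid, "reference": ref})
        # only the fields listed in the ECB opinion go back to the TPP
        return {"reference": ref, "payer_iban": iban,
                "payee_iban": order["payee_iban"], "amount_cents": order["amount_cents"]}


class ToyTPP:
    def __init__(self, tpp_id: str, key: bytes) -> None:
        self.tpp_id, self._key = tpp_id, key
        self.stored: list[dict] = []

    def initiate(self, bank: ToyASPSP, payee_iban: str, amount_cents: int) -> str:
        payload = json.dumps({"payee_iban": payee_iban, "amount_cents": amount_cents}).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        return bank.start_initiation(self.tpp_id, payload, sig)

    def receive_confirmation(self, confirmation: dict) -> None:
        if not set(confirmation) <= ALLOWED_TPP_FIELDS:   # data minimisation check
            raise ValueError("confirmation carries more than the permitted fields")
        self.stored.append(confirmation)


def run_flow() -> dict:
    bank = ToyASPSP()
    bank.register_customer("alice", "correct horse", "DE00PAYER000000000000", 100_00)
    tpp = ToyTPP("tpp-example", bank.register_tpp("tpp-example"))

    token = tpp.initiate(bank, "DE00PAYEE000000000000", 25_00)
    confirmation = bank.customer_authorise(token, "alice", "correct horse")  # password entered at the bank only
    tpp.receive_confirmation(confirmation)

    def rejected(fn, exc) -> bool:
        try:
            fn()
        except exc:
            return True
        return False

    rogue = ToyTPP("unregistered", secrets.token_bytes(32))
    return {
        "tpp_fields": sorted(tpp.stored[0]),
        "audit_identifies_tpp": all(e["tpp_id"] == "tpp-example" for e in bank.audit),
        "unregistered_tpp_rejected": rejected(lambda: rogue.initiate(bank, "DE00PAYEE000000000000", 1_00), PermissionError),
        "token_reuse_rejected": rejected(lambda: bank.customer_authorise(token, "alice", "correct horse"), ValueError),
        "balance_after": bank._customers["alice"][2],
    }
```

Two properties of this shape matter for the liability discussion: the audit trail ties every initiation and every recorded consent to a named TPP before any funds move, and the TPP’s stored record is checked against a fixed allow-list, so a later purpose other than the one the customer agreed to has no data to work with.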

Authorisation

The EPC recommends that all TPPs should be subject to authorisation prior to commencing the provision of their services. Any ‘grandfather rule’ (for currently operational TPPs, as envisaged under Article 97 of PSD2) should only foresee a limited period of transition – in the interest of the protection of the payment service user.

Under no circumstances should the need for a comprehensive licensing or authorisation regime for TPPs be linked to the total amount of payment transactions (executed annually, as envisaged under Article 10 in conjunction with Article 27 of PSD2), wherever the limits are set. Indeed, the number of transactions should not trigger the need for regulatory oversight and an adequate authorisation regime; instead it should be the risks related to the pursued activity. The mere fact that a third party directly intervenes in the payment transaction chain is of such a nature that TPPs should be subject to the same licensing and prudential regime as other PSPs in the chain.

EPC calls on legislators to give the necessary attention to data protection, limiting fraud risk, the identification of roles and related liabilities and the need for a level playing field

When considering amending the PSD, the co-legislators should give the necessary attention to data protection, limiting fraud risk, the identification of roles and related liabilities and the need for a level playing field, all of which constitute prerequisites to stimulating competition and supporting innovation. The draft text agreed by the European Parliament as well as the compromise text issued in June 2014 by the Presidency of the Council of the EU introduce several changes to the Commission’s proposal. However, additional amendments will have to be agreed in the further dialogue between the co-legislators to ensure the security of bank customers’ funds and data with payment account access services under the forthcoming PSD2.

Interim solution would be required to address the current lack of a legal framework regarding the licensing of TPPs until the revised PSD is fully implemented in Member States

It has to be kept in mind that Directives, such as the forthcoming PSD2, lay down certain end results that must be achieved in every Member State. This means: national authorities have to adapt their laws to meet these goals, i.e. they have to implement an EU Directive, but are free to decide how to do so. National implementation measures are texts officially adopted by the authorities in a Member State to incorporate the provisions of an EU Directive into national law. The Commission proposes that Member States are given two years to implement PSD2 into national law following (pending) adoption of the final revised Directive by the co-legislators. (By comparison: Regulations have binding legal force throughout every Member State, on a par with national laws, as of an effective date determined by the co-legislators.)

In the view of the EPC, therefore, an interim solution would be required to address the current lack of a legal framework regarding the licensing of TPPs until the revised PSD is fully implemented in Member States’ legislation and effective.

Don’t throw the baby out with the bathwater. Lowering consumer protection standards risks resulting in the opposite of payment innovation

Lowering consumer protection standards in the area of payment initiation services is not the appropriate means to incentivise innovation and competition to the benefit of payers (consumers) and payees (merchants). Rather, it risks resulting in the opposite of the stated intentions. The EPC has repeatedly stressed: convenience is a priority; security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two. Anyone with an interest in incentivising payers and payees to embrace innovative payment solutions – regardless of whether these are offered by ‘banks’ or ‘non-banks’, existing or new players – should adhere to the principle of ‘safety first’. The impact of any security breach on consumers’ trust in forward-looking payment technologies will hardly be conducive to realising the Commission’s “Digital Agenda” and vision of Europe being “at the cutting edge of what ‘making a payment’ could mean in the future.” [2]

Javier Santamaría is the Chair of the EPC.

 

Related links:

EPC Blog (April 2014): PSD2: The New Article 67, (‘Refunds for Payment Transactions Initiated By or Through a Payee’), Proposed by the European Commission Risks Undermining Consumer’s Unconditional Refund Right for Direct Debits Included with the SEPA Direct Debit Core Scheme  

European Commission Website: Directive on Payment Services (PSD)

European Commission (24 July 2013): Proposal for a Revised Payment Services Directive (PSD2) (the formal title of this proposed legislative act is “Proposal for a Directive of the European Parliament and of the Council [of the EU] on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC”)  

European Commission (24 July 2014): Payment Services Directive and Interchange Fees Regulation: Frequently Asked Questions  

European Parliament Economic and Monetary Affairs Committee (ECON) Website  

European Parliament Economic and Monetary Affairs Committee (ECON) (11 March 2014): Report on the Proposal for a Directive of the European Parliament and of the Council on Payment Services in the Internal Market and Amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and Repealing Directive 2007/64/EC

Council of the European Union Website

Council of the European Union (27 June 2014): Proposal for a Directive of the European Parliament and of the Council on Payment Services in the Internal Market and Amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and Repealing Directive 2007/64/EC - Presidency Compromise

Council of the European Union (23 July 2014): Proposal for a Directive of the European Parliament and of the Council on Payment Services in the Internal Market and Amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and Repealing Directive 2007/64/EC - Presidency Compromise

European Union Agency for Network and Information Security (ENISA): ‘Flash Note: EU Cyber Security Agency ENISA; “High Roller” Online Bank Robberies Reveal Security Gaps’ 

European Central Bank (5 February 2014): Opinion on a Proposal for a Directive of the European Parliament and of the Council on Payment Services in the Internal Market and Amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and Repealing Directive 2007/64/EC 

European Central Bank: Final Recommendations for the Security of Payment Account Access Services Following the Public Consultation (developed by the European Forum on the Security of Retail Payments)  

BaFin - Federal Financial Supervisory Authority (16 June 2014): Payment Services Directive II: Risks and serious consequences for users and banks. Dr. Josef Kokert, Dr. Markus Held / BaFin section for IT infrastructure of banks

European Parliament Website: Legislative Powers  

European Commission Website: Application of EU Law/Directives  

European Commission Communication: A Digital Agenda for Europe   

 

Related articles in this issue:

SEPA 2.0: an Overview of Regulatory Action Now in the Pipeline Impacting the European Payments Market Going Forward. The European authorities have clarified that migration to harmonised SEPA payment schemes and technical standards does not conclude this EU integration project

Evolution and Oversight of the SCT and SDD Schemes: the Role of the European Commission and of the European Central Bank. The SEPA payment schemes in the legal and regulatory context

 

Related articles in previous issues: 

Card Interchange Fees Regulation: What is the Right Question? A commentary on the European Commission proposal for a new Regulation on interchange fees for card-based payment transactions (EPC Newsletter, Issue 21, January 2014)

The Concept of an Open Standard Interface for Controlled Access to Payment Services (CAPS). A commentary: “Access to accounts – why banks should embrace an open future.” (EPC Newsletter, Issue 21, January 2014)

EPC Newsletter: Articles Published in the Section ‘Legal and Regulatory Issues’

 

[1] The Council of the EU is the institution where the Member States’ government representatives sit, i.e. the ministers of each Member State with responsibility for a given policy area.

[2] European Commission Press Release (11 January 2012): ‘Breaking down barriers to secure and innovative card, internet and mobile payments’.


