On 24 July 2013 the European Commission (the Commission) published its proposal for a revised Payment Services Directive (PSD2). This draft legislative act remains subject to review and adoption, respectively, by the European Union (EU) co-legislators. These are the European Parliament and the Council of the EU. (The Council of the EU is the EU institution where the EU Member States’ government representatives sit, i.e. the ministers of each EU Member State with responsibility for a given policy area.)
The Commission stated in its related ‘Frequently Asked Questions’ that its proposal for PSD2 aims, among other things, to “take account of new types of payment services (such as payment initiation services offered in the context of e-commerce)” and to ensure “a high level of consumer protection and of payments security”. It is the task of the European Parliament and the Council of the EU to determine whether the new rules related to payment initiation or payment account information services proposed by the Commission indeed ensure a high level of consumer protection and payments security.
In the view of the European Payments Council (EPC), this is not the case. Rather, at a time when everyone is discussing how to increase security and data protection in the digital world, the Commission effectively asks the EU co-legislators to tear down the ‘firewalls’ protecting consumers when making internet payments. Specifically, the Commission proposes abandoning the principle established with Article 56 of the PSD currently in effect that under no circumstances should a consumer share his or her personalised security credentials with third parties. Personalised security features include, for example, passwords and personal identification numbers (PINs) as well as mobile or indexed transaction authorisation numbers (TANs). Third parties are any party, including those offering payment initiation services, other than the account servicing payment service provider issuing such credentials to the account holder, i.e. the consumer.
The EPC strongly recommends maintaining the principle that a consumer should never have to share his or her personal security credentials with third parties. This is a pre-condition to ensuring the continued security of consumer’s funds and data in the online banking environment.
This blog addresses considerations with regard to the sharing of personalised security credentials now discussed by the working party of the Council of the EU tasked to review the proposed PSD2. The working party introduced the concept of “re-usable and non-reusable” security credentials and considers that consumers may disclose “non re-usable” credentials to third parties.
The EPC believes that it is not feasible to clearly define – and, for consumers, to distinguish between – “re-usable” and “non-reusable” credentials. Consequently, the EPC emphasises that the principle to not disclose personalised security credentials should continue to apply with regard to any such credentials regardless of whether these are “re-usable” or not.
Instead of lowering consumer protection standards, the EPC advocates taking into account the principles outlined in the legal opinion of the European Central Bank on the proposed PSD2 with regard to consumer protection and open access to payment account services.
(Sources cited in this blog and other related information are included in the ‘related links’ below.)
Recap: Article 56 of the PSD currently in effect clarifies that personalised security credentials must not be disclosed to third parties
The existing PSD was implemented in most Member States by November 2009. Article 56 of the PSD currently in effect explicitly states that the payment service user (consumer) shall take all reasonable steps to keep its personalised security features safe. Clearly, this also means that the account holder cannot share his or her security credentials (such as his/her password) with a third party. Likewise, the account servicing payment service provider is obliged “to make sure that the personalised security features of the payment instrument are not accessible to parties other than the payment service user entitled to use the payment instrument, without prejudice to the obligations on the payment service user set out in Article 56” (Article 57, §1(A) PSD).
In line with the implications of Article 56 PSD currently in effect, educating consumers on security in the area of online (and cards) payments to date is based on this clear message: do not disclose personalised security features to third parties.
It is not possible to clearly define – and, for consumers, to distinguish between – “re-usable” and “non-reusable” personalised security credentials which, at any rate, are both vulnerable to misuse
As mentioned above, the working party of the Council of the EU, tasked with reviewing the proposed PSD2, considers introducing the concept of “re-usable” and “non re-usable” personalised security features. According to the working party, “credentials which by their nature are non-specific to an individual authentication session and which might be re-used for other purposes (than the original authentication)” would be considered “re-usable” personal security credentials. (The definition appears to relate to a source made available by the EU Agency for Network and Information Security; see ‘related links’ below). The Council’s working party recommends that consumers should not share “re-usable” credentials with parties other than their own account servicing payment service provider. However, the working party endorses that consumers may disclose “non re-usable” personalised security credentials to third parties. This concept is based on the (erroneous) assumption that “non re-usable” credentials would not be vulnerable to being misused.
Difficulty of definition: what are “non re-usable” personalised security credentials?
The EPC points out that there is a broad range of credentials which by their nature are “non-specific to an individual authentication session”, i.e. “re-usable” and therefore, should not be disclosed to third parties according to the concept now considered by the working party of the Council of the EU. Trying to specify what exactly is covered by the terms “re-usable” and “non re-usable” would require a detailed technical analysis of the different solutions in the market. However, such technical descriptions are outside the scope of a European Directive such as the forthcoming PSD2, which should remain technology- and solution-neutral.
Sharing “non re-usable” personalised security credentials would add significant complexity to the process of developing such credentials aimed at ensuring the security of consumer’s funds and data
On a general note: personalised security credentials are developed by an account servicing payment service provider – and issued to the account holding consumer – to mitigate specific security threats identified with a risk analysis. If the lawmakers would endorse a concept which foresees that consumers may share “non re-usable” credentials with third parties offering payment initiation services, in future the following factors would have to be taken into consideration:
- Transactions are potentially carried out in an insecure environment and / or using an insecure device (e.g. PC, mobile phone, etc) and / or consumer devices introduced by third parties not known to the account servicing payment service provider.
- Means of identification / authentication by all parties, including the consumer, the account servicing payment service provider and a third party.
- Use of unsecured open channels (internet, mobile telecommunication network).
- Proof of consumer consent and ability of validation / verification that the “non re-usable” credentials shared by the consumer with a third party are binding with regard to a specific transaction (including the beneficiary and transaction amount).
- Level of technical knowledge / understanding by a consumer required to distinguish between “re-usable” and “non re-usable” credentials, familiarity of a consumer with the website or application of his / her own account servicing payment service provider and awareness of the consumer about phishing attacks and malware.
- Clear liability model in the event of a consumer’s decision to make use of a third party for payment initiation services and having shared his or her “non re-usable” security credentials with this third party. (In the view of the EPC, under no circumstances should the account servicing payment service provider be held liable for the mistakes, failures or for specific risks resulting from the sphere or activities of third parties.)
Taking into account the factors listed above would add significant complexity to the process of developing “non re-usable” personalised credentials that effectively ensure the security of consumer’s funds and data.
The risks involved with the sharing of “non re-usable” consumer credentials such as, for example, mobile TANs result from the overall security context in which internet payments are conducted. Unless the threats listed above are adequately addressed through a holistic security approach, also the sharing of “non re-usable” consumer credentials may lead to an increase of, among others, impersonation attacks, man-in-the-middle or man-in-the-browser attacks or relay attacks. Contrary to the assumptions of the Council’s working party, “non re-usable” personalised security credentials could be misused as easily as “re-usable” credentials if shared with third parties. Generally speaking, it is also obvious that risks will increase the more communication channels are involved in a remote payment and the handling of consumer credentials.
Ensuring the adequacy of the security mechanisms implemented in an internet payment system involving third parties would also require a prior analysis and certification from a security perspective of every single solution in the market up to the implementation level. Obviously, this would be a very complex approach, requiring the establishment of an appropriate oversight which would have to be adequately addressed in the forthcoming PSD2.
The concept of sharing “non re-usable” security credentials with third parties would make the process too complex for consumers which might result in a lack of trust in online payments
As mentioned above, communication with bank customers today regarding personalised security credentials in line with the principles established with the PSD currently in effect is based on a clear message: these credentials serve as your firewall against security threats in the online banking environment. Therefore, do not disclose personalised security credentials to third parties.
Introducing the concept of “re-usable” and “non re-usable” security credentials requiring consumers to identify what is what (and what to share or not with third parties) would add a level of complexity which might result in consequences surely not intended by the co-legislators: firstly, as opposed to making internet payments more convenient, these would become more cumbersome. Secondly, considering that “non re-usable” personalised security credentials are as vulnerable to misuse as are “re-usable” ones, the concept now contemplated by the working party of the Council of the EU might result in a lack of consumer trust in online payments.
EPC reiterates that personalised security credentials – regardless of whether these are “re-usable” or “non re-usable” – should not be shared with third parties
The only way forward to ensure an adequate level of consumer protection with the forthcoming PSD2 is to maintain trust and guarantee minimal risk exposure for consumers in the area of online payments. This includes establishing a clear liability model based on the principle that consumers must not share any personalised security credentials with any other party than the consumer’s own payment service provider. This approach allows conveying straightforward security advice to consumers with respect to online payments involving third parties that can easily be understood and adhered to.
EPC invites lawmakers to consider the comments of the European Central Bank on the proposed PSD2 with regard to consumer protection and open access to payment account services
With its legal opinion on the proposed PSD2 published in February 2014, the European Central Bank (ECB) states: “In order to combine security requirements and customer protection with the idea of open access to payment account services, the ECB suggests that customers are appropriately authenticated by relying on a strong customer authentication system. [third party payment service providers] could ensure this through either redirecting the payer in a secure manner to their account servicing payment service provider or issuing their own personalised security features. Both options should form part of a standardised European interface for payment account access. This interface should be based on an open European standard and allow any to access payment accounts at any [payment service provider] throughout the [European] Union.”
The European Central Bank adds: “The standard could be defined by [European Banking Authority] in close cooperation with the ECB and include technical and functional specifications, as well as related procedures. Furthermore, third party payment service providers should: (a) protect the personalised security features of payment service users they issue themselves; (b) authenticate themselves in an unequivocal manner vis-à-vis the account servicing payment service provider(s); (c) refrain from storing data obtained when accessing payment accounts, apart from information that identifies payments they initiate, such as reference number, payer’s and payee’s IBAN [International Bank Account Number] as well as the transaction amount; and (d) refrain from using data for any purposes other than those explicitly permitted by the payment service user.”
The EPC invites the co-legislators, i.e. the Council of the EU and the European Parliament, to take these proposals by the European Central Bank into consideration during the ongoing review and further dialogue on the proposed PSD2.
Don’t throw the baby out with the bathwater. Lowering consumer protection standards risks resulting in the opposite of payment innovation
Lowering consumer protection standards in the area of payment initiation services is not the appropriate means to incentivise innovation and competition to the benefit of payers (consumers) and payees (merchants). Rather, it risks resulting in the opposite of the stated intentions. The EPC has repeatedly stressed: Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two. Anyone with an interest in incentivising payers and payees to embrace innovative payment solutions – regardless of whether these are offered by ‘banks’ or ‘non-banks’, existing or new players – should adhere to the principle of ‘safety first’. The impact of any security breach on consumers’ trust in forward-looking payment technologies will hardly be conducive to realising the Commission’s “Digital Agenda” and vision of Europe being “at the cutting edge of what ‘making a payment’ could mean in the future.”
Related links
- EPC Blog (March 2014): PSD2: EPC Identifies Considerable Scope for Amendments of the Proposed New Set of Rules Related to the Activity of Third Party Payment Service Providers Offering Payment Initiation or Payment Account Information Services
- EPC Blog (August 2013): On the Difference between Innovation and the Wild West: How to Ensure the Security of Bank Customers’ Funds and Data with Payment Account Access Services
- EPC Blog (April 2014): PSD2: The New Article 67, (‘Refunds for Payment Transactions Initiated By or Through a Payee’), Proposed by the European Commission Risks Undermining Consumer’s Unconditional Refund Right for Direct Debits Included with the SEPA Direct Debit Core Scheme
- EPC Newsletter: Articles Published in the Section ‘Legal and Regulatory Issues’
- European Commission (24 July 2013): Proposal for a Revised Payment Services Directive (PSD2) (the formal title of this proposed legislative act is “Proposal for a Directive of the European Parliament and of the Council [of the EU] on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC”)
- European Commission (24 July 2014): Payment Services Directive and Interchange Fees Regulation: Frequently Asked Questions
- European Union Agency for Network and Information Security (ENISA): ‘Flash Note: EU Cyber Security Agency ENISA; “High Roller” Online Bank Robberies Reveal Security Gaps’
- European Central Bank (5 February 2014): Opinion on a Proposal for a Directive of the European Parliament and of the Council on Payment Services in the Internal Market and Amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and Repealing Directive 2007/64/EC
- European Central Bank: Final Recommendations for the Security of Payment Account Access Services Following the Public Consultation (developed by the European Forum on the Security of Retail Payments)
- European Parliament Economic and Monetary Affairs Committee (ECON) Website
- European Parliament Economic and Monetary Affairs Committee (ECON) (11 March 2014): Report on the Proposal for a Directive of the European Parliament and of the Council on Payment Services in the Internal Market and Amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC
- European Parliament Website: Legislative Powers
- Council of the European Union Website
- European Commission Website: Application of EU Law/Directives
- European Commission Communication: A Digital Agenda for Europe