
EPC Blog: PSD2 – EPC calls on EU lawmakers to maintain the firewall protecting consumers making internet payments. This means: no sharing of any personalised security credentials with third parties.

12 June 14


On 24 July 2013 the European Commission (the Commission) published its proposal for a revised Payment Services Directive (PSD2). This draft legislative act remains subject to review and adoption, respectively, by the European Union (EU) co-legislators. These are the European Parliament and the Council of the EU. (The Council of the EU is the EU institution where the EU Member States’ government representatives sit, i.e. the ministers of each EU Member State with responsibility for a given policy area.)

The Commission stated in its related ‘Frequently Asked Questions’ that its proposal for PSD2 aims, among other things, to “take account of new types of payment services (such as payment initiation services offered in the context of e-commerce)” and to ensure “a high level of consumer protection and of payments security”. It is the task of the European Parliament and the Council of the EU to determine whether the new rules related to payment initiation or payment account information services proposed by the Commission indeed ensure a high level of consumer protection and payments security.

In the view of the European Payments Council (EPC), this is not the case. Rather, at a time when everyone is discussing how to increase security and data protection in the digital world, the Commission effectively asks the EU co-legislators to tear down the ‘firewalls’ protecting consumers when making internet payments. Specifically, the Commission proposes abandoning the principle established with Article 56 of the PSD currently in effect that under no circumstances should a consumer share his or her personalised security credentials with third parties. Personalised security features include, for example, passwords and personal identification numbers (PINs) as well as mobile or indexed transaction authorisation numbers (TANs). A third party is any party, including those offering payment initiation services, other than the account servicing payment service provider issuing such credentials to the account holder, i.e. the consumer.

The EPC strongly recommends maintaining the principle that a consumer should never have to share his or her personal security credentials with third parties. This is a pre-condition to ensuring the continued security of consumers’ funds and data in the online banking environment.

This Blog (see ‘related links’ below) addresses considerations with regard to the sharing of personalised security credentials now discussed by the working party of the Council of the EU tasked to review the proposed PSD2. The working party introduced the concept of “re-usable and non-reusable” security credentials and considers that consumers may disclose “non re-usable” credentials to third parties.

The EPC believes that it is not feasible to clearly define – and, for consumers, to distinguish between – “re-usable” and “non-reusable” credentials. Consequently, the EPC emphasises that the principle to not disclose personalised security credentials should continue to apply with regard to any such credentials regardless of whether these are “re-usable” or not.

Instead of lowering consumer protection standards, the EPC advocates taking into account the principles outlined in the legal opinion of the European Central Bank on the proposed PSD2 with regard to consumer protection and open access to payment account services.

The EPC stresses again: Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two.
