Security of online payments
Essential to eCommerce growth
Gijs Boudewijn, Deputy Director
2014 European Consumer Summit, Brussels, April 1st, 2014

ePayments are important for eCommerce ...
“This position paper states 10 recommendations for a stronger payment landscape in Europe:*)
• Recommendation 1: Move forward with ‘access to the account’ for third party payment providers duly licensed within the scope of a revised PSD
• Recommendation 2: Communicate adequately to educate both consumers and merchants about the possibilities and conditions for this new class of payment initiation instrument
• Recommendation 3: We ask European authorities to provide a structure for contractual and technical arrangements to assure legal clarity and technical scalability of third party services
• Recommendation 4: Merchants welcome solutions that re-use existing authentication methods to improve security, protect users’ privacy and streamline user experience (…)”
*) From: ‘10 Recommendations for a Stronger e-Payments Landscape in Europe’, http://www.ecommerce-europe.eu

ePayments are also about trust ...
• 100% security does not exist
• Dutch example: five simple and standardized safety rules, drawn up jointly by the payment service providers and the consumer’s representatives. What do you need to do?
  1. Keep your security codes secret.
  2. Make sure your bank card is never used by anyone else.
  3. Make sure that the devices you use for electronic banking are properly secured.
  4. Monitor your bank account activity.
  5. Report any incidents to the bank immediately and follow any instructions given to you by the bank.
• When these rules are observed to a reasonable extent, consumers can be assured they will be reimbursed in case of fraud

PSD2 – balancing competition, innovation, security and consumer protection?
• Extends the scope to include Payment Initiation Services and Account Information Services
• Provides for licensing Third Party Payment service providers (TPPs) providing these services, for which they need access to consumers’ payment accounts
• Harmonises and improves operational and security requirements – SecuRe Pay recommendations
• Explicitly allows re-use of the consumer's personal security credentials by the TPP ('impersonation')
• Concerns on security, data protection and liabilities between TPPs, Account Servicing PSPs (AS PSPs) and account holders (consumers)

TPP access to the account – basic model
Like a ‘man in the middle’, it seems as if the consumer is accessing the account, but it is in fact the TPP, unknown to the Account Servicing PSP ('impersonation').
Current technical methods used by the TPP:
• Via a website
• Via a browser plug-in
• Via an app
Source: KPMG Advisory N.V., 2012

Re-using personal credentials by third parties creates risks
A third party with criminal intent could:
• Modify the amount and the recipient of the payment (which is the typical fraud case today)
• Gain access to other financial products of the consumer which can be accessed via internet banking (such as savings accounts, bank statements, loans, securities portfolios, mortgages and insurances)
• Take over the consumer’s account (e.g. changing the consumer’s contact details and thus the recipient of new credentials, cards, statements …)
But how can the average consumer know if a TPP is duly licensed or a party with criminal intent?
A feasible secure solution according to the European Central Bank
In its recent “Public note on security of payment account access services” the ECB recommends to:
• Set up European open standards for secure interfacing of TPPs with AS PSPs, for authenticating the TPP by the AS PSP
• Set up standards and communication protocols for secure information exchanges with the AS PSP
• Require strong customer authentication to identify the consumer. This is based on two or more of the following elements: knowledge (e.g. a code), possession (e.g. a token) and being (e.g. fingerprint).

A feasible secure solution according to the European Central Bank (continued)
Strong customer authentication can be realised either by:
- the TPP redirecting the payer in a secure manner to its AS PSP (such as iDEAL), or
- the TPP issuing its own personalised security features
• TPPs should also:
- Protect the personalised credentials they issue themselves
- Authenticate themselves in an unequivocal manner to the AS PSP
- Refrain from storing data obtained, apart from information necessary to identify the payment, and
- Refrain from using data for any purposes other than explicitly permitted

So, where are we now?
• The Commission’s PSD2 proposal of July 2013 does not sufficiently accommodate the security concerns …
• The ECB public note came very late in the legislative process …
• The European Parliament made the issue perhaps worse through a multitude of amendments (Plenary vote on ECON report in two weeks ...)
• However: the Council work may still rectify some of the issues, and there's always the trilogue …
• The question is not if third party access will be possible, but how we can make it work in a secure way to the benefit of EU businesses and consumers; it’s all about striking the right balance between security, innovation, competition and consumer protection …

Questions?
g.boudewijn@betaalvereniging.nl
T. +31 20 305 19 21
M. +31 6 5144 0529
Gustav Mahlerplein 33-35
1082 MS Amsterdam
The Netherlands
www.betaalvereniging.nl
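The two access models the deck contrasts (credential re-use in the 'basic model', where the AS PSP cannot tell the consumer from the TPP, versus the ECB's redirect model with the TPP authenticating itself and the consumer performing strong customer authentication with two elements), as an added Python model that is not part of the slides. The bank, TPP, user, keys and IBAN-style values are constructed sample data, and binding the possession-element OTP to the confirmed amount and recipient is an assumed implementation detail that goes beyond what the slides state.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    amount: str      # decimal string, e.g. "25.00" (constructed sample values)
    recipient: str   # IBAN-like identifier (constructed sample values)


def otp_for(token_key: bytes, payment: Payment) -> str:
    """Possession element (assumed design): the consumer's token signs exactly what it
    displays (amount + recipient), so a payment altered in transit yields a different OTP."""
    msg = f"{payment.amount}|{payment.recipient}".encode()
    return hmac.new(token_key, msg, hashlib.sha256).hexdigest()[:8]


class AccountServicingPSP:
    """Toy AS PSP (the consumer's bank). All credentials are constructed sample data."""

    def __init__(self):
        self.passwords = {"alice": "s3cret"}             # knowledge element
        self.token_keys = {"alice": b"alice-token-key"}   # possession element (shared with her token)
        self.licensed_tpps = {"tpp-1": b"tpp-1-api-key"}  # TPPs that can authenticate themselves
        self.audit = []                                   # (user, initiator, payment)

    # Model 1 ('basic model' slide): the TPP logs in with the consumer's own credentials.
    # The bank sees a valid password and cannot tell consumer, licensed TPP or criminal apart.
    def pay_with_shared_credentials(self, user, password, payment):
        if self.passwords.get(user) != password:
            return "rejected"
        self.audit.append((user, "initiator unknown", payment))
        return "executed"

    # Model 2 (ECB slide): the TPP authenticates itself unequivocally, and the consumer
    # performs strong customer authentication at the bank: knowledge (password) plus
    # possession (OTP bound to the amount and recipient the consumer actually confirmed).
    def pay_via_redirect(self, tpp_id, tpp_key, user, password, otp, payment):
        expected_key = self.licensed_tpps.get(tpp_id, b"")
        if not hmac.compare_digest(expected_key, tpp_key):
            return "unknown TPP"
        if self.passwords.get(user) != password:
            return "rejected"
        if not hmac.compare_digest(otp_for(self.token_keys[user], payment), otp):
            return "SCA failed"
        self.audit.append((user, tpp_id, payment))
        return "executed"
```

In model 1 the audit trail can only ever record the account holder as initiator; in model 2 the TPP is named in the trail and a payment whose amount or recipient differs from what the consumer confirmed fails SCA.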