Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2


Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

The British Retail Consortium is the lead trade association within the UK for the entire retail industry — an exciting, diverse and dynamic industry undergoing transformational change. Our industry spans large multiples, independents, high streets and out of town, from online to bricks and mortar, selling goods across all industries from clothing, footwear, food, homeware and electronics, health & beauty, jewellery and everything in between, to increasingly discerning consumers. UK retail sales in 2015 amounted to £339 billion, generated by 60 million customers making 120 million transactions per week. UK retail is therefore one of the largest acceptors of payment products, of which an increasing proportion are electronic payment cards.

Historically the BRC worked as part of the team that introduced and developed the technical and operational standards for handling Chip & PIN transactions. Over recent years, as more card payment transactions have come to occur through a multiplicity of sales channels, it has become critical for all customers and retailers that individual customers know, and have confidence in, how payments are handled securely whichever sales channel they choose to use. However, the need to implement changes now applies exclusively to the online environment, where the incidence of fraud is high and the RTS have a clear role to play, as opposed to proximity payments, where the incidence of fraud is low and new RTS will cause unnecessary expense and disruption if not designed around the existing well-functioning and commonly used payment methods. In short, the need for new RTS under PSD2 should be proportionate to the risk of fraud.

The BRC welcomes the view of the EBA that the RTS should be developed at a higher rather than a granular level; however, the BRC does not agree that the RTS should be applied to proximity payments. Proximity payments, such as contactless and EMV Chip & PIN payments, are relatively secure forms of payment and were not the focus of PSD2 provisions with regards to strong customer authentication. If the EBA were to adopt this view, then the exemptions for contactless transactions would become unnecessary.

Nevertheless, the BRC assumes that EMV Chip & PIN transactions utilise, for the purposes of the RTS, strong customer authentication on the basis that such payments require the possession of a bank card and the knowledge of a code linked to that payment method (the PIN). The BRC also assumes that payments made using a device upon which a card is enabled (for example a mobile phone via ApplePay, AndroidPay or SamsungPay) meet the strong customer authentication criteria on the basis that such payments require the possession of the bank card enabled device and the knowledge of a code linked to that payment method (to unlock the device or access the payment application). As these payment methods are already in common usage and the incidence of fraud through them is low, it would not be in the interest of any stakeholder for new RTS to disrupt these proven payment methods. Indeed, if the RTS were to apply to such proximity payment methods then the EBA ought to design the RTS around these existing and well-functioning payment methods rather than cause significant cost and disruption to the retail and payments industries.

The BRC believe that new RTS should be applied exclusively to payments made online and, given the much higher incidences of fraud through remote payment channels, that this is indeed the intended focus of PSD2 provisions with regards to strong customer authentication. Within this context, the BRC welcomes the EBA proposals for a one-time only authentication code. This could be a positive development that strips the value from transaction data, which is often targeted by fraudsters, and in turn could help to make retailers and other businesses a less appealing target for fraud and cyber-attacks. The BRC notes that steps to deliver such an outcome have already started to be implemented by card payment schemes through tokenisation initiatives.

The BRC notes that proposed procedures for dynamic linking could encumber current tokenisation initiatives whilst the outcomes that the EBA hopes to secure through dynamic linking might in fact be secured through current initiatives for a Payment Account Reference (PAR).

The EBA should be cognisant of instances where new RTS will impose additional and unnecessary burdens on the end-users that the RTS are being designed to protect. To this effect, the EBA should clearly define how the RTS will sit alongside the international card scheme rules for customer authentication: for example, whether the card schemes will be mandated to change their rules and, if so, by when, and how the responsibility for implementing new RTS will be prevented from being passed solely on to retailers. For example, the BRC are strongly opposed to any requirement for dynamic linking if the burden for delivering this additional layer of payment information is placed on, or passed down to, retailers themselves. Retailers, like consumers, are end-users of the payments system and have invested heavily in payment infrastructure across their estates. The adaptation of this payment infrastructure is time-consuming and requires significant unbudgeted spending, culminating in large costs to retailers. The roll-out of Chip & PIN, for example, has already cost more than £1bn in the UK. It is also important that any initiatives advanced by the EBA are compatible with the PCI-DSS requirements that are already under development, to ensure a coherent solution.

In all cases where strong customer authentication takes place the BRC strongly contend that the merchant must be guaranteed payment. The BRC therefore looks to the EBA to ensure that this principle is applied and enforced across all transactions that utilise strong customer authentication whether they take place online – where the BRC believe the RTS apply, or whether they take place as proximity payments – where the BRC believe the RTS do not apply. The BRC does believe that the EBA has a role in ensuring that all card payments schemes and processing companies provide a fair service to their customers.

For all payments where new RTS apply, it is critical that the RTS should enhance the payment standards that already exist within the UK today. Any changes proposed must ensure that retailers, and their customers, can complete sales transactions in a simple, quick and efficient manner that is appropriate to the value of transaction. The customer journey must not be compromised and the following principles should be maintained:

• Simple and easy for our customers to authenticate themselves
• Cost effective and simple for retailers to implement
• Achieves the required level of security to guarantee payment by the card issuer and/or payment provider for the transaction
• Retailers should be able to choose how to implement strong customer authentication that is appropriate to their individual business model – implementation should not be mandated

Consideration must also be given to the legal structure within any country (in our case the UK) which already protects consumers.

Unfortunately, as it stands, the draft RTS impose a one-size-fits-all approach to managing risk and leave no role for merchants in assessing risk. The EBA proposal that only a card-issuing bank can make a risk decision is a mistake. The RTS should allow merchants to perform risk assessments if they can demonstrate they are doing so effectively. A competent merchant can be as well positioned to control risk as a card issuer, because they have access to large amounts of equally predictive customer data relevant to their individual business. Preventing merchants from using their capabilities would mean removing flexible and simple payment capabilities that European consumers currently enjoy. Furthermore, fraudsters increasingly attempt to trick consumers into authenticating payments, yet it is far more difficult for a fraudster to fool a behavioural model with authentication used appropriately based on multiple factors – so in this sense the tools available to merchants can in some circumstances offer greater security than strong customer authentication.

Many retailers, merchants, banks and businesses already use a form of “risk based authentication” which includes checks that respect a customer’s data privacy, such as:

• Is this shopper’s regular device?
• Is the IP address recognised?
• Are they using the same browser?
• What’s their location?
• Does this consumer often buy online?
• Do they typically make this type of purchase?
• Does the consumer usually transact in this currency?

In many cases this information is sufficient to authenticate a transaction; in some cases, however, further evidence is needed and so strong customer authentication is called for. For many retailers this system provides the ideal balance between security and user convenience, ensuring the best consumer experience whilst the customer is always protected. On the other hand, the inflexible requirement of strong customer authentication in all circumstances could have the unintended consequence of stalling the €432bn business to consumer online shopping market across the EU and reducing the number of market players.

It is essential then that, where retailers and other businesses choose to do so, they are able to employ risk based authentication or employ their own retailer checks as an alternative to strong customer authentication.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

The BRC notes that proposed procedures for dynamic linking could encumber current tokenisation initiatives whilst the outcomes that the EBA hopes to secure through dynamic linking might in fact be secured through current initiatives for a Payment Account Reference (PAR).

The EBA should be cognisant of instances where new RTS will impose additional and unnecessary burdens on the end-users that the RTS are being designed to protect. To this effect, the EBA should clearly define how the RTS will sit alongside the international card scheme rules for customer authentication: for example, whether the card schemes will be mandated to change their rules and, if so, by when, and how the responsibility and cost for implementing new RTS will be prevented from being passed solely on to retailers through higher fees. Currently the BRC are strongly opposed to any requirement for dynamic linking if the burden for delivering this additional layer of payment information is placed on, or passed down to, retailers themselves. Retailers, like consumers, are end-users of the payments system and have invested heavily in payment infrastructure across their estates.

Any adaptation of the current mature payment infrastructure is time-consuming and frequently requires significant unbudgeted spending, especially if implementation lead times are less than 6 months, culminating in large costs to retailers. All changes need to be planned with appropriate lead times given to all parties affected by the new RTS; a minimum of 6 months is required.

It is critical that any initiatives advanced by the EBA are compatible with the existing EMV and planned PCI-DSS requirements that are already under development to ensure a coherent cost effective solution is implemented.

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?

Unfortunately, as it stands, the draft RTS impose a one-size-fits-all approach to managing risk and leave no role for merchants in assessing risk. The EBA proposal that only a card-issuing bank can make a risk decision is a mistake. The RTS should allow merchants to perform risk assessments if they can demonstrate they are doing so effectively. A competent merchant can be as well positioned to control risk as a card issuer, because they have access to large amounts of equally predictive customer data. Preventing merchants from using their capabilities would mean removing flexible and simple payment capabilities that European consumers currently enjoy. Furthermore, fraudsters increasingly attempt to trick consumers into authenticating payments, yet it is far more difficult for a fraudster to fool a behavioural model with authentication used appropriately based on multiple factors – so in this sense the tools available to merchants can in some circumstances offer greater security than strong customer authentication.

Many merchants, banks and businesses already use a form of “risk based authentication” which includes checks that respect a customer’s data privacy, such as:

• Is this shopper’s regular device?
• Is the IP address recognised?
• Are they using the same browser?
• What’s their location?
• Does this consumer often buy online?
• Do they typically make this type of purchase?
• Does the consumer usually transact in this currency?

In many cases this information is sufficient to authenticate a transaction; in some cases, however, further evidence is needed and so strong customer authentication is called for. For many retailers this system provides the ideal balance between security and user convenience, ensuring the best consumer experience whilst the customer is always protected. On the other hand, the inflexible requirement of strong customer authentication in all circumstances could have the unintended consequence of stalling the €432bn business to consumer online shopping market across the EU and reducing the number of market players.

It is essential then that, where retailers and other businesses choose to do so, they are able to employ risk based authentication and employ their own merchant checks as an alternative to strong customer authentication.
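The step-up logic behind the risk-based authentication described in the answers to Questions 1 and 3, as an added worked example; this is illustrative code, not something from the BRC response or from any retailer's system. It scores a remote transaction against the cardholder's behaviour using the seven checks listed above (device, IP address, browser, location, purchase frequency, purchase type, currency) and only calls for strong customer authentication when the signals diverge enough. The profile data, weights, threshold and transaction records are constructed assumptions; the IP addresses are from the RFC 5737 documentation ranges.

```python
"""Risk-based authentication (RBA) step-up decision for a card-not-present sale.

Added example, not from the response. Weights, threshold and sample data are
illustrative assumptions; a real deployment would tune them against fraud data.
"""
from dataclasses import dataclass


@dataclass
class CustomerProfile:
    """What the retailer has learned about a returning customer (constructed)."""
    known_devices: set[str]
    known_ips: set[str]
    known_browsers: set[str]
    usual_countries: set[str]
    usual_currencies: set[str]
    usual_categories: set[str]
    purchases_last_90d: int


@dataclass
class Transaction:
    device_id: str
    ip: str
    browser: str
    country: str
    currency: str
    category: str
    amount: float


# Weight per failed check (assumption). A new device or a new country is
# treated as far more significant than a changed browser or IP address.
WEIGHTS = {
    "device": 3,
    "ip": 1,
    "browser": 1,
    "location": 3,
    "frequency": 1,
    "category": 1,
    "currency": 2,
}
STEP_UP_THRESHOLD = 4      # at or above this score, SCA is called for
INFREQUENT_BUYER_MAX = 2   # "does this consumer often buy online?" cut-off


def risk_signals(tx: Transaction, profile: CustomerProfile) -> list[str]:
    """Return the checks from the response that this transaction fails, in order."""
    failed = []
    if tx.device_id not in profile.known_devices:
        failed.append("device")        # Is this the shopper's regular device?
    if tx.ip not in profile.known_ips:
        failed.append("ip")            # Is the IP address recognised?
    if tx.browser not in profile.known_browsers:
        failed.append("browser")       # Are they using the same browser?
    if tx.country not in profile.usual_countries:
        failed.append("location")      # What's their location?
    if profile.purchases_last_90d <= INFREQUENT_BUYER_MAX:
        failed.append("frequency")     # Does this consumer often buy online?
    if tx.category not in profile.usual_categories:
        failed.append("category")      # Do they typically make this type of purchase?
    if tx.currency not in profile.usual_currencies:
        failed.append("currency")      # Do they usually transact in this currency?
    return failed


def risk_score(tx: Transaction, profile: CustomerProfile) -> int:
    return sum(WEIGHTS[signal] for signal in risk_signals(tx, profile))


def decide(tx: Transaction, profile: CustomerProfile) -> str:
    """'frictionless' when behaviour matches the profile, otherwise 'step_up' to SCA."""
    return "step_up" if risk_score(tx, profile) >= STEP_UP_THRESHOLD else "frictionless"


# Constructed sample data for a returning clothing/footwear customer in the UK.
PROFILE = CustomerProfile(
    known_devices={"dev-7f3a"},
    known_ips={"203.0.113.10", "203.0.113.11"},
    known_browsers={"Firefox/115"},
    usual_countries={"GB"},
    usual_currencies={"GBP"},
    usual_categories={"clothing", "footwear"},
    purchases_last_90d=6,
)
NEW_CUSTOMER = CustomerProfile(set(), set(), set(), set(), set(), set(), 0)

REGULAR_TX = Transaction("dev-7f3a", "203.0.113.10", "Firefox/115", "GB", "GBP", "clothing", 45.0)
# Same device, but a new IP and browser (e.g. a home-network change): minor drift only.
DRIFT_TX = Transaction("dev-7f3a", "198.51.100.5", "Chrome/120", "GB", "GBP", "footwear", 30.0)
# Unknown device, unknown network, foreign country and currency, unusual goods.
SUSPECT_TX = Transaction("dev-0c9e", "198.51.100.77", "Firefox/115", "RO", "EUR", "electronics", 45.0)

if __name__ == "__main__":
    for name, tx in (("regular", REGULAR_TX), ("drift", DRIFT_TX), ("suspect", SUSPECT_TX)):
        print(f"{name:8s} score={risk_score(tx, PROFILE):2d} -> {decide(tx, PROFILE)}")
    print(f"new customer, regular-looking tx -> {decide(REGULAR_TX, NEW_CUSTOMER)}")
```

The point the response makes is visible in the last case: a customer with no history fails every check and is stepped up, while an established customer whose only change is a new IP address and browser is not interrupted. Which signals are weighted how heavily is the retailer's risk decision, which is exactly the role the response argues merchants should be allowed to keep.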

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

The BRC does not agree that the RTS should be applied to proximity payments. Proximity payments, such as contactless and EMV Chip & PIN payments, are relatively secure forms of payment and were not the focus of PSD2 provisions with regards to strong customer authentication. If the EBA were to adopt this view, then the exemptions for contactless transactions would become unnecessary.

Nevertheless, the BRC assumes that EMV Chip & PIN transactions utilise, for the purposes of the RTS, strong customer authentication on the basis that such payments require the possession of a bank card and the knowledge of a code linked to that payment method (the PIN). The BRC further assumes that payments made using a device upon which a card is enabled (for example a mobile phone via ApplePay, AndroidPay or SamsungPay) meet the strong customer authentication criteria on the basis that such payments require the possession of the bank card enabled device and the knowledge of a code linked to that payment method (to unlock the device or access the payment application). As these payment methods are already in common usage and the incidence of fraud through them is low, it would not be in the interest of any stakeholder for new RTS to disrupt these proven payment methods. Indeed, if the RTS were to apply to such proximity payment methods then the EBA ought to design the RTS around these existing and well-functioning payment methods rather than cause significant cost and disruption to the retail and payments industries.

The BRC believe that new RTS should be applied exclusively to payments made online and, given the much higher incidences of fraud through remote payment channels, that this is indeed the intended focus of PSD2 provisions with regards to strong customer authentication. Within this context, the BRC welcomes the EBA proposals for a one-time only authentication code. This could be a positive development that strips the value from transaction data, which is often targeted by fraudsters, and in turn could help to make retailers and other businesses a less appealing target for fraud and cyber-attacks. The BRC notes that steps to deliver such an outcome have already started to be implemented by card payment schemes through tokenisation initiatives.

Specifically, Article 8 of the draft RTS establishes hard limits for transactions with low-value thresholds, above which strong customer authentication has to be conducted for every transaction. This method indicates that the EBA have fallen into the trap of interpreting low value and low risk as the same thing, whilst Chapter 2 Article 8 d) requires a consumer to enter additional details for every transaction over a very small-value threshold, even for repeat customers making repeat purchases. This is inconvenient for consumers, damaging for e-commerce and unnecessary for retailers that already employ alternative authentication methods. Also, the values cited for contactless payments in Chapter 2 Article 8 1 b) (50 EUR and accumulated sales of 150 EUR) sit above current contactless spending limits in the UK; however, these low values provide little flexibility for the future. Key for retailers will be that all transactions below the proposed value limits at which strong customer authentication applies are treated, without exception, as guaranteed payments.

The BRC believes the timing cited in Chapter 2 Article 1a) should be extended from 1 month to at least 6 weeks so as not to inconvenience consumers that may make repeat business transactions on a roughly monthly basis.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

The concern of the BRC is not that PSPs are prevented from implementing SCA on transactions but rather that SCA is mandated on all transactions without regard for proportionality of the risk of fraud and to the exclusion of well-operating alternative forms of authentication such as risk based authentication or employment of merchant checks, as set out above.

For an individual retailer, the impact of the proposal as written, requiring strong authentication on transactions above a specific transaction value in combination with an accumulated transaction value, is unworkable within their systems. In effect it will mean that for an individual retailer all transactions above the individual transaction limit will require strong authentication, as the retailer currently has no visibility of, or access to, the cardholder's accumulated transaction data.
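The visibility problem raised in the answers to Questions 4 and 5, as an added worked example (illustrative code, not from the BRC response or the draft RTS): a low-value exemption that depends on both a per-transaction limit and an accumulated limit since the last strong customer authentication is evaluated twice, once over the card's full history as only the issuer sees it, and once over the subset a single retailer can see. The 50 EUR and 150 EUR figures are the contactless values the response cites and are treated as parameters; the card history is constructed.

```python
"""Cumulative low-value exemption, seen by the issuer versus a single retailer.

Added example, not from the response. Thresholds are the contactless figures the
response quotes (50 EUR per transaction, 150 EUR accumulated) and are parameters;
the transaction history is constructed.
"""
from dataclasses import dataclass

PER_TX_LIMIT = 50.0          # per-transaction ceiling for the exemption (assumed parameter)
CUMULATIVE_LIMIT = 150.0     # ceiling on spend since the last SCA (assumed parameter)


@dataclass
class CardTx:
    merchant: str
    amount: float
    sca_performed: bool  # True when SCA was applied on this transaction, resetting the count


def spent_since_last_sca(history: list[CardTx]) -> float:
    """Sum of amounts after the most recent SCA-authenticated transaction."""
    total = 0.0
    for tx in history:
        if tx.sca_performed:
            total = 0.0           # the counter restarts after an authenticated transaction
        else:
            total += tx.amount
    return total


def exemption_applies(history: list[CardTx], amount: float,
                      per_tx_limit: float = PER_TX_LIMIT,
                      cumulative_limit: float = CUMULATIVE_LIMIT) -> bool:
    """Exempt only if the transaction is within the per-transaction limit AND,
    added to everything spent since the last SCA, within the cumulative limit."""
    if amount > per_tx_limit:
        return False
    return spent_since_last_sca(history) + amount <= cumulative_limit


def merchant_view(history: list[CardTx], merchant: str) -> list[CardTx]:
    """What one retailer can see: only the card's transactions at that retailer."""
    return [tx for tx in history if tx.merchant == merchant]


# Constructed history: SCA at the first purchase, then low-value contactless
# purchases at three different retailers, none of them authenticated.
ISSUER_HISTORY = [
    CardTx("grocer", 60.0, sca_performed=True),
    CardTx("grocer", 40.0, sca_performed=False),
    CardTx("cafe", 45.0, sca_performed=False),
    CardTx("bookshop", 48.0, sca_performed=False),
]
NEXT_AMOUNT = 30.0  # a further contactless purchase at the grocer


def compare_views(merchant: str, amount: float) -> dict[str, bool]:
    """Exemption decision from the issuer's full view and from one retailer's partial view."""
    return {
        "issuer": exemption_applies(ISSUER_HISTORY, amount),
        merchant: exemption_applies(merchant_view(ISSUER_HISTORY, merchant), amount),
    }


if __name__ == "__main__":
    print(f"spent since last SCA (issuer view): {spent_since_last_sca(ISSUER_HISTORY):.2f} EUR")
    print(f"spent since last SCA (grocer view): "
          f"{spent_since_last_sca(merchant_view(ISSUER_HISTORY, 'grocer')):.2f} EUR")
    print(compare_views("grocer", NEXT_AMOUNT))
```

With the constructed history the issuer has seen 133 EUR of unauthenticated spend, so a further 30 EUR purchase breaches the 150 EUR accumulated limit and is not exempt; the grocer, seeing only its own 40 EUR, would conclude the exemption still applies. The accumulated limit can therefore only be applied by the party holding the whole card history, which is the point the response makes about retailers having no access to accumulated transaction data.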

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?

The BRC broadly agree with the provisions proposed in Chapter 3 however it is important that the RTS advanced by the EBA are compatible with the PCI-DSS requirements that are already under development, to ensure a coherent solution.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

The BRC broadly agree with the provisions proposed in Chapter 4 however it is important that the RTS advanced by the EBA are compatible with the PCI-DSS requirements that are already under development, to ensure a coherent solution.

Within Article 17 it would be very useful to have a clear definition of ‘Payment Service Providers’, given that within this space the number, type and choice of providers is expanding daily. For example, given that mobile phone manufacturers and their software suppliers are leading some of the market developments, it is important to ensure that they are included within the scope of the proposed RTS.

The BRC would like further clarity regarding traceability under Article 18, specifically the period for which it is anticipated that logs will be retained.

The BRC would strongly suggest that the period of 3 months cited under Article 19, 5 be extended to at least 6 months ahead of the implementation of the change to accommodate the needs of merchants.

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

The BRC is agnostic as to the common standards and technical developments that will be used in future payment systems, insofar as they are transparent, accessible and enhance the payments system whilst mitigating fraud. However, the impact of moving away from existing UK payment handling standards should not be underestimated: given the level of technology and systems implemented within UK retailers, the time required for existing payment acceptors to implement new standards will be circa 3 years, at a significant cost of many billions of pounds for UK retail alone.

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services?

Within Article 20, the implementation of paragraph 3a appears to be onerous and may limit competition within individual markets and across the EU if the application for, as well as the issuing of, certificates becomes a burdensome process. The BRC questions the level of additional information requested and whether it will add any value to providing and/or achieving strong customer authentication.

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieve an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.

Not applicable.

Please select which category best describes you and/or your organisation

Retailer

Please select which category best describes the services provided by you/your organisation

Other

If you selected "Other", please provide details

We are a trade association representing British retailers

Name of organisation

British Retail Consortium