ECPA RESPONSE TO THE EUROPEAN BANKING AUTHORITY DISCUSSION PAPER
ON STRONG CUSTOMER AUTHENTICATION AND SECURE COMMUNICATION
• The European Card Payments Association is pleased to help the EBA shape their Regulatory Technical Standards on strong customer authentication and secure communication. The card payments industry has always had these principles at its heart and has led the way in developing new, consumer-friendly but highly secure methods to keep pace with payments innovation (e.g. chip & PIN; 3-D Secure). As the payments industry diversifies, it is helpful to have an overarching view of maintaining and improving the security of payment services across the EU.
• Rather than responding to the specific questions in the consultation we have provided high level comments on the different areas covered where they relate specifically to card payments.
• Individual members of ECPA have submitted more detailed responses to the consultation and this response should be read in conjunction with these, as there is a very high degree of unanimity across the membership of ECPA on all of the relevant questions.
General comments on the discussion paper
• In our view, the EBA should be aiming to develop standards based on high level principles rather than a prescriptive approach. This is for the following reasons:
o As the Discussion Paper helpfully recognises, there are a number of competing demands in developing these standards, not least high security requirements versus facilitation of future innovative solutions. These competing demands are best met within principle-based standards that provide the flexibility for different providers and different payment technologies to apply an approach that is appropriate to the risk in their particular situation.
o Arguably the core competing demands are between high security requirements and customer convenience. If customers find security requirements too onerous, the experience from the card payment industry is that they will find other ways to work around the requirements, which opens the opportunity for fraud to occur.
o There are different levels of maturity and usage in payments markets around Europe. For example, the UK market is very advanced in electronic payments and there are already a number of strong customer authentication and secure communication developments in the market. The differing levels of maturity across markets are best met within principle-based standards.
o As card payments are global by nature, any standards applicable only to Europe may have limited impact, since card details can be used with non-European online merchants who have lesser obligations in terms of authentication. The Regulator should therefore insist, as far as cards are concerned, that authentication solutions would only depend on the Payment Service Provider (PSP) and not on the “acquisition domain”.
o In the interests of fighting against fraud, the Regulatory Technical Standards must distinguish between the security requirements applicable to face-to-face payments and those which are needed for remote (card not present) payments. The RTS must distinguish between the different payment instruments covered by the Payment Services Directive and, at a minimum, establish derogations from strong authentication for each one, according to identified levels of risk.
• In line with principle-based regulation, it would be helpful for the EBA to outline the outcomes that it expects to see as a result of the standards being implemented. For example, if the focus is to decrease fraudulent activity, the standards should state what the targeted reduction range is. Having an eye on clear outcomes will help drive the shape of the standards and ensure the right balance is struck between the competing demands above.
• It is inevitable that the standards will need to take into account where liabilities lie between different parties in the payment chain, especially as that chain becomes more complex. Liabilities currently lie mainly with the Account Servicing Payment Services Provider (ASPSP, e.g. the customer’s bank) and as such the ASPSP should have sufficient means to perform its own risk analysis of the transaction data that is provided to it (e.g. through a Payment Initiation Service). Moreover, ASPSPs should retain the ability to introduce new security mechanisms fairly rapidly that allow the industry to tackle emerging fraud trends.
Requirements on strong customer authentication
• Generally speaking, hardware elements provide a good solution in the context of strong customer authentication, in terms of proof-of-possession and independence. However, the direction of travel across financial services and other sectors is away from the use of multiple devices. Many customers increasingly expect to perform all aspects of authentication on a single device, such as a mobile phone or tablet. Accordingly, it would not be appropriate for the EBA RTS principles to require separate hardware tokens. Non-physical software/data tokens are more forward-looking options.
• The RTS should define the characteristics such possession elements must meet, including that:
o It must be unique to a customer
o It must be a sufficiently secure item made available by the service provider, or agreed with the user during a suitably robust enrolment process
o It should also include data whose lifecycle is managed by an ASPSP
o Its scope should be broad enough to include, for example, the geolocation of the device
• Behaviour-based characteristics are key in financial services. They can be used both for the physical behaviour of the customer (e.g. location, type of device) as well as spending patterns. They can be used before and after a transaction takes place and form a key part of tiered authentication. By being able to assess whether the customer is at home, on their home computer, making the same payment amount to the same payee as last month, ASPSPs are able to assess the risk and the level of authentication required. This allows a balance to be reached between security and the ease of the customer experience, which is key in supporting e-commerce. At present behaviour-based characteristics are part of a risk assessment, not an authentication factor. However, it is not unreasonable to expect that there could be further developments in this space.
• Behaviour-based characteristics need to be consistent over a period of time and resilient to changes in platform or application (e.g. my behaviour needs to be the same even though I am using a different mobile device). Behaviours that are truly inherent should be distinguished from preferences, which can change at any time.
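As an added illustration (not part of the ECPA response or any ASPSP's actual rules) of the tiered authentication described in the two points above, the following Python routine scores a transaction against a customer's behavioural history and maps the score to an authentication level. The signals, weights, thresholds and sample profile are all constructed assumptions.

```python
"""Risk-based tiered authentication driven by behaviour-based characteristics.
Added example; weights, tiers and the sample profile are assumptions."""
from dataclasses import dataclass, field


@dataclass
class CustomerProfile:
    home_country: str
    known_devices: set                      # device identifiers seen at enrolment
    payee_history: dict = field(default_factory=dict)  # payee -> past amounts


@dataclass
class Transaction:
    country: str
    device_id: str
    payee: str
    amount: float


def risk_score(profile, tx):
    """Return (score, reasons); a higher score means the transaction deviates
    more from the customer's established behaviour."""
    score, reasons = 0, []
    if tx.country != profile.home_country:          # not at home
        score += 40; reasons.append("outside home country")
    if tx.device_id not in profile.known_devices:   # not the usual device
        score += 30; reasons.append("unknown device")
    past = profile.payee_history.get(tx.payee)
    if past is None:                                # never paid this payee
        score += 25; reasons.append("new payee")
    elif tx.amount > 1.5 * max(past):               # far above usual amount
        score += 20; reasons.append("amount well above history for payee")
    return score, reasons


def required_authentication(score):
    """Map the risk score onto an authentication tier (assumed thresholds)."""
    if score < 20:
        return "frictionless"       # behaviour matches; no challenge needed
    if score < 50:
        return "single-factor"      # e.g. app confirmation or password
    return "strong-customer-auth"   # two independent elements required


def decide(profile, tx):
    score, reasons = risk_score(profile, tx)
    return required_authentication(score), score, reasons


# Constructed sample profile: UK customer, one enrolled device, one regular payee
PROFILE = CustomerProfile("GB", {"dev-123"}, {"electricity-co": [60.0, 62.5]})
```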