The current Payment Services Directive (PSD) adopted in 2007 created a regulatory framework for payment services in the EU which aimed to create a well-functioning, integrated and competitive single market, as well as providing the legal basis for the Single Euro Payments Area (SEPA).
The current regulations are no longer considered adequate; they have been applied inconsistently and EU policymakers believe they have not stimulated sufficient innovation and competition. At the same time, concerns have grown about the effectiveness of security measures associated with digital payments.
The updated Directive on Payment Services (or PSD2) is one of a series of legislative measures adopted by the European Union in response to rapid technological innovation and the desire to increase competition and integrate payment services across national borders.
PSD2 seeks not only to reflect technological change but to promote digital innovation (for example, by facilitating the market entry of new types of payment service providers). It also looks to provide greater transparency over charges, improve consumer protection and the security of payments.
The challenge of regulatory harmonisation
It is approaching a year since the European Banking Authority (EBA) announced that it was “getting ready to develop requirements that will harmonise regulatory and supervisory practices to ensure secure, easy and efficient payment services across the EU.”
The aim of regulatory harmonisation was noble, but in the interim a state of legislative fragmentation has evolved. Within months of the EBA’s May 2015 announcement, its key aim of a harmonised approach to the security of internet payments was under threat, as numerous financial authorities cited legal straitjackets as their reason for not committing to implementation of the guidelines.
With fragmentation comes frustration, as merchants and their customers are left in limbo while legislative inertia grips the payments industry. As usual, it is the consumer who suffers most: it is the consumer who will have to deal with differing authentication methods until a standardised approach is agreed. Merchants, for their part, will have to implement systems that are applicable in all jurisdictions, creating more headaches in the quest to enable secure, easy, and efficient payments.
The EBA guidelines mirror recommendations derived from the European Forum on the Security of Retail Payments (known as SecuRe Pay). The aim of this forum – set up in November 2012 – was to facilitate an understanding of issues related to the security of electronic retail payment services.
4 key issues in approaching PSD2
1. Minimum internet payments security
In January 2013, after two months of consultation between its members – namely the ECB and relevant authorities from the European Economic Area – the SecuRe Pay forum released its headline recommendations.
These recommendations were to be considered as “minimum internet payments security requirements” and they were as follows:
- Protect the initiation of internet payments, as well as access to sensitive payment data, by strong customer authentication.
- Limit the number of log-in or authentication attempts, define rules for internet payment services session “time out” and set time limits for the validity of authentication.
- Establish transaction monitoring mechanisms designed to prevent, detect, and block fraudulent payment transactions.
- Implement multiple layers of security defences in order to mitigate identified risks.
- Provide assistance and guidance to customers about best online security practices, set up alerts and provide tools to help customers monitor transactions.
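A concrete reading of the second recommendation (limit authentication attempts, time out sessions, and time-limit the validity of an authentication), as an added example that is not part of the original article or of the SecuRe Pay text. The thresholds, the sample code and the timestamps are assumptions chosen for the demonstration; the point it makes beyond the bullet is the ordering of the checks (lockout before comparison, expiry before comparison, constant-time comparison) and that a live session is not the same thing as a recent authentication.

```python
"""Added illustration of attempt limits, OTP expiry, session time-out and
time-limited authentication as a small server-side state machine.
Example code only, not SecuRe Pay or EBA material; every threshold below
is an assumption chosen for the demonstration."""
import hmac
from dataclasses import dataclass
from typing import Optional

MAX_FAILED_ATTEMPTS = 5      # assumed: lock after five wrong codes
OTP_VALIDITY_SECONDS = 120   # assumed: a delivered OTP is usable for 2 minutes
SESSION_IDLE_SECONDS = 300   # assumed: idle session times out after 5 minutes
AUTH_VALIDITY_SECONDS = 900  # assumed: payment initiation needs an authentication
                             #          no older than 15 minutes


@dataclass
class PaymentSession:
    otp: str                  # the code delivered to the customer (constructed)
    otp_issued_at: float
    failed_attempts: int = 0
    locked: bool = False
    authenticated_at: Optional[float] = None
    last_seen: Optional[float] = None

    def verify_otp(self, submitted: str, now: float) -> str:
        """Returns 'ok', 'wrong', 'expired' or 'locked'.
        The lockout check comes first so a locked session never reaches the
        comparison; expiry is checked next so a stale code cannot be replayed;
        the comparison itself is constant-time."""
        if self.locked:
            return "locked"
        if now - self.otp_issued_at > OTP_VALIDITY_SECONDS:
            return "expired"        # unusable even if the digits are right
        if hmac.compare_digest(submitted.encode(), self.otp.encode()):
            self.failed_attempts = 0
            self.authenticated_at = now
            self.last_seen = now
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked = True      # further attempts, right or wrong, are refused
            return "locked"
        return "wrong"

    def touch(self, now: float) -> bool:
        """Records activity; returns False if the session has already idled out,
        in which case the authentication is discarded as well."""
        if self.last_seen is None or now - self.last_seen > SESSION_IDLE_SECONDS:
            self.authenticated_at = None
            return False
        self.last_seen = now
        return True

    def may_initiate_payment(self, now: float) -> bool:
        """Initiating a payment needs a live session *and* a recent authentication."""
        if not self.touch(now):
            return False
        return (self.authenticated_at is not None
                and now - self.authenticated_at <= AUTH_VALIDITY_SECONDS)


def demo() -> dict:
    """Walks through the rules with constructed sessions; returns the outcomes."""
    results = {}
    s = PaymentSession(otp="483920", otp_issued_at=1000.0)
    results["wrong_x4"] = [s.verify_otp("000000", 1001.0 + i) for i in range(4)]
    results["fifth_wrong"] = s.verify_otp("000000", 1005.0)        # triggers lockout
    results["correct_after_lock"] = s.verify_otp("483920", 1006.0)  # still refused

    late = PaymentSession(otp="483920", otp_issued_at=1000.0)
    results["late_correct"] = late.verify_otp("483920", 1000.0 + OTP_VALIDITY_SECONDS + 1)

    good = PaymentSession(otp="483920", otp_issued_at=1000.0)
    results["login"] = good.verify_otp("483920", 1010.0)
    results["pay_soon"] = good.may_initiate_payment(1100.0)
    results["pay_after_idle"] = good.may_initiate_payment(1100.0 + SESSION_IDLE_SECONDS + 1)
    return results
```

Note that `may_initiate_payment` fails closed on an idle session even though the authentication itself is still inside its validity window; the two limits are independent controls and the stricter one wins.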
These SecuRe Pay recommendations morphed into the EBA’s guidelines on how to strengthen internet payment security. However, according to this EBA table (last updated in July 2015) the relevant UK, Estonian, and Slovakian authorities have all reported back to the EBA that they will not be implementing the guidelines.
The UK’s responsible authority, the Financial Conduct Authority (FCA), gave the following reasons for opting out of implementing the EBA’s guidelines on secure internet payments. The FCA stated that it does not “have the power without legislative change to make binding rules requiring all payment service providers (credit institutions, payment institutions and e-money institutions) to comply with the EBA Guidelines.” It was, however, prepared – prior to the confirmation of the final PSD2 measures – to issue “guidance to payment service providers, in the light of our statutory objectives and obligations and our public law duties.”
The FCA added that the spectre of PSD2 will require providers to “make significant changes to their systems and controls and significant additional changes are likely to be necessary following implementation of PSD2. We indicated to the UK market in March 2014 that we would be requiring compliance with the SecuRe Pay Recommendations in line with PSD2 transposition, and we remain of the view that it is reasonable, in all the circumstances, for FCA to incorporate the detail of the Guidelines (or equivalent guidelines issued under PSD2) into our supervisory framework in line with this timetable. Our intention is that this will be done in a way that is equally binding on all types of payment service provider.”
The FCA’s statement brings uncertainty to the payments industry, as the EBA needed everyone on board to copperfasten its aim of regulatory harmonisation.
That’s not all. Cyprus and Sweden, meanwhile, currently only partially comply with the EBA guidelines. In the case of the Swedish Financial Supervisory Authority (the Finansinspektionen), for example, the EBA table states that it reported that it will comply with all Guidelines except Guidelines 7.6 and 7.7 in respect of payment institutions.
Guidelines 7.6 and 7.7 of the SecuRe Pay recommendations are:
- All payment schemes should promote the implementation of strong customer authentication by introducing a liability regime for the participating PSPs in and across all European markets.
- For the card payment schemes accepted by the service, providers of wallet solutions should require strong authentication by the issuer when the legitimate holder first registers the card data.
The end result is that there is no uniform approach among European financial regulators to implement technical standards that are necessary to ensure that internet payments are secure, easy, and efficient.
2. Internet banking: made difficult
Pre-PSD2, stakeholders surveyed by London Economics and iff, in association with PaySys, bemoaned the fact that third-party providers were outside the scope of PSD. These stakeholders were in large part the traditional banking industry, which wanted more regulatory control over third-party providers’ consumer authentication, similar to the controls imposed on the banks themselves by their financial regulators. Step forward PSD2.
Within a decade, the original PSD, adopted in 2007, was in need of modernisation. PSD2 obliges internet payments businesses, such as PSPs, to implement two-factor authentication (2FA) and apply bank-level security, irrespective of whether the client has a balance on deposit with the payment service provider or not.
Under the PSD2 implementing guidance relating to security of internet payments that was issued by the EBA in May 2015, all payment institutions providing online payments are obliged to implement 2FA.
The rules on internet payment security make sense if living in a world where payment institutions can freely access bank accounts to make payments (access to accounts, or XS2A, is a key pillar of PSD2), but regulatory technical standards that would enable this access will now not be in place until 2019.
In the meantime, the rules make it more difficult for European consumers to use non-bank payment services online. The consumer needs to authorise a payment from their bank to the payment institution and then they need to authorise the payment from the payment institution to the payee (and 2FA applies to both steps).
Assessing the guidelines apart from the regulatory demands of individual EU Member States reveals another sore point: strong customer authentication, and specifically the one-time passwords (OTPs) that serve as the second factor in 2FA.
3. The quest for strong customer authentication
Let’s recall one of the SecuRe Pay forum’s main recommendations: ‘Protect the initiation of internet payments, as well as access to sensitive payment data, by strong customer authentication’.
Now, it is a given that all internet payments industry stakeholders favour “strong customer authentication”; the difficulty is that payment service providers (PSPs) are being asked to provide a service whose security they simply cannot guarantee.
From this perspective of creating and implementing secure internet payments standards, we note an interesting observation from the influential Fast IDentity Online (FIDO) Alliance. The FIDO Alliance counts payments industry heavyweights such as Alibaba, AmEx, Bank of America, Google, MasterCard, PayPal, and Visa among its members.
In December 2015, the EBA produced a discussion paper on future draft regulatory technical standards on strong customer authentication under PSD2. The EBA did so to the backdrop of fragmented acceptance of their guidelines as explained above. The discussion paper sought input from stakeholders and in their February 2016 response the FIDO Alliance revealed some interesting realities of consumer authentication.
In response to the discussion paper question: ‘what other risks with regard to the protection of users’ personalized security credentials do you identify?’ The FIDO Alliance submission states that “as the use of multi-factor authentication has spread, so have attacks on some of the most popular methods. Some types of one-time password (OTP) technologies, for example, have been shown to be vulnerable to malware, phishing attacks and man-in-the-middle attacks. Google (a FIDO Alliance member) discussed the extent of the problem last summer, noting that these days, a “phisher can pretty successfully phish for an OTP just about as easily as they can a password” (see video here).”
The FIDO Alliance’s response to the question perfectly illustrates the dilemma faced by the EBA when proposing technical standards aimed at improving the security of internet payments. Authentication measures change rapidly and the existing EBA guidelines will – more than likely – be defunct come 2018 when it is proposed that they become operational as the PSD2 measures are implemented across Europe. The standard-bearers of online authentication today (Google) have pointed out – via the FIDO Alliance submission – existing issues with 2FA and OTP, and the real and present phishing threat.
Google is already looking beyond OTP to increased use of OAuth 2.0, OpenID, U2F (Universal Second Factor: the public-key second-factor protocol developed by Google and Yubico and published through the FIDO Alliance) and Channel ID (a Google proposal submitted to the IETF as an Internet-Draft, which binds cookies to a per-device TLS key so that a cookie stolen from one device cannot be replayed from another). What U2F and Channel ID have in common is that the credential is tied to the origin or device it was issued for, which is precisely the property a relayed OTP lacks.
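To make the FIDO Alliance’s point concrete, here is an added example (not the article’s own material, nor FIDO, Google or U2F code) that relays both kinds of second factor through a man-in-the-middle phishing site. The origins, keys and timestamps are constructed. The authenticator’s U2F-style signature is stood in for by an HMAC under a key the bank learnt at registration, which keeps the demonstration in the Python standard library while preserving the property that matters: the browser, not the web page, supplies the origin that gets signed, so the bank’s verification under its own origin fails for anything signed while talking to the look-alike site. The OTP side is a real RFC 6238 TOTP computation.

```python
"""Added example: a relayed OTP verifies at the real site, a relayed
origin-bound (U2F-style) response does not. Illustrative code only; the
HMAC below stands in for U2F's per-origin ECDSA key pair, and all origins,
secrets and the challenge are constructed for the demonstration."""
import hashlib
import hmac
import os

BANK_ORIGIN = "https://bank.example"        # hypothetical relying party
PHISH_ORIGIN = "https://bank-example.com"   # hypothetical look-alike site


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the time counter, dynamic truncation),
    as produced by most OTP apps."""
    counter = int(unix_time // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def bank_checks_otp(secret: bytes, submitted: str, unix_time: float) -> bool:
    """The bank has no way to tell who typed the code or where; it only
    compares digits."""
    return hmac.compare_digest(submitted, totp(secret, unix_time))


def authenticator_sign(key: bytes, browser_origin: str, challenge: bytes) -> bytes:
    """What the user's device signs. The browser inserts the origin it is
    actually connected to; a phishing page cannot substitute the bank's."""
    message = browser_origin.encode() + b"\x00" + challenge
    return hmac.new(key, message, hashlib.sha256).digest()


def bank_checks_response(key: bytes, challenge: bytes, response: bytes) -> bool:
    """The bank verifies against its *own* origin and the challenge it issued."""
    expected = authenticator_sign(key, BANK_ORIGIN, challenge)
    return hmac.compare_digest(expected, response)


def relay_attack(now: float = 1_700_000_000.0) -> dict:
    """A phishing site sits between victim and bank and forwards both factors."""
    otp_secret = b"12345678901234567890"        # constructed TOTP seed (RFC 6238 test seed)
    u2f_key = b"constructed-registration-key"   # constructed; stands in for the key pair

    # 1. OTP: the victim types the code into the phishing page, which forwards it
    #    unchanged to the bank within the same time step. It verifies.
    code_typed_by_victim = totp(otp_secret, now)
    otp_relay_succeeds = bank_checks_otp(otp_secret, code_typed_by_victim, now)

    # 2. Origin-bound: the phisher fetches a genuine challenge from the bank and
    #    forwards it to the victim's browser, which signs it with PHISH_ORIGIN.
    #    The bank expects BANK_ORIGIN, so the relayed response is rejected.
    challenge = os.urandom(32)
    response_from_victim = authenticator_sign(u2f_key, PHISH_ORIGIN, challenge)
    origin_bound_relay_succeeds = bank_checks_response(u2f_key, challenge, response_from_victim)

    # 3. Control: the same device talking directly to the bank is accepted.
    genuine = bank_checks_response(
        u2f_key, challenge, authenticator_sign(u2f_key, BANK_ORIGIN, challenge))

    return {"otp_relay_succeeds": otp_relay_succeeds,
            "origin_bound_relay_succeeds": origin_bound_relay_succeeds,
            "genuine_login_succeeds": genuine}
```

The TOTP check can be sanity-checked against the RFC 6238 test vector (seed `12345678901234567890`, time 59, SHA-1) which truncates to `287082` at six digits. The relay result does not depend on the phisher’s speed or on the size of the time step: however fast the relay, the OTP carries no information about where it was typed, whereas the origin-bound response carries the wrong origin in the signed message itself.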
Herein lies one of the problems for legislators, that of attempting to keep pace with a rapidly-evolving industry. Let’s remember that the original PSD was adopted in 2007 and within a decade is already in need of modernisation. Mobile commerce anyone? How long before we see PSD3?
To illustrate how quickly authentication measures change, read Eric Sachs’ publicly-accessible paper on strong consumer authentication. Sachs leads the identity team at Google and this five-year plan – with assorted 2014 updates – documents how authentication measures changed between 2008 and 2013. Crucially, it also looks ahead to the next five years. Sachs’ document predicts the use of OpenID with “identity providers”, where service providers communicate with the identity provider for authentication purposes. Sachs admits that migration to OpenID will be difficult. He also extols the use of OAuth within native apps where “applications that run outside a browser needed to stop asking users directly for passwords, and instead send the user through a one-time browser flow where identity providers and stronger authentication schemes could be used.” It all amounts to a fascinating look at the past, present, and future of strong consumer authentication.
4. Unintended distortion of the single market for payments
The piecemeal implementation of the EBA’s PSD2 guidelines is damaging for merchants as they scramble to implement the ‘best practice’ that suits their business needs. Their end customer, meanwhile, is met with a slew of confusing payment authentication measures.
The fragmentation of the proposed guidelines is making it harder for customers to use non-bank payment solutions. Moreover, the guidelines (remember they are not universally legally binding) are having the unintended effect of distorting the single market for payments. Regulators in some jurisdictions (such as the Central Bank of Ireland) are implementing the guidelines with immediate effect, while others (namely the UK’s FCA) have opted, for reasons mentioned earlier, to postpone implementation pending clarity on the full suite of the PSD2 measures.
In this regulatory stand-off, and in light of potential issues with certain login measures, it is merchants and their customers that will be left exposed to payment fraud and the unwelcome consequences that follow. This uncertainty will ensure that internet payments in Europe are neither secure, easy, nor efficient – not for a while yet…
Fexco Corporate Payments has been providing global payment solutions for over 25 years. As a regulated financial institution, Fexco uses robust client asset procedures to keep client funds protected. Fexco Corporate Payments now uses two-factor authentication in order to combat online fraud and to guarantee our clients the highest level of online security. If you need a payment solution for your business, register online today or contact us (Ireland: 1800 246 801 UK: 0800 840 2887) to discuss your payment needs.