Home EU Implementing Minimum Authentication Standards for PSPs

EU Implementing Minimum Authentication Standards for PSPs

The European Central Bank has drafted a set of recommendations to increase the security of online transactions in the European Union. The expectation is to implement these recommendations as minimum standards for online payment security which internet payment service providers in the EU must meet by mid-2014.

The European Central Bank’s primary goal with this initiative is to establish a harmonized minimum level of security that stretches across the entire EU. The recommendations focus on “the whole processing chain of electronic retail payment services (excluding cheques and cash), irrespective of the payment channel,” as stated in the Recommendations for the Security of Internet Payments document published by the ECB. The recommendations and standards apply to all payment service providers offering internet payment services, this includes internet card payments (including virtual cards and card data registered in e-wallets), online credit transfers and ACH/direct debit internet payments.

The EU’s Central Bank makes 14 recommendations, categorized as either key considerations or best practices, and these recommendations are to be implemented by July 1, 2014. These recommendations are based on four guiding principles: First, PSPs should perform assessments of the risks associated with providing payment services over the internet and this should be regularly updated as the internet and security threats continue to evolve.

The second principle is centered on strong customer authentication. The recommendations define three elements related to authentication: knowledge, ownership and inherence. Knowledge refers to something only the user knows (such as a password), ownership refers to something only the user possesses (such as their mobile phone) and inherence refers to something the user is (such as a biometric reading). It is recommended that at least two of these elements are used for strong authentication, although PSPs will be able to use less stringent authentication techniques for outgoing payments to trusted parties or white listed accounts.

The third principle is that PSPs should have effective processes for authorizing transactions and for monitoring transactions to identify abnormal patterns and fraud. The fourth principle is that PSPs should engage in customer education and awareness programs.

For more information:

European Central Bank: Recommendations for the Security of Internet Payments

2 Responses

  1. […] Read More Share this:EmailFacebook This entry was posted in Fraud Prevention and tagged authentication, PSP, regulations by fraudpractice. Bookmark the permalink. […]

  2. Yianni

    By way of update on the ECB’s strong customer authentication mandate;

    The ECB Final publication 31/1/13 is here > http://www.ecb.europa.eu/press/pr/date/2013/html/pr130131_1.en.html

    Guidelines and Public Consultation Outcomes on the right hand side.

    The Draft Payment Services Directive 2 (PSD2) is here> : http://ec.europa.eu/internal_market/payments/docs/framework/130724_proposal-revised-psd2_en.pdf

    See Proposed PSD2 Art.65 & Art.66 re liability shift.
    Payment gateways and Acquirers will liable for fraud on their networks if they don’t implement strong customer authentication.

    Proposed PSD2 Art. 85 to 87 calls for the mandatory implementation of the ECB’s Guidelines across all remote payments, including eWallets, eMandates and credit card not present payments. The ECB definition of a PSP now includes Payment Gateways and Payment Integrators, for the purpose of determining liability (see ECB ‘Scope’).

    Strong Customer Authentication will be applicable to all transactions acquired in the SEPA, across all 28 ECB recognised card schemes, from 01/02/2015.

    Older implementations of 3D Secure, that utilise a static password, do not comply with the ECB requirement that “At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the Internet”

    This will require upgrades to 3D Secure systems, on a card scheme by card scheme basis.

    Some competition has emerged >

    iSignthis claims to authenticate transactions across all 28 ECB recognised card schemes, with only acquiring side involvement necessary.

    See > http://www.isignthis.com and also http://www.merchantprotect.com.au

    In the meantime, India has also mandated authentication > http://rbi.org.in/scripts/NotificationUser.aspx?Id=7874&Mode=0

    ……and of course China Union Pay, which doesn’t use 3D Secure, is getting a larger share of the global merchant market.

You must be logged in to post a comment.

© The Fraud Practice LLC 2012