SecuRe Pay Forum. Recommendations for the security of internet payments. Comments of the German Banking Industry Committee (GBIC)


General Comments

The aim to achieve finality and non-repudiation of remote payments is generally supported. However, the Forum should take into consideration that PSPs, with their service offering for remote payments, compete with other providers which seem to be exempted from the proposed recommendations. Such exemptions not only create disparities in competition, but could also cause a heterogeneous customer experience when carrying out remote transactions. From a competition point of view alone, it is necessary that all kinds of remote payments, regardless of whether they have been initiated via cards, CT, SD, via a transfer of money between e-money accounts, via a credit transfer where a third party accesses the customer's account, or via corporate cards or even anonymous cards, are subject to the same recommendations without any exemption.

Some clarification would be appreciated concerning the scope, as it is not clear whether online banking offering SCT and SDD is affected. Online banking is not a scheme but an individual service offered by banks to their customers only. In addition, it is up to each individual bank to decide whether or not to offer online banking services. Remote payments are offered by schemes which compete with each other. Therefore, the proposed recommendations should rather address such schemes than individual PSPs, who are in any case obliged to follow the rules of the schemes in which they participate. Finally, it is up to the various remote payment schemes to incorporate the proposed recommendations in their scheme rules and to require implementation by their participants.

The implementation of strong customer authentication is indeed an appropriate means to achieve non-repudiation of transactions. However, the proposed recommendations should not only clarify that the implementation of authentication means other than strong customer authentication will not lead to proof that the customer has authorised the transaction, but should also clarify that, in the case of strong customer authentication, clear proof of authorisation by the customer is given.

If strong customer authentication is implemented, which delivers finality and non-repudiation of transactions, the level of monitoring should be proportionate to the level of security required and to the strength of the customer authentication method used. If a transaction is clearly attributable to the customer and to the merchant, any fraudulent transaction can have occurred only due to gross negligence on the part of the customer or the merchant. PSPs should not be required to implement additional systems to detect and prevent potentially grossly negligent behaviour of their customers. This would go beyond what PSPs could provide, and it could even dilute the responsibilities between customer and PSP in terms of reasonable care. Whether PSPs offer their customers additional means of steering their risk individually with remote payments should be left to the individual product policy of the PSPs.

Recommendation 1 Governance

Recommendation 2 Risk identification and assessment

Recommendation 3 Monitoring and reporting

Recommendation 4 Risk control and mitigation

KC 4.2 seems to go too far into technical details, because such details could hamper quick responses to new security threats. It is expected that the recommendations be restricted to technology-independent security aims rather than specific technical implementations. In addition, it should be taken into account that strong customer authentication provides a very good means to mitigate many of the risks addressed in KC 4.2, so that some of the additional security measures may prove not to be necessary. In line with Recommendation 2, it should be left to the individual risk assessment at scheme level to define the detailed security measures to be applied to achieve the ultimate aim of finality and non-repudiation.

Recommendation 5 Traceability

Recommendation 6 Initial customer identification, information

KC 6.1 It must be ensured that the identification procedures are applied to all providers of internet payments, not only PSPs.

KC 6.2 There are too many detailed requirements; PSD Article 42 seems to be sufficient.

KC 6.3 It should be clarified that there is no general requirement for PSPs to control the spending behaviour of customers. Whether PSPs offer their customers additional means of steering their risk individually with remote payments should be left to the individual product policy of the PSPs. Furthermore, it should be taken into account that the requirements of the PSD have already led to a huge increase in the information provided by PSPs to customers, which has caused not only considerable costs but also complaints from customers. The implementation of specific information duties for PSPs with regard to remote payments could increase the amount of information to be given to the customer, and it could even be detrimental to the widespread acceptance of such remote payment systems.

Recommendation 7 Strong customer authentication

Recommendation 7 goes too far into technical details, because such details could hamper quick responses to new security threats. The recommendations should be restricted to technology-independent security aims rather than specific technical implementations. In addition, it should be taken into account that strong customer authentication could already mitigate many of the risks addressed in Recommendation 7, so that some of the additional security measures may prove not to be necessary. In line with Recommendation 2, it should be left to the individual risk assessment at scheme level to define the detailed security measures to be applied to achieve the ultimate aim of finality and non-repudiation. Accordingly, the liability shift as proposed in KC 7.6 might also be dispensable and should in any case not be required as a general rule.

Furthermore, it should be taken into account that 3D-Secure is not an example of a strong authentication method but just a protocol which could enable strong authentication. In addition, CVx2 is not comparable to a strong authentication mechanism, as breaches are possible and known. Accordingly, it is proposed to delete any reference to a specific implementation (i.e. 3D-Secure and CVx2) and to refer only to the security aims to be achieved.

KC 7.1 The requirements regarding e-mandates should be reconsidered, as e-mandates are used only for information and do not initiate final payments.

KC 7.2 It should be clarified that access to account balance information, balance history etc. (e.g. logging in to online banking) is out of scope.

Recommendation 8 Enrolment for and provision of strong authentication tools

Recommendation 8, although agreeable in terms of its aims, also seems to go too far into technical details. It is expected that the recommendations be restricted to technology-independent security aims rather than specific technical implementations. With regard to card payments, it should be taken into account that PSPs may already have well-accepted procedures in place for providing customers with security credentials like cards and PINs which may not necessarily comply with the detailed provisions of Recommendation 8, but which have proven to be very effective.

Recommendation 9 Log-in attempts, session time-out, validity of authentication

Recommendation 9 goes too far into technical detail. The Recommendation should be limited to security aims, which have to be considered in the security policy of any scheme providing remote payments and for which appropriate measures have to be defined.

Recommendation 10 Transaction monitoring and authorisation

The level of monitoring should be proportionate to the level of security required and to the strength of the customer authentication method used. For example, real-time fraud detection and prevention systems are only indispensable in the case of real-time authorisation, guarantee or settlement. It should also be clear that, whilst the role of the issuer is key in detecting fraudulent activity, acquirers can also help their customer base in reducing potential fraud.

It should be clarified that there is no requirement for PSPs to control the spending behaviour of customers. Whether PSPs offer their customers additional means of steering their risk with remote payments should be left to the individual product policy of the PSPs.

Recommendation 11 Protection of sensitive payment data

According to Recommendation 2, any scheme should be required to assess the risks associated with its remote payment scheme. This risk assessment should identify the risks and threats to the scheme, and it should identify which data have to be considered sensitive, together with the measures to protect these data. As such, Recommendation 11 is regarded as dispensable, and it should not require the implementation of specific technical solutions regardless of the individual security assessment for the scheme affected.

Recommendation 12 Customer education and communication

Customer information already takes place today to a large extent, and there is no need to require further customer information with regard to remote payments. It should be taken into account that the implementation of the PSD has already led to a huge increase in information to customers, which has caused not only considerable costs but also complaints from customers. The implementation of specific information duties for PSPs with regard to remote payments could increase the amount of information to be given to the customer, and it could even be detrimental to the widespread acceptance of such remote payment systems. In general: information should be provided only if the measures used for remote payment need to be explicitly explained.

Recommendation 13 Notifications, setting of limits

As explained above, the implementation of additional means for customers to control their spending behaviour should be left to the product policy of individual banks. The implementation of such measures is considered to go beyond the security of payments, with the potential to create an additional feeling of safety from the customer's point of view.

Recommendation 14 Verification of payment execution by the customer

No comment

Comment to Annex

All of the recommendations seem already to be covered by the existing PSD and its implementation into national law. There is no need to change the PSD in this respect, especially with regard to the information to be delivered to customers or to liability.