conejota - Fotolia

European regulation shakes up online payments security

Payment service providers and merchants should lose no time in assessing the affect of proposed European security regulations

The European Commission (EC) is bringing in regulations to improve the security of online e-commerce payments that will have significant implications for the way individuals and companies do business online. 

Whilst the regulations are not only about security – they also seek to bring more payment services under regulation and to help open the market up to new entrants – this piece will focus on some of the security matters.

Data breaches
are rarely out of the news and many people are concerned about how secure it is to do business online. According to the latest data, European card fraud losses hit €1.55bn in 2013. 

The majority of this was card-not-present fraud, which has been increasing year-on-year. Payment service provider WorldPay reported more than 133,000 fraudulent transactions in March 2015 alone for the UK, equating to stolen card details being used every 20 seconds.

To address this problem, European authorities brought together supervisors of payment service providers (PSPs) and overseers of payment systems in the European Union (EU) in 2011, forming the European Forum on the Security of Retail Payments (SecuRe Pay). The European Central Bank published SecuRe Pay’s Recommendations for the security of internet payments in January 2013.

Subsequently, the European Banking Authority (EBA), an independent EU authority working to ensure effective and consistent prudential regulation and supervision across the European banking sector, published guidelines on the security of internet payments in December 2014. 

These guidelines are intended to provide a legal basis for the consistent implementation of the requirements across the 28 EU member states.

Guidelines against online fraud

The EBA also published an Assessment guide for the security of internet payments, which is intended for bodies that have supervisory and oversight responsibility and assess compliance with the internet recommendations in the member states. In the UK, this is the Financial Conduct Authority (FCA).  

“We are fully supportive of the objectives behind the guidelines and agree with the importance of consumers being protected against fraud when making payments online,” said the FCA on its website. 

“Ensuring the security of payments and the protection of sensitive customer data is a critical part of the infrastructure of robust payment systems,” it added.

What are the security requirements?

The security recommendations are primarily aimed at payment service providers and include matters such as:

  1. Segregation of duties in information technology.
  2. Hardening servers with secure configurations.
  3. Applying “least privilege” principles to access control.
  4. Limiting login attempts.
  5. End-to-end encryption.
  6. Logging.
  7. Change management.

One of the key recommendations is that PSPs should implement “strong authentication” for customers when registering cards, making credit transfers and making card payments. 

Strong authentication means “two-factor authentication”, a combination of something the user knows, such as a PIN or password; something they have, such as a token, smartcard or mobile phone; or something the user “is”, such as a biometric. The two elements must be independent, so a compromise of one does not compromise the other.

An interesting additional recommendation is that authentication “could include elements linking the authentication to a specific amount and payee”. This aims to increase confidence in the transaction, but might present some technological challenges.  

A second significant recommendation is that acquiring PSPs should require their merchants to make a clear distinction between the online shop and the payment process, allowing customers to know when they are communicating with the merchant and when they are communicating with the PSP. 

Payment processes  

Practice currently varies, with many PSPs offering a number of different options for merchants to pass transactions from the merchant website to the PSP. Some merchants prefer to use a process where the merchant’s web server causes the customer’s web browser to run code that sends the card payment details directly to the PSP without touching the merchant’s website.

This is often done so the customer does not know the payment is going to the PSP, therefore presenting a more “seamless” experience. Other merchants clearly redirect the customer from their site to the PSP’s site before the customer enters any card data. Presenting an iframe from the PSP on the merchant’s website is an intermediate approach.

There is already some regulatory advantage to using an iframe or redirect, as these approaches allow a merchant to qualify for reduced compliance requirements under the Payment Card Industry Data Security Standard (PCI DSS), compared with the approach of sending code to the customer’s web browser or handling the payment entirely themselves.  

The EBA guidelines, however, specifically call out the use of an iframe from the PSP presented on the merchant’s website. As a result, it looks as though the full redirect from the merchant’s website to the PSP’s web page will have to be the preferred approach in the future. This will require changes to the e-commerce processes for many merchants.  

It may also have a major impact on entrants to the PSP market, whose business model is based on providing code to merchants to run on the merchant’s web server, passing the payment transaction to the PSP.

Payment service directive

The EBA is seeking to implement the security regulations in the legal framework put in place by the EC’s payment service directive (PSD)

The PSD is currently being updated, with the revision – PSD2 – bringing another significant change. PSD2 extends the regulations to include third parties or payment initiation service providers (PISPs). 

This refers to when the merchant presents customers with the option of making a payment via a third party, with whom the customer has an existing account and who – in turn – recovers the funds from the customer’s credit card or bank account. PSD2 brings these providers into the same regulatory framework and will require the same security controls.  

PSD2 further requires close integration between such suppliers and payment service providers, especially around customer authentication. Article 87 states: “The account servicing payment service provider shall allow the third-party payment service provider to rely on the authentication methods of the former when acting on behalf of the payment service user.” 

The combination of strong authentication for making payments and sharing authentication processes between banks, PSPs and third-party PISPs will present business, legal and technical challenges.

What next?

The proposed timetable for implementation is not fixed due to the complexity of the European regulation process and the need to adopt the regulations at national level. However, the EBA has given an implementation date of August 2015 for the security guidelines.  

It should be noted that the guidelines are closely associated with the PSD. The EBA guidelines come into force under the existing PSD, and the new PSD2 may add further security requirements that will be added into a revision of the guidelines.

PSD2 is still going through finalisation and will probably not become law until 2017. In the UK, the Financial Conduct Authority says it “will be incorporating the detail of the requirements of the guidelines into our supervisory framework in line with the revised PSD2 transposition timeline”.  

In the meantime, payment service providers and merchants that might be affected by these requirements should lose no time in assessing their impact on existing and planned business processes and remain engaged with industry bodies and security advisors.

Stephen Hancock is cyber security expert at 7Safe, PA Consulting Group’s technical security practice.

Read more on Regulatory compliance and standard requirements