21 October 2014

ECB seeks to improve online payments security

31 January 2013  |  9013 views  |  5 Security

The European Central Bank has outlined plans to improve the security of Internet payments, requiring firms to beef up their customer authentication processes.

Following a two-month public consultation, the central bank has set out its harmonised, minimum security recommendations, which it calls "an important set of guidelines in the fight against payment fraud".

The key plank of the plans requires payment service providers and the governance authorities of payment schemes to protect the initiation of online payments, as well as access to sensitive transaction data, through "strong customer authentication".

In addition, firms should limit the number of log-in or authentication attempts, define rules for Internet payment services session "time out" and set time limits for the validity of authentication.

Transaction monitoring mechanisms must be designed to prevent, detect and block fraudulent payment transactions, while multiple layers of security defences must be rolled out in order to mitigate identified risks.

Customers should also be given assistance and guidance about best online security practices and provided with tools to help them monitor transactions.

The recommendations will be integrated into existing oversight frameworks for payment schemes and supervisory frameworks for PSPs and will have to be implemented by 1 February 2015.


Comments: (5)

Riten Gohil - Sphonic - London | 31 January, 2013, 17:23

So this has finally come to its conclusion and one wonders how much consideration was given to the pressing demands of the emerging digital environment. Reading through some of the detail there appears some flexibility for PSPs but I think the science behind what is considered "Strong Authentication" will be hard to police. Best practice would be a risk-based authentication environment, with strong authentication initiated when a high-risk transaction is detected.

It requires local regulators to understand the commercial pressures of the burgeoning eCommerce world, without following a "tick box" approach for a world that is changing quicker than regulation allows.

Interesting times ahead, requires sensible thought.

A Finextra member | 01 February, 2013, 18:46

It might be a good idea to join this up with LEI and other projects to identify the corporate/consumer. There needs to be more consumer involvement and prevent or limit concerns around Big Brother.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 01 February, 2013, 18:52

Additional authentication inevitably increases friction in online payments and causes shopping cart abandonment, which results in loss of revenues. On the other hand, it is likely to reduce fraud loss. I hope the regulators leave it to e-tailers to evaluate which of these two factors proves to be of greater importance in their specific context and decide whether or not to implement tighter security.

A Finextra member | 01 February, 2013, 19:02

Hey, who would deal on a site without tight security? Security or not is not an option. Every site must be as secure as possible and there is no trade off. It's a great way to lose your business though.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 02 February, 2013, 20:20

Tell an online shopper that a certain website is insecure and, sure, she'll not go near it. On the other hand, tell her that the website has implemented the latest in security technologies and will shunt her between five different websites and lose her payment once in 12 times (Cf. Skating Away With Online Payments on my company blog). Think she'll praise all the security measures and keep trying till her payment goes through? Unlikely. As I'd highlighted in The Death Of Cash Is At Least 190 Years Away, she's more likely to pay with cash. So, there's a clear trade-off between security and convenience and, as the most interested party to the transaction, the merchant should be free to decide how to strike the trade-off.

Most ecommerce websites in the USA lack security by ROW standards in that they don't use 2FA and some of them don't even ask for CVV #s. Have they lost business? No, sir, USA remains the largest ecommerce market in the world. 
