13 Dec 2013
THE NEW PAYMENT SERVICES DIRECTIVE SHOULD CONTRIBUTE TO RAMPING UP DIGITAL PAYMENTS WHILE ENSURING SECURITY OF USERS
EUROSMART POSITION PAPER ON THE 2nd PAYMENT SERVICES DIRECTIVE
Eurosmart welcomes the new Proposal for a Directive on payment services in the internal market, 2013/0264 (COD), or ‘PSD2’, as a major step towards secure mobile transactions across the European Union. Mobile and Internet payment services – proximity and remote – are widely expected to become an important channel for financial services. Already today, consumer behavior mandates multi-screen and multi-channel payment capabilities with a strong focus on the mobile channel.
Eurosmart recognizes the PSD2's emphasis on end-user protection based on strong user authentication as a critical success factor to enable innovation and competition while maintaining end-user protection. Similarly, the inclusion of Third Party Payments in the scope of the PSD2 helps to provide a level playing field for payment services, bearing in mind the security of the end users.
Eurosmart sees the new Payment Services Directive as an opportunity to ensure a high level of privacy and security for users. Eurosmart believes smart card technology is a key enabler for mobile and remote payment interoperability today and in the future, and expresses the following recommendations:
1) Overcome the lack of standardization across countries and across payment schemes
o Take into account existing standards: smart cards have a proven track record for interoperability and global acceptance, and due account should be taken of existing standards drawn up by organisations such as the CEN, the ETSI, GlobalPlatform or EMVCo
o Involve the whole EU payments industry in the drafting of security standards by the EBA, as the industry has in-depth expertise and knowledge of security requirements
o Ensure that the EBA submits draft technical standards to the European Commission within 12 months after the Directive is fully implemented, to prevent too much delay and market fragmentation
o Build on the work of the SecurePay Forum when drafting the requested technical guidelines
2) Ensure the end-to-end security for payment credentials
o Protect the payment transaction from end to end: from the client side to the back-end server of the PSP and ensure a level playing field between all players
o Make sure that the elements that are the basis for a strong customer authentication (knowledge, ownership, inherence) meet state-of-the-art security principles
o Make sure that a third party payment service provider that initiates a payment transaction on behalf of the payer shall support the same strong authentication level as offered by the account holding payment service provider. Make sure that the account servicing payment service provider shall allow the third party payment service provider to rely on the authentication methods of the former when acting on behalf of the payment service user under reasonable conditions.
3) Tackle fraud before it happens
o Take all necessary measures before the actual fraud happens: allowing reimbursement is positive, but a payment user has to detect that he has been subject to fraud and then needs to undergo a tedious claims process.
4) Introduce the definition of mobile payments