Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11/14/2019
11:50 AM
Oliver Schonschek
Oliver Schonschek
Oliver Schonschek
50%
50%

Problems With EU Payment Security Persist

Proposed new security procedures within the EU have troubled some payment service providers, leading to the postponement of their implementation.

The revised EU Payment Services Directive (PSD2) aims to modernize Europe's payment services. It promotes more secure payments and better consumer protection. But the new security procedures troubled some payment service providers, so tighter payment security in the EU has been postponed.

Consumers would benefit from cheaper, safer and more innovative electronic payments, so the European Commission emphasized when they presented the revised EU Payment Services Directive (PSD2). Valdis Dombrovskis, at that time vice president responsible for Financial Stability, Financial Services and Capital Markets Union said: "This legislation is another step towards a digital single market in the EU. It will promote the development of innovative online and mobile payments, which will benefit the economy and growth. Consumers will also be better protected when they make payments."

On September 14, 2019, the strong customer authentication (SCA) requirement of the revised Directive on payment services (PSD2) came into force. Through this, PSD2 obliges payment service providers to apply "strong customer authentication" when a payer initiates an electronic payment transaction.

Some EU Member States, such as Belgium, the Netherlands and Sweden, already used SCAs for electronic remote payment transactions, be it a card payment or a credit transfer from an online bank. In some other EU countries, some payment service providers apply SCA on a voluntary basis.

Under PSD2, banks and other payment service providers will have to put in place the necessary infrastructure for SCA. They will also have to improve fraud management. Merchants will have to be equipped to be able to operate in a SCA environment.

"Creating security in e-commerce is a continual process," says Markus Schaffrin, security expert at eco – Association of the Internet Industry. "The rules of the PSD2 are a good way of making sure that customers do not need to fear identity theft or having their payment details abused."

The Commission Delegated Regulation (EU) 2018/389 also assists in the security of payments that are carried out in batches. This is the way most corporations make payments, rather than one by one. The new rules also take into account host-to-host machine communication, where, for example, the IT system of a company communicates with the IT system of a bank to send messages for paying invoices.\r\nAlthough the European Commission called on all EU Member States to ensure speedy and full implementation of all these rules, some stakeholders are still working to put these technological and practical changes in place.

The European Banking Authority (EBA) acknowledged the challenges experienced by some stakeholders in introducing SCA fully by September 14. The EBA therefore adopted an Opinion allowing national supervisors to enforce the new SCA rules for online payments by cards with a degree of flexibility, granting, where necessary, "limited additional time" to migrate to compliant authentication methods. Consumers should continue to pay as normal in Member States that decide to take advantage of this flexibility. At the end of this period of time, consumers will be asked to perform the two-factor strong customer authentication, unless an exemption applies.

The German digital association Bitkom has expressed relief that the financial supervision does not want to consistently enforce the new rules applicable from September 14 on online card payments due to the existing implementation problems. At the same time, Bitkom recommends extending this transitional period to 18 months in the case of "strong customer authentication". This period would be necessary and sufficient to ensure implementation for payment services, technical service providers and retailers. In addition, the transitional period would allow the necessary tests of the new payment routines.

On October 16, 2019, the European Banking Authority (EBA) published the deadline for the migration to SCA under the revised Payment Services Directive (PSD2) for e-commerce card-based payment transactions. The deadline has been set to December 31, 2020.\r\nWhile the payment service providers welcome the long transition period, the customers are still waiting for more payment security in the EU. The new payment study by the Bundesverband Digitale Wirtschaft (BVDW) e.V. has shown that 64.4% of Germans do not want to restrict their shopping behavior in online shops despite the EU's new Payment Services Directive (PSD2). Additionally, 13.1% of respondents (n = 1,047) welcome the new heightened security measures and want to shop even more online.

According to a new representative study by the German Gesellschaft für Konsumforschung (GfK), 45% of consumers think the introduction of the new EU regulation is a good thing. Although online shoppers still have to get used to the new procedures of their card-issuing banks and savings banks, the new regulation brings significantly more security.

"We expect biometric authentication to become more important with two-factor authentication, and many smartphone owners are already using their fingerprint or face recognition feature to unlock their mobile phone," said Peter Bakenecker, division president for Germany and Switzerland at Mastercard. "In particular, purchases with mobile devices can be completed safe and convenient with just one click, without having to enter an unwieldy password or a PIN during the payment process."

But some customers will have to wait for the better payment security in the EU, maybe until the end of 2020, while in some EU countries and many countries outside the EU the strong customer authentication already works without any problems.

— Oliver Schonschek, News Analyst, Security Now

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Enterprise Cybersecurity Plans in a Post-Pandemic World
Download the Enterprise Cybersecurity Plans in a Post-Pandemic World report to understand how security leaders are maintaining pace with pandemic-related challenges, and where there is room for improvement.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-41393
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows forgery of SSH host certificates in some situations.
CVE-2021-41394
PUBLISHED: 2021-09-18
Teleport before 4.4.11, 5.x before 5.2.4, 6.x before 6.2.12, and 7.x before 7.1.1 allows alteration of build artifacts in some situations.
CVE-2021-41395
PUBLISHED: 2021-09-18
Teleport before 6.2.12 and 7.x before 7.1.1 allows attackers to control a database connection string, in some situations, via a crafted database name or username.
CVE-2021-3806
PUBLISHED: 2021-09-18
A path traversal vulnerability on Pardus Software Center's "extractArchive" function could allow anyone on the same network to do a man-in-the-middle and write files on the system.
CVE-2021-41392
PUBLISHED: 2021-09-17
static/main-preload.js in Boost Note through 0.22.0 allows remote command execution. A remote attacker may send a crafted IPC message to the exposed vulnerable ipcRenderer IPC interface, which invokes the dangerous openExternal Electron API.