
Application Security

11:50 AM
Oliver Schonschek

Problems With EU Payment Security Persist

Proposed new security procedures within the EU have troubled some payment service providers, leading to the postponement of their implementation.

The revised EU Payment Services Directive (PSD2) aims to modernize Europe's payment services. It promotes more secure payments and better consumer protection. But the new security procedures troubled some payment service providers, so tighter payment security in the EU has been postponed.

Consumers would benefit from cheaper, safer and more innovative electronic payments, the European Commission emphasized when it presented the revised EU Payment Services Directive (PSD2). Valdis Dombrovskis, at that time vice president responsible for Financial Stability, Financial Services and Capital Markets Union, said: "This legislation is another step towards a digital single market in the EU. It will promote the development of innovative online and mobile payments, which will benefit the economy and growth. Consumers will also be better protected when they make payments."

On September 14, 2019, the strong customer authentication (SCA) requirement of the revised Directive on payment services (PSD2) came into force. Through this, PSD2 obliges payment service providers to apply "strong customer authentication" when a payer initiates an electronic payment transaction.

Some EU Member States, such as Belgium, the Netherlands and Sweden, already used SCA for electronic remote payment transactions, be it a card payment or a credit transfer from an online bank. In some other EU countries, some payment service providers apply SCA on a voluntary basis.

Under PSD2, banks and other payment service providers will have to put in place the necessary infrastructure for SCA. They will also have to improve fraud management. Merchants will have to be equipped to operate in an SCA environment.

"Creating security in e-commerce is a continual process," says Markus Schaffrin, security expert at eco – Association of the Internet Industry. "The rules of the PSD2 are a good way of making sure that customers do not need to fear identity theft or having their payment details abused."

The Commission Delegated Regulation (EU) 2018/389 also assists in the security of payments that are carried out in batches. This is the way most corporations make payments, rather than one by one. The new rules also take into account host-to-host machine communication, where, for example, the IT system of a company communicates with the IT system of a bank to send messages for paying invoices.

Although the European Commission called on all EU Member States to ensure speedy and full implementation of all these rules, some stakeholders are still working to put these technological and practical changes in place.

The European Banking Authority (EBA) acknowledged the challenges experienced by some stakeholders in introducing SCA fully by September 14. The EBA therefore adopted an Opinion allowing national supervisors to enforce the new SCA rules for online payments by cards with a degree of flexibility, granting, where necessary, "limited additional time" to migrate to compliant authentication methods. Consumers should continue to pay as normal in Member States that decide to take advantage of this flexibility. At the end of this period of time, consumers will be asked to perform the two-factor strong customer authentication, unless an exemption applies.

The German digital association Bitkom has expressed relief that the financial supervision does not want to consistently enforce the new rules applicable from September 14 on online card payments due to the existing implementation problems. At the same time, Bitkom recommends extending this transitional period to 18 months in the case of "strong customer authentication". This period would be necessary and sufficient to ensure implementation for payment services, technical service providers and retailers. In addition, the transitional period would allow the necessary tests of the new payment routines.

On October 16, 2019, the European Banking Authority (EBA) published the deadline for the migration to SCA under the revised Payment Services Directive (PSD2) for e-commerce card-based payment transactions. The deadline has been set to December 31, 2020.

While payment service providers welcome the long transition period, customers are still waiting for more payment security in the EU. The new payment study by the Bundesverband Digitale Wirtschaft (BVDW) e.V. has shown that 64.4% of Germans do not want to restrict their shopping behavior in online shops despite the EU's new Payment Services Directive (PSD2). Additionally, 13.1% of respondents (n = 1,047) welcome the new heightened security measures and want to shop even more online.

According to a new representative study by the German Gesellschaft für Konsumforschung (GfK), 45% of consumers think the introduction of the new EU regulation is a good thing. Although online shoppers still have to get used to the new procedures of their card-issuing banks and savings banks, the new regulation brings significantly more security.

"We expect biometric authentication to become more important with two-factor authentication, and many smartphone owners are already using their fingerprint or face recognition feature to unlock their mobile phone," said Peter Bakenecker, division president for Germany and Switzerland at Mastercard. "In particular, purchases with mobile devices can be completed safely and conveniently with just one click, without having to enter an unwieldy password or a PIN during the payment process."

But some customers will have to wait for better payment security in the EU, possibly until the end of 2020, while in some EU countries and many countries outside the EU strong customer authentication already works without any problems.

— Oliver Schonschek, News Analyst, Security Now
