Dark Reading is part of the Informa Tech Division of Informa PLC

Application Security

11/14/2019
11:50 AM
Oliver Schonschek

Problems With EU Payment Security Persist

Proposed new security procedures within the EU have troubled some payment service providers, leading to the postponement of their implementation.

The revised EU Payment Services Directive (PSD2) aims to modernize Europe's payment services. It promotes more secure payments and better consumer protection. But the new security procedures troubled some payment service providers, so tighter payment security in the EU has been postponed.

Consumers would benefit from cheaper, safer and more innovative electronic payments, the European Commission emphasized when it presented the revised EU Payment Services Directive (PSD2). Valdis Dombrovskis, at that time vice president responsible for Financial Stability, Financial Services and Capital Markets Union, said: "This legislation is another step towards a digital single market in the EU. It will promote the development of innovative online and mobile payments, which will benefit the economy and growth. Consumers will also be better protected when they make payments."

On September 14, 2019, the strong customer authentication (SCA) requirement of the revised Directive on payment services (PSD2) came into force. Through this, PSD2 obliges payment service providers to apply "strong customer authentication" when a payer initiates an electronic payment transaction.

Some EU Member States, such as Belgium, the Netherlands and Sweden, already used SCA for electronic remote payment transactions, be it a card payment or a credit transfer from an online bank. In some other EU countries, some payment service providers apply SCA on a voluntary basis.

Under PSD2, banks and other payment service providers will have to put in place the necessary infrastructure for SCA. They will also have to improve fraud management. Merchants will have to be equipped to operate in an SCA environment.

"Creating security in e-commerce is a continual process," says Markus Schaffrin, security expert at eco – Association of the Internet Industry. "The rules of the PSD2 are a good way of making sure that customers do not need to fear identity theft or having their payment details abused."

The Commission Delegated Regulation (EU) 2018/389 also assists in the security of payments that are carried out in batches. This is the way most corporations make payments, rather than one by one. The new rules also take into account host-to-host machine communication, where, for example, the IT system of a company communicates with the IT system of a bank to send messages for paying invoices.

Although the European Commission called on all EU Member States to ensure speedy and full implementation of all these rules, some stakeholders are still working to put these technological and practical changes in place.

The European Banking Authority (EBA) acknowledged the challenges experienced by some stakeholders in introducing SCA fully by September 14. The EBA therefore adopted an Opinion allowing national supervisors to enforce the new SCA rules for online payments by cards with a degree of flexibility, granting, where necessary, "limited additional time" to migrate to compliant authentication methods. Consumers should continue to pay as normal in Member States that decide to take advantage of this flexibility. At the end of this period of time, consumers will be asked to perform the two-factor strong customer authentication, unless an exemption applies.

The German digital association Bitkom has expressed relief that financial supervisors do not intend to strictly enforce the new rules applicable from September 14 on online card payments, given the existing implementation problems. At the same time, Bitkom recommends extending this transitional period to 18 months in the case of "strong customer authentication". This period would be necessary and sufficient to ensure implementation for payment services, technical service providers and retailers. In addition, the transitional period would allow the necessary tests of the new payment routines.

On October 16, 2019, the European Banking Authority (EBA) published the deadline for the migration to SCA under the revised Payment Services Directive (PSD2) for e-commerce card-based payment transactions. The deadline has been set to December 31, 2020.

While the payment service providers welcome the long transition period, the customers are still waiting for more payment security in the EU. The new payment study by the Bundesverband Digitale Wirtschaft (BVDW) e.V. has shown that 64.4% of Germans do not want to restrict their shopping behavior in online shops despite the EU's new Payment Services Directive (PSD2). Additionally, 13.1% of respondents (n = 1,047) welcome the new heightened security measures and want to shop even more online.

According to a new representative study by the German Gesellschaft für Konsumforschung (GfK), 45% of consumers think the introduction of the new EU regulation is a good thing. Although online shoppers still have to get used to the new procedures of their card-issuing banks and savings banks, the new regulation brings significantly more security.

"We expect biometric authentication to become more important with two-factor authentication, and many smartphone owners are already using their fingerprint or face recognition feature to unlock their mobile phone," said Peter Bakenecker, division president for Germany and Switzerland at Mastercard. "In particular, purchases with mobile devices can be completed safely and conveniently with just one click, without having to enter an unwieldy password or a PIN during the payment process."

But some customers will have to wait for the better payment security in the EU, maybe until the end of 2020, while in some EU countries and many countries outside the EU the strong customer authentication already works without any problems.

— Oliver Schonschek, News Analyst, Security Now