Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

11/14/2019
11:50 AM
Oliver Schonschek
Oliver Schonschek
Oliver Schonschek
50%
50%

Problems With EU Payment Security Persist

Proposed new security procedures within the EU have troubled some payment service providers, leading to the postponement of their implementation.

The revised EU Payment Services Directive (PSD2) aims to modernize Europe's payment services. It promotes more secure payments and better consumer protection. But the new security procedures troubled some payment service providers, so tighter payment security in the EU has been postponed.

Consumers would benefit from cheaper, safer and more innovative electronic payments, so the European Commission emphasized when they presented the revised EU Payment Services Directive (PSD2). Valdis Dombrovskis, at that time vice president responsible for Financial Stability, Financial Services and Capital Markets Union said: "This legislation is another step towards a digital single market in the EU. It will promote the development of innovative online and mobile payments, which will benefit the economy and growth. Consumers will also be better protected when they make payments."

On September 14, 2019, the strong customer authentication (SCA) requirement of the revised Directive on payment services (PSD2) came into force. Through this, PSD2 obliges payment service providers to apply "strong customer authentication" when a payer initiates an electronic payment transaction.

Some EU Member States, such as Belgium, the Netherlands and Sweden, already used SCAs for electronic remote payment transactions, be it a card payment or a credit transfer from an online bank. In some other EU countries, some payment service providers apply SCA on a voluntary basis.

Under PSD2, banks and other payment service providers will have to put in place the necessary infrastructure for SCA. They will also have to improve fraud management. Merchants will have to be equipped to be able to operate in a SCA environment.

"Creating security in e-commerce is a continual process," says Markus Schaffrin, security expert at eco – Association of the Internet Industry. "The rules of the PSD2 are a good way of making sure that customers do not need to fear identity theft or having their payment details abused."

The Commission Delegated Regulation (EU) 2018/389 also assists in the security of payments that are carried out in batches. This is the way most corporations make payments, rather than one by one. The new rules also take into account host-to-host machine communication, where, for example, the IT system of a company communicates with the IT system of a bank to send messages for paying invoices.\r\nAlthough the European Commission called on all EU Member States to ensure speedy and full implementation of all these rules, some stakeholders are still working to put these technological and practical changes in place.

The European Banking Authority (EBA) acknowledged the challenges experienced by some stakeholders in introducing SCA fully by September 14. The EBA therefore adopted an Opinion allowing national supervisors to enforce the new SCA rules for online payments by cards with a degree of flexibility, granting, where necessary, "limited additional time" to migrate to compliant authentication methods. Consumers should continue to pay as normal in Member States that decide to take advantage of this flexibility. At the end of this period of time, consumers will be asked to perform the two-factor strong customer authentication, unless an exemption applies.

The German digital association Bitkom has expressed relief that the financial supervision does not want to consistently enforce the new rules applicable from September 14 on online card payments due to the existing implementation problems. At the same time, Bitkom recommends extending this transitional period to 18 months in the case of "strong customer authentication". This period would be necessary and sufficient to ensure implementation for payment services, technical service providers and retailers. In addition, the transitional period would allow the necessary tests of the new payment routines.

On October 16, 2019, the European Banking Authority (EBA) published the deadline for the migration to SCA under the revised Payment Services Directive (PSD2) for e-commerce card-based payment transactions. The deadline has been set to December 31, 2020.\r\nWhile the payment service providers welcome the long transition period, the customers are still waiting for more payment security in the EU. The new payment study by the Bundesverband Digitale Wirtschaft (BVDW) e.V. has shown that 64.4% of Germans do not want to restrict their shopping behavior in online shops despite the EU's new Payment Services Directive (PSD2). Additionally, 13.1% of respondents (n = 1,047) welcome the new heightened security measures and want to shop even more online.

According to a new representative study by the German Gesellschaft für Konsumforschung (GfK), 45% of consumers think the introduction of the new EU regulation is a good thing. Although online shoppers still have to get used to the new procedures of their card-issuing banks and savings banks, the new regulation brings significantly more security.

"We expect biometric authentication to become more important with two-factor authentication, and many smartphone owners are already using their fingerprint or face recognition feature to unlock their mobile phone," said Peter Bakenecker, division president for Germany and Switzerland at Mastercard. "In particular, purchases with mobile devices can be completed safe and convenient with just one click, without having to enter an unwieldy password or a PIN during the payment process."

But some customers will have to wait for the better payment security in the EU, maybe until the end of 2020, while in some EU countries and many countries outside the EU the strong customer authentication already works without any problems.

— Oliver Schonschek, News Analyst, Security Now

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.
CVE-2020-13404
PUBLISHED: 2020-08-05
The ATOS/Sips (aka Atos-Magento) community module 3.0.0 to 3.0.5 for Magento allows command injection.
CVE-2020-15112
PUBLISHED: 2020-08-05
In etcd before versions 3.3.23 and 3.4.10, it is possible to have an entry index greater then the number of entries in the ReadAll method in wal/wal.go. This could cause issues when WAL entries are being read during consensus as an arbitrary etcd consensus participant could go down from a runtime pa...