ECB consultation on security requirements for the security of mobile payments (deadline: January 31, 2014)

Yesterday, the European Central Bank (ECB) released a draft version of the Recommendations for the security of mobile payments for public consultation. These recommendations were developed by the European Forum on the Security of Retail Payments, SecuRe Pay (the “Forum”). In the Forum all EU supervisors work together with the aim to foster the establishment of a harmonised EU/EEA-wide minimum level of security. The consultation follows two previous consultations on requirements with respect to the security of internet payments and on third party account access.

The recommendations in the report are applicable to all Payment Service Provides (PSPs), as defined in the Payment Services Directive, when they provide mobile payment services as well as the governance authorities (GAs) of payment instrument schemes developing and offering mobile payment services. This includes card schemes, credit transfer schemes, direct debit schemes, e-money schemes, etc. These providers should implement the recommendations in two years after the publication of the final report (which is now estimated to be February 2017).

The report covers:

payments for which the payments data and the payment instruction are transmitted and/or confirmed via mobile communication and data transmission technology between the customer and his/her payment service provider in the course of an online or through a mobile device offline purchase of services, digital or physical goods 

and mentions three typical use cases:

  • an NFC-payment initiated from a mobile phone,
  • a QR payment via wireless networks or the network of a Mobile Network Operator,
  • peer-to-peer payments via the mobile phone.

Some mobile payments are excluded from the scope, such as those that use an NFC-sticker or those that require an add-on hardware device (turning the phone into a mobile POS-terminal).

Draft requirements
The draft report lists 5 key requirements, detailed in 14 recommendations, that Mobile Payment Solution Providers (MPSPs) and the involved Governance Authorities (scheme owners) must meet on a comply-or-explain basis:

  • MPSPs should have security, risk and control measures in place ensuring a level of security similar to that required by the internet recommendations. The security of the payment account should not be undermined by the performance of payment account access services.
  • MPSPs should protect the initiation of mobile payments, as well as access to sensitive payment data, by strong customer authentication.
  • MPSPs should implement a robust data protection mechanism to protect sensitive data wherever it is transmitted, processed or stored.
  • MPSPs should implement secure processes for authorising transactions, as well as robust processes for monitoring transactions and systems in order to identify abnormal customer payment patterns and prevent fraud.
  • MPSPs should engage in enhancing customer understanding and provide information on security issues related to the use of mobile payment services with a view to enabling customers to use such services in a safe and secure manner.

Next steps
The consultation period for these requirements ends on January 31, 2014 after which the ECB will draft a final version that is expected to be released in February 2015. It can be expected that the final recommendations will also become an important basis for the further security guidelines that the European Banking Authority is asked to draft under the current proposal for the Payment Services Directive.