Last Friday, we published our response to the draft recommendations for the security of mobile payments. These draft recommendations were developed by the European Forum on the Security of Retail Payments, SecuRe Pay. This is a group of EU supervisors who are working together to establish a harmonised EU/EEA-wide minimum level of security.
In our response we outlined the following issues:
- A risk analysis is an appropriate basis for assessing the circumstances in which strong authentication is required. A broader approach would take into account a range of factors.
- We propose the expansion of the definition of strong authentication to incorporate a fourth factor, that of ‘something that is consistently associated with the user’ to cater for the specific nature of the mobile ecosystem and the ICT-security developments.
- An important ingredient in this process is customer convenience, and this merits further consideration. A cumbersome process may lead to customer frustration and abandonment of transactions, or to avoidance strategies that compromise security objectives.
- Greater distinction could be made between near field communication (NFC) transactions, m-commerce (browser-based) transactions and other mobile-based models such as SMS. The risk scenarios are distinct and the application of the recommendations to the different platforms would benefit from clarification.
- In order to be able to offer services on a pan-European basis, payment providers would benefit from equivalent adoption of the recommendations by different member states, and from recognition of the competence of the home member state with regard to such prudential regulatory provisions.
Next steps
The SecuRe Pay forum will now study the responses to the consultation and draft a final version that is likely to be released in February 2015. The final recommendations will then become an important basis for the further security guidelines that the European Banking Authority will be asked to draft under the current proposal for the Payment Services Directive.