European Central Bank proposes 2FA liability shift to boost Internet payment security

The European Central Bank has issued a set of recommendations to promote the security of payments made over the Internet.

The guidelines - applicable to all Payments Services Providers as defined in the EU-wide Payment Services Directive - outline 14 key recommendations that are designed to act as a set of minimum expectations. Implementation will be overseen by national supervisory authorities on a voluntary co-operative basis and based on the existing legal frameworks in host countries.

The recommendations are organised into three broad categories, covering general control and security, specific control and security measures for every step of the payment transaction process, and customer awareness, education and communication.

At the core of the proposals is a commitment to two-factor authentication as a minimum requirement to verify the identity of a customer. Measures may include the use of passwords and PINs; tokens, cards and mobile phones; and biometrics.

"Where there is no or weak authentication procedure in place, in the event of a disputed transaction, PSPs cannot provide proof that the customer has authorised the transaction," states the report. "When strong authentication is used, it is for the issuer to prove that the cardholder has acted with gross negligence or intent."

It suggests the introduction of a liability shift in the Payment Services Directive to acknowledge the issue and further calls on the European Commission to set up an EU-wide utility for reporting and sharing information related to data security breaches.

Interested parties are invited to comment on the draft by 20 June 2012.

Read the full report (PDF, 960.6 kB).

Comments: (4)

Pat Carroll - ValidSoft - London, 20 April 2012, 14:39

This is a positive development in the right direction from the European Central Bank. However, with the growing sophistication of hackers, two-factor authentication may not be sufficient any more (see my blog on Finextra). Security technology has advanced so that four- or even five-factor authentication can be conducted with some of the layers being invisible. This enables both a sufficiently safe and a convenient way of safeguarding a transaction.


Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 23 April 2012, 06:16

This is unwanted scare-mongering and will severely curtail online and mobile usage scenarios. As for curbing fraud, I'm not sure if it will help: leading US ecommerce merchants like Amazon have still not implemented VbV or other forms of 2FA despite FFIEC releasing guidelines to this effect in 2005 and reiterating them in 2011, and I haven't come across any figures showing that they suffer greater fraud as a percentage of revenues as compared to their counterparts in the EU and other countries where 2FA is common.

IMHO, 2FA poses enough friction already. Any more factors and I predict that cash will enter online transactions - as it's already happening in India, where "Cash on Delivery" is the #1 payment mode for ecommerce purchases.

A Finextra member, 23 April 2012, 08:37

I fully support this initiative if it helps reduce fraud and creates a common customer experience, though I too question whether two factor authentication is sufficient given how savvy fraudsters are becoming.

Part of the problem with 3D Secure is that it's not mandated, meaning that the customer experience varies from web site to web site, with some merchants asking for authentication while others (such as Amazon) do not. If all cardholders were required to authenticate themselves in some way, as they do with chip and PIN in a face-to-face environment, then they'll be more likely to remember their password when shopping online.

I'd also like to see some form of token-based authentication introduced for telephone orders, supported by a liability shift, as this doesn't exist at the moment.

Perhaps once two- (or more) factor authentication is introduced internationally for face-to-face and cardholder-not-present transactions (if we ever get to that stage), being in possession of a card number on its own will have zero value and PCI-DSS will no longer be necessary - saving the industry many millions!

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 23 April 2012, 14:46

Having just attempted to put through two CNP transactions in a country where 2FA / 3DS is mandated by the central bank, remembering one more password is the least of the friction. There are simply too many moving parts, and even if each individually has 99%+ uptime, the end-to-end uptime is a lot lower and transaction failures are not uncommon. In my present example, one transaction succeeded whereas the other failed (because the issuing bank's 3DS was constantly timing out). I'm not sure if the issuer, acquirer and payments processor are aware that this transaction has failed, causing loss of revenue for the merchant. As for the merchant, I don't know if he believes in "ignorance is bliss", is patting himself on the back for blocking a potentially fraudulent transaction, or is upset with the others in the payments process flow for bungling this transaction. Perhaps, with its renowned use of A/B testing for over 10 years, an ecommerce leader like Amazon has a better idea about the potential of VbV / 3DS / 2FA to trigger transaction failures and cause false positives, which is why it has astutely chosen to avoid such technologies. I'm sure Amazon doesn't like fraud any more than other merchants do, but perhaps it recognizes that fraud is a cost of doing business in the real world.

Although the latest, the above is not my only experience with false positives caused by existing 2FA solutions. Maybe it's high time the regulators changed their focus. Instead of specifying even higher levels of security, they should insist that existing issues with 2FA are ironed out first, and demand proof that 2FA has cumulatively prevented more fraud loss than the revenue it has lost due to false positives. I recall a banker saying "only compliance, no transactions" in a somewhat similar context recently.