ECB seeks to improve online payments security

ECB seeks to improve online payments security

The European Central Bank has outlined plans to improve the security of Internet payments, requiring firms to beef up their customer authentication processes.

Following a two month public consultation, the central bank has set out its harmonised, minimum security recommendations, which it calls "an important set of guidelines in the fight against payment fraud".

The key plank of the plans requires payment service providers and the governance authorities of payment schemes to protect the initiation of online payments, as well as access to sensitive transaction data, through "strong customer authentication".

In addition, firms should limit the number of log-in or authentication attempts, define rules for Internet payment services session "time out" and set time limits for the validity of authentication.

Transaction monitoring mechanisms must be designed to prevent, detect and block fraudulent payment transactions, while multiple layers of security defences must be roll out in order to mitigate identified risks.

Customers should also be given assistance and guidance about best online security practices and provided with tools to help customers monitor transactions.

The recommendations will be integrated into existing oversight frameworks for payment schemes and supervisory frameworks for PSPs and will have to be implemented by 1 February 2015.

Read the full set of recommendations here

Comments: (5)

Riten Gohil
Riten Gohil - Sphonic - London 31 January, 2013, 17:23Be the first to give this comment the thumbs up 0 likes

So this has finally come to it's conclusion and one wonders how much consideration was given to the pressing demands of the emerging digital environment. Reading through some of the detail there appears some flexibility for PSPs but I think the science behind what is considerd "Strong Authentication" will be hard to police. Best practice would be a risk-based authentication environment, with strong authentication initiated when a high-risk tansaction is detected. 

It requires local regulators to understand the commercial pressures of the burgeoing eCommerce world, without following a "tick box" approach for a world that is changing quicker than regulation allows. 

Interesting times ahead, requires sensible thought. 





A Finextra member
A Finextra member 01 February, 2013, 18:46Be the first to give this comment the thumbs up 0 likes

It might be a good idea to join this up with LEI and other projects to identify the corporate/consumer. There needs to be more consumer involvment and prevent or limit concerns arround Big Brother 

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 01 February, 2013, 18:52Be the first to give this comment the thumbs up 0 likes

Additional authentication inevitably increases friction in online payments and causes shopping cart abandonment, which results in loss of revenues. On the other hand, it is likely to reduce fraud loss. I hope the regulators leave it to e-tailers to evaluate which of these two factors proves to be of greater importance in their specific context and decide whether or not to implement tighter security.

A Finextra member
A Finextra member 01 February, 2013, 19:02Be the first to give this comment the thumbs up 0 likes

Hey, who would deal on a site without tight security? Security or not is not an option. Every site must be as secure as possible and there is no trade off. Its a great way to lose your business though

Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 02 February, 2013, 20:20Be the first to give this comment the thumbs up 0 likes

Tell an online shopper that a certain website is insecure and, sure, she'll not go near it. On the other hand, tell her that the website has implemented the latest in security technologies and will shunt her between five different websites and lose her payment once in 12 times (Cf. Skating Away With Online Payments on my company blog). Think she'll praise all the security measures and keep trying till her payment goes through? Unlikely. As I'd highlighted in The Death Of Cash Is At Least 190 Years Away, she's more likely to pay with cash. So, there's a clear trade-off between security and convenience and, as the most interested party to the transaction, the merchant should be free to decide how to strike the trade-off.

Most ecommerce websites in the USA lack security by ROW standards in that they don't use 2FA and some of them don't even ask for CVV #s. Have they lost business? No, sir, USA remains the largest ecommerce market in the world. 

Visit worldpaymentsreport

Trending Stories

Featured Job
All Jobs »
London, UK

Senior Sales, Collateral Management Solutions (London, covering EMEA)

Competitive base + bonus + benefit package

22 Jul