An increasing amount of fraud has led the European Union's banking authority to craft a new set of guidelines for members to secure online payments with strong authentication tools.
The European Banking Authority (EBA), an EU body that regulates and supervises the banking sector, issued the guidelines last week that push payment service providers (PSPs) to adopt two-factor authentication as a standard for verifying the identity and intent of all customers in online transactions.
The EBA guidelines are based on the recommendations developed and published in January 2013 by the European Forum on the Security of Retail Payments (SecuRe Pay).
The EBA is using its status to build a legal baseline for implementation of security on Internet payments across all 28 EU members. The guidelines are for PSPs, the middlemen between websites and banks that facilitate Internet money transfers.
New security guidelines are slated for release in 2017-2018 as part of the EU's Payment Services Directive (PSD), a set of security guidelines covering risk assessment, governance, monitoring/reporting, and stronger authentication, among other directives.
But the EBA thinks it is unwise to wait for those guidelines, which do provide more stringent rules, and is aiming at August 1, 2015 for PSPs to have implemented its revised plans. The August date is considered a first step, with the PSD slated as the next move.
The EBA cited fraud statistics on card Internet payments that showed €794 million in losses in 2012 in card-not-present fraud, an increase of 21 percent over the previous year.
There was some discussion among members as to how and when the implementation deadlines should be set given existing work on the PSD. But in the end, the EBA decided to publish, concluding in its 41-page guidelines document that "a lack of security is continuing to undermine the confidence of market participants in payment systems and therefore that a timely and consistent regulatory response is required."
In its guidelines, the EBA did clarify the definition of "authentication" based on feedback from members, saying strong customer authentication is based on the use of two or more elements, including something the user knows, something the user possesses (token, etc.), or something the user is (biometric, etc.).
All authentication elements must be mutually independent, so that compromising one does not compromise the other. It also called for authenticators that are not reusable, not replicable, and not capable of being stolen off the Internet. In addition, the strong authentication had to protect the confidentiality of the authentication data and be tamper-proof.
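To make those requirements concrete, here is an added example (not code from the EBA guidelines or from any PSP) of a verifier that combines a knowledge element (password) with a possession element (a one-time code from a per-device secret), evaluates them independently, and refuses to accept the same code twice. The credential values, the 30-second time step and the class and function names are assumptions made for this demo.

```python
import hashlib
import hmac
import struct

# Constructed demo credentials (not real): the knowledge element is a salted
# password hash; the possession element is a secret held only by the user's device.
PASSWORD_SALT = b"demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", PASSWORD_SALT, 100_000)
DEVICE_SECRET = b"0123456789abcdef0123"
TIME_STEP = 30  # seconds per one-time-code window (assumed)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 style one-time code: HMAC-SHA1 over the time counter, truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class ScaVerifier:
    def __init__(self):
        # Windows whose code has already been accepted: enforces "not reusable".
        self.used_counters = set()

    def check_knowledge(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)
        return hmac.compare_digest(candidate, PASSWORD_HASH)

    def match_possession(self, code: str, now: int):
        """Return the matching, unused time window, or None. Never depends on the password."""
        counter = now // TIME_STEP
        for window in (counter - 1, counter, counter + 1):  # tolerate one step of clock skew
            if window in self.used_counters:
                continue
            if hmac.compare_digest(totp(DEVICE_SECRET, window), code):
                return window
        return None

    def authenticate(self, password: str, code: str, now: int) -> bool:
        # Both elements are checked on every attempt; the code is consumed only
        # when the whole authentication succeeds, so a wrong password cannot burn it.
        knows = self.check_knowledge(password)
        window = self.match_possession(code, now)
        if knows and window is not None:
            self.used_counters.add(window)
            return True
        return False
```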