EU Cyber Resilience Act – Payment Card Collection & Recycling Online Survey – Post Quantum Card Security – Biometrics Payment Card – Java Card 3.1 Specification – Smart Payment Association’s Newsletter – January 2023

Dear Colleagues,

In this newsletter, the first of 2023, we take a look at the key themes and issues set to shape and define our work over the next 11 months. We also review some key milestones achieved as a direct result of activities undertaken by SPA and its members throughout 2022.

Balancing security and regulation in 2023

The European Union (EU) is, quite rightly, keen to elevate security by design best practices in relation to digital devices with the aim of better protecting consumers and businesses from cyber-attacks.

In December 2022, the European Commission released its initial proposal for a new EU Cyber-Resilience Act (CRA). This Act seeks to impose cybersecurity obligations on all products with digital elements that use a direct, or indirect, connection to a device or network.

While SPA and the wider payment sector fully endorse the EU’s ambitions with regard to safeguarding consumers and businesses in particular in the IoT domain, we believe it is also important to recognise that stringent global security frameworks and standards have long been in operation within the card and mobile payments sector.

These proven and robust standards guarantee the security, cyber-resilience, and interoperability of smart payment products in the field and feature comprehensive cyber-security by design and product life-cycle monitoring principles. In many cases, we believe these even exceed the requirements outlined in the CRA proposal.

In its initial response to the European Commission, SPA recommends that these pre-existing industry frameworks should be mapped and assessed against the outline CRA requirements. A move we believe would eliminate any unnecessary steps for payment card manufacturers, while simplifying and accelerating conformity with the CRA.

While welcoming the aspirations contained within the proposed CRA, SPA believes there is otherwise a risk of over regulation or unnecessary duplication that will prove operationally impractical. SPA is at EU’s disposal to highlight how existing industry standards would fit best into the CRA framework without causing double certifications.

Protecting payment cards in a post quantum world

With the increased need for cybersecurity in 2023 and the upcoming years, SPA has already provided some key insights and recommendations on how to secure payment cards as we progress towards a post-quantum world.

Last year, we released an important position paper setting out our perspective on the future of security for card payment systems. This introduced the concepts underpinning the evolution towards new approaches such as Post-Quantum Cryptography (PQC).

Based on this paper, and related discussions, SPA is delighted to confirm its recommendations are now being integrated into SEPA regulations. SPA will continue to play a comprehensive role in overseeing this activity.

Securing the future of payments

SPA is becoming recognised as a powerful voice and thought leader in relation to the pioneering of new payment security practices for today’s increasingly interconnected world.

As technological change continues to accelerate, SPA is working in collaboration with other industry bodies to deliver advice and recommendations on how to secure payments today – and into the future.

At the close of 2022, SPA was invited by The Paypers to provide an expert opinion on how biometric payment cards are transforming cardholder authentication. Meanwhile, January 2023 saw SPA’s technical insight provided to the Java Card Forum. It tackles on how Java Card’s new 3.1 specification will deliver the extended functionalities that will be key for the evolution of payment security, enabling a new generation of smart payment instruments and applications.

In pursuit of a more sustainable practices

With environmental responsibility now high on the agenda of card issuers, last year saw SPA published its first position paper on eco-innovative card materials and best practices for supply chain logistics.

In 2023, SPA will continue to pursue this pioneering sustainable workstream, with a view to helping the sector accelerate end-to-end sustainability across the entire payment card lifecycle.

With this in mind SPA, in collaboration with industry analyst Frost & Sullivan, has launched an online Payment Card Collection & Recycling survey to capture insights from card issuing professionals working in European banking institutions.

SPA needs your help:

If you are a sustainability or/and payment card issuing practitioners working in European Banking Institutions, your personal opinion as a practitioner matters to us!