CARD TECHNOLOGY - BIOMETRICS – CRA - DORA – INSTANT PAYMENTS – CELEBRATING 20 YEARS - SPA NEWSLETTER NOVEMBER 2024
Dear Colleagues,
In this edition of our newsletter, we announce the creation of a new working group focusing on biometric payment cards and provide insights on the work that is currently on-going.
We also take a look at the industry’s key regulatory requirements and discuss our ongoing efforts to support compliance with both the Cyber Resilience Act (CRA) and Digital Operational Resilience Act (DORA).
Plus, as SPA continues to celebrate its 20th anniversary year, we briefly reflect on our progress and look forward to our birthday celebrations in Brussels on December 5, 2024.
Biometric cards
Ubiquitous adoption of biometric authentication on the smart card truly represents the next evolution. It provides a faster, more convenient, and ultimately more secure experience for both users and merchants. At SPA, we’re committed to playing our part in activating the ecosystem to bring this vision to life, at scale.
With this in mind, SPA is delighted to announce the establishment of an important new special interest focus.
As a first step—to ensure support for widescale adoption—SPA’s Biometric Card Working Group has launched a program to standardize card enrollment use cases, interoperability and security processes. We plan to share initial output from this important workstream with SPA members and the wider payments community before the end of the year.
SPA believes that cross-industry collaboration will be essential for enabling the biometric card payment ecosystem in a systematic and responsible manner. We look forward to working with all industry stakeholders.
Cyber Resilience Act (CRA)
As part of the legislative process, the EU Council adopted the Cyber Resilience Act (CRA) on October 10th, and its publication in the EU Journal is expected in the coming weeks to bring it into effect. SPA has applied for a seat on the EU’s Expert Group to support future compliance with the CRA and upcoming implementing acts. We look forward to contributing our extensive expertise in certifying secure elements and cards used in the payments industry, ensuring alignment with ISO and EPSG security standards and specifications in banking.
SPA will soon release a paper that sets out how existing rigorous security practices and regulatory compliance mechanisms, utilized by the payments industry, align with CRA requirements. We advocate for the CRA to provide a mechanism to confirm compliance with the rules using the existing evidence. Compliance through Module H of the CRA could also be a viable solution, together with a self-assessment that consolidates all relevant information and statements derived from the existing certification process.
Digital Operational Resilience Act (DORA)
The EU’s Digital Operational Resilience Act (DORA) is set to take effect in January 2025. While banks and financial institutions are working to prepare, awareness levels vary across the industry.
SPA welcomes the European Commission’s efforts to make financial services more resilient against cyber threats, yet SPA considers that Payment Card Personalization doesn’t fall under the remit of DORA. SPA will soon release a position paper explaining why.
Instant Payments
As always, SPA is actively involved in preparing the next version of the EPSG Volume of Requirements and fully committed to the success of its next release. We are particularly focused on driving consensus around interoperable solutions for instant payments to ensure compliance with EU security requirements. In support of this objective, we are engaged in developing a security model for instant payments that features a common contactless interface for both cards and instant payments.
SPA believes that broad adoption of instant payments for retail transactions at the Point of Sale will only be successful if it matches today’s NFC user experience and leverages existing infrastructures.
SPA 20th Anniversary
Since our inception in 2004, SPA has embarked on an important journey, working closely with regulators and industry bodies to shape the future of payments.
Two decades on and the smart payment card remains as relevant as ever with 3 billion smart payment cards shipped in 2023 by SPA members, a 10-fold growth since SPA first reported its members’ shipments.
And it’s been exciting to witness the evolution—from contactless cards utilizing NFC technologies, right through to new digital form factors, including tokenization and Secure Elements, that underpin today’s mobile payment applications and wallets.
Throughout the past 20 years, SPA has supported the development of standards for interoperability, quality, security, and certification—ensuring their evolution keeps pace with new technologies and payment trends. And we continue to do so today by extending our relationships, widening our scope, and engaging with more global payments and security regulatory schemes.
On December 5, 2024, SPA Members and the industry are gathering in Brussels to celebrate the Association’s 20th Anniversary.
During the event, we’ll be reviewing our key achievements over the past 20 years. We’re also delighted to be joined by Eric Ducoulombier—Head of Unit, Retail Financial Services at the European Commission—who will share his insights on the Commission’s top payment priorities for the next five years.
It promises to be a great event.
Best regards
Jacques Doucerain
President of the SPA