SCA - PSD2 - EBA - Open Banking - Instant Payments - EMVCo ECC - PCI Crypto... SPA Newsletter Autumn 2019
Dear Colleagues,
With the Strong Customer Authentication (SCA) requirements of Payment Services Directive (PSD2) going live on 14th September 2019, the last few months have been hectic for many in the European financial sector. Not least because the apparent lack of clarity has created a significant level of confusion in terms of technology implementation.
This is perfectly illustrated by the discussions around ‘Open Banking’. Something that, as part of PSD2, promises to have a major impact on how merchants take online payment from consumers. With new Third-Party Payment Providers (TPPs) also entering the market, the ability to secure electronic payments and enhance consumer protection against fraud and liability is vital for managing risk going forward.
To address this complex challenge, the European Banking Association (EBA) has released ‘Opinions’ on which authentication elements are appropriate when implementing Strong Customer Authentication in a PSD2 context. While SPA is highly supportive of such moves designed to protect consumers from cyberattack and secure ecommerce transactions, it contends that not all authentication methods are equivalent from a security point of view.
Actively involved in standardization efforts to support PSD2, SPA believes an Open Standard API that offers a flexible choice of authentication methods will be essential to address the potential security and commercial challenges posed by the emergence of these new complex processing circuits – and that today’s biometric-enabled smart card technology offers a highly secure and convenient method of undertaking customer verification.
You can read more on this topic in our latest paper "Do TPP Services Represent a Worrying Factor for The Retail Payments Market?"
New ECB assessment of the smart card market
The European Central Bank (ECB) has recently completed its insightful overview of the SEPA smart card market. The analysis, which includes viewpoints from market players, identifies what’s hindering the sector from a harmonized standards perspective and examines new developments that further facilitate technical interoperability and innovation for a more integrated card payments market in SEPA.
SPA welcomes the publication of the ECB report outlining the standardization efforts of the European Cards Stakeholders Group (ECSG) – to which the SPA is an active contributor and a Board Member.
Alongside a frank assessment of the outstanding issues hampering the interconnectivity of domestic card schemes, and a detailed review of the European legal and regulatory framework (including upcoming legislation), the report underlines the importance of active participation in all public consultations by relevant stakeholders.
You can access the report here.
Instant Payments
SPA has launched an Instant Payment Card Taskforce to look at using a physical or digital EMV card at the POS to initiate an (instant) credit transfer using the EMV card as a means of identification and authentication and leveraging Open Banking.
Instant Payments are at the heart of the Eurosystem’s retail payment strategy. In the words of Benoît Coeuré, Member of the Executive Board of the European Central Bank, “A pan-European strategy that facilitates instant, secure and inexpensive payments – both online and in brick and mortar stores – has the potential to make up lost ground and meet the rising needs of consumers for efficient cross-border payments. Better affordability, quality and choice will also promote financial inclusion.”
A number of major European banks besides have started an initiative to work on a pan-European retail payment solution that could be based on the SEPA credit transfer instant (SCT Inst) scheme.
More at The Paypers
In this context, the initiation of an instant payment at the Point of Sale in a physical store is an important subject that needs to consider both the regulatory aspects and the user convenience. SPA’s Instant Payment Card task force will be proposing an approach to address this subject.
Mobile-initiated SEPA Instant Payments
SPA has been invited to participate in the European Payments Council (EPC) Multi Stakeholders Group for Mobile Instant Payments. Our work within the group will contribute to the successful development and establishment of a technical framework to support the interoperability of mobile instant payments.
EMVCo prepares to initiate new ECC-based security mechanisms
EMVCo has announced plans to specify the use of Elliptic Curve Cryptography (ECC) for offline card authentication purposes as an (optional) alternative to current RSA based cryptography. ECC utilizes shorter key sizes to deliver the same level of security.
This picks up on the work, conducted some time ago by SPA and EMVCo experts, to improve the functionality of the XDA (extended data) authentication protocol. While this was not finally retained, it was the first security mechanism based on ECC proposed by EMVCo.
According to the latest security announcement by EMVCo in June 2019, it is expected that the new ECC protocol – due to be drafted by Q4 this year – will be similar to the former XDA. EMVCo will apply the ECC to the contact interface. Due to the historical flaw in EMVCo, the individual schemes have to decide whether to update their contactless kernels as well.
SPA will continue to contribute and comment on the new ECC protocol for as long as EMVCo makes these draft documents available. SPA is also recommending that the schemes extend the XDA protocol to contactless cards. Ultimately, this update will have a major impact on the existing infrastructure and is therefore a controversial topic within the industry. SPA will continue to support the industry to maximize its security capabilities, as well as to smooth the required transition phase.
PCI Encryption Taskforce
SPA has also been accepted into the new PCI Encryption Taskforce. The Taskforce aims to unify the cryptographic and key management methods of different PCI specifications, and mandate best practices for strong cryptographic algorithms and protocols.
Events
In October, François Lecomte-Vagniez, SPA Advisory Facilitator, has participated in Forecourt Tech 14-15 October 2019, held in Alicante in Spain. Focused on the evolving retail forecourt, this technology-driven convention is focused on the evolution of the smart forecourt and the digital technologies that will optimize forecourt operations and enhance the customer experience in the next 3-5 years.
In November, Lorenzo Gaston, SPA Technical Director, has participated in Trustech 26-28 November 2019, held in Cannes in France. Focused on Payments, Identification and Security, the roundtable focused on major innovations which will have an immediate impact in 2020.
Watch the space!
SPA will soon announce events participation for 2020.
Meanwhile, we wish you all the best for the end of the year.
Yours sincerely
Andreas Strobel
SPA President