
Securing Payments - Cyber & Operational Resilience - CRA - DORA - Elliptic Curves - Sustainable Payment Cards - Financial Inclusion - Smart Payment Association Newsletter - June 2023


Dear Colleagues,


As I take up my position as President of SPA, I am delighted to share our ongoing activities in the payment sector and highlight some of our most recent collaborations with industry groups and associations.


Securing payment

We’re writing at a time when the financial industry is taking steps to better protect ICT systems against cyberattack threats. While this is nothing new, the growing sophistication of criminal groups, as well as the growing reliance on ICT systems, is naturally increasing regulatory scrutiny of the preparedness of organizations and their wider operational continuity strategies.


Two such regulations are:


- CRA (Cyber Resilience Act):


As the discussions between the Parliament and the Commission are under way, the SPA is calling for a common position of the payments industry with regard to the recognition of the existing practices for the development, manufacturing, and certification of card payment system devices.


SPA is fully supportive of all measures to boost cyber resiliency. That is why SPA considers that the EU should seize the opportunity represented by the existing global security frameworks developed with success by the payments industry. These common security and certification practices are largely aligned with the list of requirements set out in the CRA. SPA strongly supports their recognition by the EU authorities so that conforming payment products are authorized to use the CE marking/labelling according to the CRA provisions.


This recognition would be highly beneficial for EU vendors. In particular, it would avoid costly redundant certifications that bring no benefit in terms of cyber-protection. Such recognition would also contribute to a reduced time to market for new payment products and solutions produced by the EU IT security industry in a highly competitive environment.


- DORA (Digital Operational Resilience Act):


This recent EU regulation is intended to ensure the continuity of digital financial services in a context where payment service providers increasingly outsource the processing of financial data to third-party providers. The DORA provisions assume that an insufficient level of operational resilience in outsourced IT systems constitutes a threat to the availability of essential financial services.


Payment systems are, of course, a critical element of the financial system and there’s a business trend to outsource to Cloud Service Providers the storage and processing of payment data and applications. SPA has taken the lead to start the discussion in the European Payments Stakeholders Group (EPSG) on the potential impact of the DORA provisions in the future release of the EPSG Volume Book of Requirements.


Building a sustainable future


Alongside security, sustainability is also high on the agenda of organizations across the payment ecosystem. In our previous newsletter we highlighted the publication of our paper on the development of eco-friendly cards.


This time, I would like to signpost readers to a new article exploring the issues of mag-stripe removal from payment cards. While the planned removal of the mag-stripe may not be solely driven by environmental concerns, it does present new opportunities for carbon savings.


These include eliminating the use of ferro-magnetic materials and the associated application processes, minimizing production wastage and offering a wider choice of eco-friendly materials for card bodies that will simplify end-of-life recycling.


Of course, there are other key considerations for mag-stripe removal – from retaining legacy functionality and ensuring a smooth transition for merchants through to making sure Schemes and Issuers communicate effectively to consumer and business audiences.


Supporting financial inclusion

In April, at the GSMA’s Mobile Money Leadership Group Meeting, SPA was invited to join a session exploring how to balance regulatory compliance with financial inclusion.


Focusing on the demands for KYC procedures and lower wallet limits to prevent fraud and money laundering, the session asked whether this could have a negative impact on consumers and whether it was possible to achieve compliance and support higher wallet limits.


SPA will publish a paper on this topic after the summer.


ECSG expands its scope

March saw the European Cards Stakeholders Group (ECSG) expand its scope of activities to cover digital or non-card retail payments. The move – which also sees the group change its name – recognises the increasing relevance of these payments and the importance of having a single, multi-stakeholder organisation to harmonise acceptance of all payment instruments and ensure choice for users.
Renamed the European Payments Stakeholders Group (EPSG), the association will now welcome non-card retail payment organisations, including PSPs, payment schemes, processors and vendors, to its ranks.

As a long-time member of the group, SPA welcomes this expanded scope as both payment cards and their digital equivalents will continue to play a central role in authentication and payment security for decades to come.

Elliptic curve security update

As part of the EPSG’s forward-looking focus, SPA continues to lead efforts to integrate Elliptic Curve Cryptography (ECC) into the next Volume Book of Requirements. This migration from RSA to ECC will be critical in developing more robust card payment systems, preserving the transaction speed of existing RSA-based payment cards and terminals while safeguarding the offline use-case.

In the longer term, the development of large-scale universal quantum computers is likely to render virtually all of today's public-key cryptography insecure. However, for the next decade at least, ECC will boost protection for issuers, merchants and cardholders.

You can read more about this topic in our position paper ‘The Security of Card Payment Systems in a Post-Quantum World’ and in a European Payments Council article ‘A Pathway to Improve the Security of Card Payment Systems’ by SPA Technical Director, Lorenzo Gaston.


Looking ahead

Our next newsletter will be published in the Autumn. In the meantime, please do not hesitate to get in touch if you would like more details of our work or would like to get involved with SPA.


Yours sincerely,

Alain Martin
President SPA