
Security of online payments Essential to eCommerce growth

Security of online payments Essential to eCommerce growth. Gijs Boudewijn. Deputy Director. 2014 European Consumer Summit, Brussels. April 1st, 2014. ePayments are important for eCommerce.


Presentation Transcript


  1. Security of online payments: Essential to eCommerce growth. Gijs Boudewijn, Deputy Director. 2014 European Consumer Summit, Brussels, April 1st, 2014

  2. 2014 European Consumer Summit, Brussels. April 1st, 2014

  3. ePayments are important for eCommerce ...
     • “This position paper states 10 recommendations for a stronger payment landscape in Europe:*)
     • Recommendation 1: Move forward with ‘access to the account’ for third party payment providers duly licensed within the scope of a revised PSD
     • Recommendation 2: Communicate adequately to educate both consumers and merchants about the possibilities and conditions for this new class of payment initiation instrument
     • Recommendation 3: We ask European authorities to provide a structure for contractual and technical arrangements to assure legal clarity and technical scalability of third party services
     • Recommendation 4: Merchants welcome solutions that re-use existing authentication methods to improve security, protect users’ privacy and streamline user experience
     • (…)”
     • *) From: ‘10 Recommendations for a Stronger e-Payments Landscape in Europe’, http://www.ecommerce-europe.eu

  4. ePayments are also about trust ...
     • 100% security does not exist
     • Dutch example: five simple and standardized safety rules, drawn up jointly by the payment service providers and the consumer’s representatives:
     • What do you need to do?
       ❶ Keep your security codes secret.
       ❷ Make sure your bank card is never used by anyone else.
       ❸ Make sure that the devices you use for electronic banking are properly secured.
       ❹ Monitor your bank account activity.
       ❺ Report any incidents to the bank immediately and follow any instructions given to you by the bank.
     • When observed to a reasonable extent, consumers can be assured they will be reimbursed in case of fraud

  5. PSD2 – balancing competition, innovation, security and consumer protection?
     • Extends the scope to include Payment Initiation Services and Account Information Services
     • Provides for licensing Third Party Payment service providers (TPP) providing these services, for which they need access to consumers’ payment accounts
     • Harmonises and improves operational and security requirements – SecuRe Pay recommendations
     • Explicitly allows re-use of the consumer's personal security credentials by the TPP ('impersonation')
     • Concerns on security, data protection and liabilities between TPPs, Account Servicing (AS) PSPs and account holders (consumers)

  6. TPP access to the account – basic model
     • Like a ‘man in the middle’: it seems as if the consumer is accessing the account, but it is in fact the TPP, unknown to the Account Servicing PSP ('impersonation')
     • Current technical methods:
       • Via a website
       • Via a browser plug-in
       • Via an app
     [Diagram showing the TPP; KPMG Advisory N.V., 2012]

  7. Re-using personal credentials by third parties creates risks
     • A third party with criminal intent could:
       • Modify the amount and the recipient of the payment (which is the typical fraud case today)
       • Gain access to other financial products of the consumer which can be accessed via internet banking (such as savings accounts, bank statements, loans, securities portfolios, mortgages and insurances)
       • Take over the consumer’s account (e.g. changing the consumer’s contact details and thus the recipient of new credentials, cards, statements …)
     • But how can the average consumer know if a TPP is duly licensed or a party with criminal intent??

  8. A feasible secure solution according to the European Central Bank
     • In its recent “Public note on security of payment account access services” the ECB recommends to:
       • Set up European open standards for secure interfacing of TPPs with AS PSPs for authenticating the TPP by the AS PSP
       • Set up standards and communication protocols for secure information exchanges with the AS PSP
       • Require strong customer authentication to identify the consumer. This is based on two or more of the following elements: knowledge (e.g. a code), possession (e.g. a token) and being (e.g. fingerprint).

  9. A feasible secure solution according to the European Central Bank
     • Strong customer authentication can be realised either by:
       • TPP redirects the payer in a secure manner to its AS PSP (such as iDEAL), or
       • TPP issues own personalised security features
     • TPPs should also:
       • Protect the personalised credentials they issue themselves
       • Authenticate themselves in an unequivocal manner to the AS PSP
       • Refrain from storing data obtained apart from information necessary to identify the payment, and
       • Refrain from using data for any purposes other than explicitly permitted

  10. So, where are we now?
     • The Commission’s PSD2 proposal of July 2013 does not sufficiently accommodate the security concerns …
     • The ECB public note came very late in the legislative process …
     • The European Parliament made the issue perhaps worse through a multitude of amendments (Plenary vote on ECON report in two weeks ...)
     • However: the Council work may still rectify some of the issues, and there's always the trilogue …
     The question is not if third party access will be possible, but how we can make it work in a secure way to the benefit of EU businesses and consumers; it’s all about striking the right balance between security, innovation, competition and consumer protection …

  11. Questions?
     g.boudewijn@betaalvereniging.nl
     T. +31 20 305 19 21
     M. +31 6 5144 0529
     Gustav Mahlerplein 33-35, 1082 MS Amsterdam, The Netherlands
     www.betaalvereniging.nl
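
The redirect model from slides 8 and 9, as an added Python example that is not part of the original presentation: the AS PSP authenticates the TPP, checks for two or more authentication elements itself, and returns a confirmation the TPP cannot alter. The HMAC keys, the TPP id, the factor names and the choice to bind the confirmation to amount and recipient are assumptions made for illustration; the page does not specify an interface.

```python
import hashlib
import hmac

# Constructed sample data: factor names, TPP id and keys are illustrative only.
CATEGORY = {"pin": "knowledge", "password": "knowledge",
            "token_otp": "possession", "fingerprint": "being"}

def mac(key: bytes, message: str) -> str:
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()

def is_strong(verified_factors) -> bool:
    """Two or more elements out of knowledge, possession and being."""
    return len({CATEGORY[f] for f in verified_factors if f in CATEGORY}) >= 2

class AccountServicingPSP:
    def __init__(self, licensed_tpps: dict, bank_key: bytes):
        self.licensed_tpps = licensed_tpps  # TPP id -> key agreed at registration
        self.bank_key = bank_key            # never leaves the AS PSP

    def authorise(self, tpp_id, payment, tpp_tag, verified_factors):
        """Runs on the AS PSP's own page after the TPP redirected the payer there.
        verified_factors are the credentials the AS PSP itself just checked."""
        key = self.licensed_tpps.get(tpp_id)
        if key is None or not hmac.compare_digest(mac(key, payment), tpp_tag):
            return None                     # TPP not authenticated
        if not is_strong(verified_factors):
            return None                     # PIN + password is a single element
        # Assumption: the confirmation covers amount and recipient, so the
        # TPP cannot change either after the payer has approved them.
        return mac(self.bank_key, payment)

    def execute(self, payment, confirmation) -> bool:
        return hmac.compare_digest(mac(self.bank_key, payment), confirmation)

def demo():
    tpp_key = b"constructed-tpp-key"
    bank = AccountServicingPSP({"tpp-001": tpp_key}, b"constructed-bank-key")
    payment = "amount=25.00;recipient=ACCOUNT-PLACEHOLDER-1"
    tag = mac(tpp_key, payment)
    ok = bank.authorise("tpp-001", payment, tag, ["pin", "token_otp"])
    return {
        "authorised": ok is not None,
        "unknown_tpp": bank.authorise("tpp-999", payment, tag, ["pin", "token_otp"]),
        "weak_auth": bank.authorise("tpp-001", payment, tag, ["pin", "password"]),
        "executes": bank.execute(payment, ok),
        "tampered": bank.execute("amount=2500.00;recipient=ACCOUNT-PLACEHOLDER-2", ok),
    }

if __name__ == "__main__":
    print(demo())
```

The payer's credentials appear only as `verified_factors` inside the AS PSP, which is the difference from the impersonation model on slide 6, where the TPP handles them.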
