The Portuguese Banking community welcomes the EBA initiative. Our choice is for option a) based on an understanding that option b) is not feasible, since it:
· does not guarantee a one-step approach, because the stronger PSD 2 requirements are at this time still under discussion and may still change before the publication date. We therefore believe that there is no stable basis for setting now the stronger security requirements that will ultimately apply under PSD 2.
· would set stronger security requirements without an adequate timeframe for the stakeholders to implement the necessary changes. A lead time well beyond 1st August 2015 would be required to implement “strong transaction authentication” solutions or, more generally, any solution other than those already set out in the SecuRe Pay Recommendations.
However, both options a) and b) have several shortcomings, namely:
· legal enforceability is uncertain. According to Article 16 of Regulation 1093/2010, EBA shall issue Guidelines and recommendations in order to ensure common, uniform and consistent application of Union law. Article 1.2 of the same Regulation lists the EU legal texts (e.g. PSD) forming the scope within which EBA shall exercise its powers. EBA in its consultation paper refers to the current PSD as a legal basis while seeking to ‘ensure common, uniform and consistent application of Union law’. However, the consultation paper concerns the implementation of draft Guidelines on the security of internet payments prior to the transposition of the revised Payment Services Directive (PSD2). An essential element of the draft EBA Guidelines is their reliance on the concept of strong customer authentication. It is important to note that this concept does not yet exist under the current PSD and will only be incorporated in ‘Union law’ once PSD2 (new Article 87 PSD2) enters into force. Under current Union law, PSPs are not yet (legally) required to apply ‘strong customer authentication’. As a result, the EBA Guidelines, as currently drafted, would appear unenforceable until PSD2 enters into force.
· The security guidelines should apply to all payment service providers, including payment initiation service providers (which will only be regulated under PSD 2).
· The two-step approach of option a) creates a risk that implementations made in the first step will not comply with the future guidelines of the second step, imposing unnecessary rework costs on payment service providers and confusion/inconvenience on the consumer.
In conclusion, we suggest that the correct approach to this matter is for EBA to publish the complete set of security guidelines that apply to all stakeholders only after entry into force of PSD 2, following a consultation of the market and safeguarding an adequate timeframe for implementation (“option c)”).
In the last two decades many security solutions were implemented, only to be rendered obsolete as technology evolved and replaced by safer solutions. Stakeholders are permanently in search of solutions that strike the subtle balance between security and user convenience. In the last five years, new threats have appeared, authentication solutions have evolved, and the preferred platform for internet payments has shifted from PCs to mobile devices.
Since the first consultation on the internet payments security requirements we have been able to form a more mature opinion on this initiative, which confirms our initial concerns. This field of expertise is highly dynamic. As an example, since the issuance of the recommendations, tokenization has emerged as one of the prevalent security solutions for any future e-payments system (understandably, at the time of publication, the recommendations did not take tokenization into much consideration). The Portuguese bank community can vouch for the success of tokenized cards, with a track record of fraud-free payments over 10 years. Another very promising area of evolution in digital security is risk-based authentication, and innovation in this area could be seriously hindered by the current requirements.
Finally, requirements on card payments that are restricted to the European markets will not be effective in reducing fraud rates: they will only push fraud to regions that do not enforce the same security standards. Regardless of the level of authentication used by the cardholder when paying, attackers will use the card numbers of European citizens at e-merchants that do not require strong authentication. This effect was clearly demonstrated by EMV adoption in Europe, where fraud with European cards simply migrated to non-EMV markets. We therefore suggest a global effort through coordination with non-European authorities and central banks.