
Page 1: S03_Czak_ECB [Compatibility Mode]

SecuRe Pay recommendations for the security of mobile payments

ECB-PUBLIC FINAL

Stephanie Czák

Senior Market Infrastructure Expert
European Central Bank

ETSI/EC – Collaborative Ecosystem for M-Payments Workshop

Nice, 02 July 2014

Page 2: S03_Czak_ECB [Compatibility Mode]

ECB objectives for payment instruments oversight

Payment instruments oversight

• Ensuring efficiency

• Maintaining public confidence

www.ecb.europa.eu

European Central Bank 2

Page 3: S03_Czak_ECB [Compatibility Mode]

SecuRe Pay

European Forum on the Security of Retail Payments

The Forum

• a voluntary platform for cooperation between central bank overseers and supervisors

• Observers: European Commission, Europol

Scope

• electronic retail payment services, payment instruments and payment service providers

Mandate

• Facilitate common understanding among authorities

• Make recommendations

Page 4: S03_Czak_ECB [Compatibility Mode]

Recommendations for the security of mobile payments

Scope

• contactless payments (e.g. using NFC technology),

• payments using a mobile payment application (“app”) previously downloaded onto the customer’s mobile device, and

• payments using the MNO’s channels (e.g. SMS, USSD, voice telephony) without a specific “app” previously downloaded onto the customer’s mobile device.

Page 5: S03_Czak_ECB [Compatibility Mode]

Recommendations for the security of mobile payments

Addressees

• Payment service providers

• Governance authorities of payment instrument schemes developing and offering mobile payment services

→ Both are referred to as mobile payment solution providers (MPSPs)

Excluded from the scope are:

• payments where the customer only uses a web browser or an application that is strictly acting as such

• technologies transforming mobile devices into physical card payment acceptance devices (e.g. a POS terminal)

• “sticker solutions” that do not interact with the mobile device

• payment transactions outside the scope of the PSD

Page 6: S03_Czak_ECB [Compatibility Mode]

High-level principles of the SecuRe Pay report

MPSPs should (1/3)

• identify, assess and mitigate the risks of mobile payment services as well as those resulting from reliance on third parties (e.g. MNOs, TSMs, manufacturers) and underlying technology.

• consider the mobile device as inherently vulnerable to security issues.

• properly identify payers and payees and provide them with adequate information on requirements for performing/accepting secure mobile payment transactions as well as on the risks.

• protect the initiation of mobile payments, as well as access to sensitive payment data*, by strong customer authentication.

• protect sensitive payment data* wherever it is transmitted, processed or stored.

* Sensitive payment data is defined as data which could be used to carry out fraud.

Page 7: S03_Czak_ECB [Compatibility Mode]

High-level principles of the SecuRe Pay report

MPSPs should (2/3)

• ensure that enrolment for, and the initial provision of, the customer’s authentication tools and/or the delivery of software for payments and for managing sensitive payment data are carried out in a secure manner; regularly check the software against tampering.

• limit the number of log-in or authentication attempts, implement time-out controls and set time limits for the validity of authentication.

• implement secure processes for authorising transactions, as well as robust processes for monitoring transactions and systems in order to identify abnormal customer payment patterns and prevent fraud.
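The second bullet names three controls (attempt limiting, time-out, a ceiling on how long one authentication stays valid). The following Python is an added illustration of how the three fit together on the MPSP's back end; it is not ECB or MPSP code, and the policy values (5 attempts, 15 min lock-out, 5 min idle time-out, 30 min absolute validity) are assumptions chosen for the example, not figures from the recommendations.

```python
"""Attempt limiting, idle time-out and a ceiling on authentication validity.

Added illustration of the SecuRe Pay principle on this slide; not ECB or
MPSP code. The policy values below are assumptions for the example, not
figures from the recommendations.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5               # assumed: failed attempts before lock-out
LOCKOUT_SECONDS = 15 * 60      # assumed: lock-out duration
IDLE_TIMEOUT_SECONDS = 5 * 60  # assumed: time-out for an inactive session
MAX_AUTH_SECONDS = 30 * 60     # assumed: absolute validity of one authentication

_DUMMY_SALT = os.urandom(16)   # so unknown users cost the same time as real ones


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash so a stolen credential store does not yield PINs quickly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class Session:
    created_at: float
    last_seen: float


class AuthService:
    def __init__(self) -> None:
        self.accounts = {}  # user -> Account
        self.sessions = {}  # token -> Session

    def enrol(self, user: str, pin: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, hash_pin(pin, salt))

    def login(self, user: str, pin: str, now: float):
        """Return (session_token, status). `now` is injected so the policy is testable."""
        acct = self.accounts.get(user)
        if acct is None:
            hash_pin(pin, _DUMMY_SALT)          # same cost as a real check
            return None, "invalid credentials"  # same answer: no user enumeration
        if now < acct.locked_until:
            return None, "locked"
        if not hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_ATTEMPTS:
                acct.failed_attempts = 0
                acct.locked_until = now + LOCKOUT_SECONDS
                return None, "locked"
            return None, "invalid credentials"
        acct.failed_attempts = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(created_at=now, last_seen=now)
        return token, "ok"

    def check_session(self, token: str, now: float):
        """Return (valid, reason); an expired session is removed, never refreshed."""
        sess = self.sessions.get(token)
        if sess is None:
            return False, "no session"
        if now - sess.created_at > MAX_AUTH_SECONDS:
            del self.sessions[token]
            return False, "authentication validity exceeded"
        if now - sess.last_seen > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return False, "idle time-out"
        sess.last_seen = now
        return True, "ok"
```

Two points a practitioner checks: the lock-out is enforced even when the correct PIN arrives during the lock-out window (otherwise an attacker can keep guessing and the real customer unlocks it for them), and the absolute ceiling is checked before the idle one, so a session kept alive by periodic activity still ends.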

Page 8: S03_Czak_ECB [Compatibility Mode]

High-level principles of the SecuRe Pay report

MPSPs should (3/3)

• be able to deactivate the payment functionality remotely; allow customers to deactivate the functionality on their device.

• engage in enhancing customer understanding and provide information on security issues related to the use of mobile payment services.

• set limits for mobile payment services and could provide their customers with options for further risk mitigation within these limits. They may also provide alert and customer profile management services.

• notify customers of the payment initiation and provide customers with timely information necessary to check that a payment transaction has been correctly initiated and/or executed.
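The monitoring bullet on the previous slide (identify abnormal customer payment patterns) and the limits and alert bullets on this one describe one back-end control. The Python below is an added illustration of both, not ECB or MPSP code: hard limits decline a payment, deviations from the payer's own profile let it through but raise a customer alert. The limit values, the two profile heuristics and the transactions are assumptions constructed for the example.

```python
"""Payment limits and transaction monitoring over a constructed sample.

Added illustration of the monitoring principle (previous slide) and the
limits / alert principle (this slide); not ECB or MPSP code. Limit values,
the profile heuristics and the transactions are assumptions made up for the
example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    ts: float       # seconds since epoch
    payer: str
    payee: str
    amount: float   # EUR
    country: str    # where the payment was initiated


@dataclass
class Limits:
    per_txn: float = 250.0  # assumed ceiling for a single mobile payment
    daily: float = 1000.0   # assumed ceiling over a rolling 24 h
    per_hour: int = 5       # assumed max number of payments in a rolling hour


class PaymentMonitor:
    """Hard limits decline the payment; profile deviations let it through but
    raise a customer alert (the option the slide leaves to the MPSP)."""

    def __init__(self, limits: Limits) -> None:
        self.limits = limits
        self.history = defaultdict(list)  # payer -> executed transactions

    def evaluate(self, t: Txn):
        """Return ("decline" | "alert" | "accept", [reasons])."""
        hist = self.history[t.payer]
        hard, soft = [], []

        if t.amount > self.limits.per_txn:
            hard.append("over per-transaction limit")
        last_day = sum(h.amount for h in hist if t.ts - h.ts < 86400)
        if last_day + t.amount > self.limits.daily:
            hard.append("over daily limit")
        last_hour = sum(1 for h in hist if t.ts - h.ts < 3600)
        if last_hour + 1 > self.limits.per_hour:
            hard.append("over hourly transaction count")

        if hist:  # abnormal-pattern checks need a baseline
            usual = sum(h.amount for h in hist) / len(hist)
            if t.amount > 50 and t.amount > 5 * usual:
                soft.append("amount far above payer's usual")
            if t.country not in {h.country for h in hist}:
                soft.append("initiated from a new country")

        if hard:
            return "decline", hard        # not recorded: it did not execute
        hist.append(t)
        return ("alert", soft) if soft else ("accept", [])
```

Declined payments are deliberately kept out of the history: a burst of declined attempts must not become the baseline that later makes a fraudulent amount look "usual". In a real deployment the alert branch is where the customer notification from the last bullet is sent.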

Page 9: S03_Czak_ECB [Compatibility Mode]

Outlook

• Review based on the public consultation

• Clarifications on the scope

• Refinement per payment instrument and initiation method

• Clarifications on wallets

• Etc.

• SecuRe Pay support of the EBA in the implementation of the mandates coming from the Payment Services Directive 2

Page 10: S03_Czak_ECB [Compatibility Mode]

Questions?

Page 11: S03_Czak_ECB [Compatibility Mode]

European Forum on the Security of Retail Payments

Overview: relevant publications

Security of internet payments
• Final Recommendations (01/2013)
• Assessment Guide (01/2014)

Payment account access services
• Final Recommendations as input for upcoming EBA Guideline (03/2014)
• ECB legal opinion on the review of the payment services directive (01/2014)

Security of mobile payments
• Public consultation on draft Recommendations (11/2013)

See: http://www.ecb.europa.eu/pub/pub/paym/html/index.en.html

Page 12: S03_Czak_ECB [Compatibility Mode]

How to verify the identity of a customer in a remote situation?

Strong customer authentication

A procedure based on the use of two or more of the following elements – categorised as knowledge, ownership and inherence:

I. something only the user knows, e.g. static password, code, PIN;

II. something only the user possesses, e.g. token, smart card, mobile phone;

III. something the user is, e.g. biometric characteristic, such as a fingerprint.

• In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s).

• At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet.

• The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.
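The slide lists properties, not a protocol. The Python below is an added example of one procedure that meets them, not ECB or MPSP code: a knowledge element (PIN) checked against a salted hash, and a possession element (a key held by the customer's device, e.g. in the UICC or secure element) proved by an HMAC over a fresh server challenge. The challenge is consumed on first use, so the possession proof is non-reusable and a copy intercepted in transit is worthless afterwards. The message layout, the challenge lifecycle and the binding of the proof to a payment summary are assumptions of the example; the binding goes one step beyond the slide's list.

```python
"""Strong customer authentication: knowledge (PIN) + possession (device key),
with the possession proof made non-reusable by a one-time server challenge
and bound to the payment it authorises.

Added illustration; not ECB or MPSP code. Message layout, challenge
lifecycle and payment binding are assumptions of the example.
"""
import hashlib
import hmac
import os
import secrets


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow salted hash for the knowledge element."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def device_response(device_key: bytes, challenge: str, payment: str) -> str:
    """What the possession element computes. The PIN never enters this
    calculation, so the two elements stay independent of each other."""
    msg = challenge.encode() + b"|" + payment.encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class ScaServer:
    def __init__(self) -> None:
        self.users = {}       # user -> (salt, pin_hash, device_key)
        self.challenges = {}  # outstanding challenge -> (user, payment summary)

    def enrol(self, user: str, pin: str, device_key: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = (salt, hash_pin(pin, salt), device_key)

    def issue_challenge(self, user: str, payment: str) -> str:
        """Fresh random challenge per payment: the response cannot be replayed
        or precomputed, and a copy captured in transit is useless later."""
        challenge = secrets.token_hex(16)
        self.challenges[challenge] = (user, payment)
        return challenge

    def verify(self, user: str, pin: str, challenge: str, response: str) -> bool:
        entry = self.challenges.pop(challenge, None)  # consumed on first use
        if entry is None or entry[0] != user or user not in self.users:
            return False
        salt, pin_hash, device_key = self.users[user]
        pin_ok = hmac.compare_digest(hash_pin(pin, salt), pin_hash)
        expected = device_response(device_key, challenge, entry[1])
        device_ok = hmac.compare_digest(expected, response)
        return pin_ok and device_ok  # both evaluated: do not reveal which failed
```

The caveat the earlier slide already states (the mobile device is inherently vulnerable) applies here: if the PIN is typed into the same compromised app that holds the device key, the "mutually independent" property is only as strong as the key's isolation, which is why the key belongs in the UICC or secure element rather than in app storage. Binding the response to the payment summary additionally means a proof obtained for one amount cannot authorise another.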

Page 13: S03_Czak_ECB [Compatibility Mode]

Glossary

• EBA European Banking Authority

• MNO mobile network operator

• MPSP mobile payment solution provider

• POS point of sale

• PSD2 proposed EU Payment Services Directive 2

• SecuRe Pay European Forum on the Security of Retail Payments

• TSM trusted service manager

• UICC Universal Integrated Circuit Card