SecuRe Pay recommendations for the security of mobile payments
ECB-PUBLIC FINAL
Stephanie Czák
Senior Market Infrastructure Expert, European Central Bank
ETSI/EC – Collaborative Ecosystem for M-Payments Workshop
Nice, 02 July 2014
Payment instruments oversight
ECB objectives for payment instruments oversight
• Ensuring efficiency
• Maintaining public confidence
www.ecb.europa.eu
European Central Bank
European Forum on the Security of Retail Payments (SecuRe Pay)
The Forum
• a voluntary platform for cooperation between central bank overseers and supervisors
• Observers: European Commission, Europol
Scope
• electronic retail payment services, payment instruments and payment service providers
Mandate
• Facilitate common understanding among authorities
• Make recommendations
Recommendations for the security of mobile payments
Scope
• contactless payments (e.g. using NFC technology),
• payments using a mobile payment application (“app”) previously downloaded onto the customer’s mobile device, and
• payments using the MNO’s channels (e.g. SMS, USSD, voice telephony) without a specific “app” previously downloaded onto the customer’s mobile device.
Recommendations for the security of mobile payments
Addressees
• Payment Services Providers
• Governance authorities of payment instrument schemes developing and offering mobile payment services
Both are referred to as mobile payment solution providers (MPSPs).
Excluded from the scope are:
• payments where the customer only uses a web browser or an application that is strictly acting as such
• technologies transforming mobile devices into physical card payment acceptance devices (e.g. a POS terminal)
• “sticker solutions” that do not interact with the mobile device
• payment transactions outside the scope of the PSD
High-level principles of the SecuRe Pay report
MPSPs should (1/3)
• identify, assess and mitigate the risks of mobile payment services as well as those resulting from reliance on third parties (e.g. MNOs, TSMs, manufacturers) and underlying technology.
• consider the mobile device as inherently vulnerable to security issues.
• properly identify payers and payees and provide them with adequate information on requirements for performing/accepting secure mobile payment transactions as well as on the risks.
• protect the initiation of mobile payments, as well as access to sensitive payment data*, by strong customer authentication.
• protect sensitive payment data* wherever it is transmitted, processed or stored.
* sensitive payment data is defined as data which could be used to carry out fraud.
High-level principles of the SecuRe Pay report
MPSPs should (2/3)
• ensure that enrolment for, and the initial provision of, the customer’s authentication tools and/or the delivery of software for payments and for managing sensitive payment data take place in a secure manner; regularly check the software against tampering.
• limit the number of log-in or authentication attempts, implement time-out controls and set time limits for the validity of authentication.
• implement secure processes for authorising transactions, as well as robust processes for monitoring transactions and systems in order to identify abnormal customer payment patterns and prevent fraud.
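The second principle above (attempt limits, time-outs, a bounded validity for an authentication) is concrete enough to show in code. The following is an added example written for this page; it is not code from the SecuRe Pay report, the ECB, or any MPSP. The thresholds (5 attempts, 15-minute lockout, 5-minute inactivity time-out, 60-minute absolute validity) and the `Authenticator`, `login` and `check_session` names are assumptions chosen for illustration; the recommendations set no such numbers. The clock is passed in as a parameter so the behaviour can be exercised deterministically.

```python
"""Attempt limiting, lockout and authentication validity for an MPSP login.

Added example for this page, not code from the SecuRe Pay report or the ECB.
All thresholds below are illustrative assumptions, not values from the
recommendations.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_ATTEMPTS = 5               # failed attempts before the account locks
LOCKOUT_SECONDS = 15 * 60      # how long the lock holds
INACTIVITY_TIMEOUT = 5 * 60    # time-out control: idle sessions expire
ABSOLUTE_VALIDITY = 60 * 60    # an authentication is never valid longer than this


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen credential store does not yield PINs."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    created_at: float
    last_seen: float


class Authenticator:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def enrol(self, user: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_pin(pin, salt))

    def login(self, user: str, pin: str, now: float) -> Tuple[str, Optional[str]]:
        """Return (status, session_token); status is 'ok', 'bad_credentials' or 'locked'."""
        acct = self.accounts.get(user)
        if acct is None:
            # Spend the same work as a real check so timing does not reveal which users exist
            hash_pin(pin, b"\x00" * 16)
            return "bad_credentials", None
        if now < acct.locked_until:
            # Even a correct PIN is refused while the lock holds
            return "locked", None
        if not hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
                return "locked", None
            return "bad_credentials", None
        acct.failed_attempts = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(created_at=now, last_seen=now)
        return "ok", token

    def check_session(self, token: str, now: float) -> bool:
        """Valid only while both the inactivity and the absolute limit are unexpired."""
        s = self.sessions.get(token)
        if s is None:
            return False
        if now - s.last_seen > INACTIVITY_TIMEOUT or now - s.created_at > ABSOLUTE_VALIDITY:
            del self.sessions[token]
            return False
        s.last_seen = now
        return True
```

Two design points worth noting: the lock is enforced before the PIN is checked, so guessing cannot continue during the lockout even with the right PIN, and the absolute validity is checked independently of the sliding inactivity window, so a session that is kept alive by periodic requests still expires.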
High-level principles of the SecuRe Pay report
MPSPs should (3/3)
• be able to deactivate the payment functionality remotely; allow customers to deactivate the functionality on their device.
• engage in enhancing customer understanding and provide information on security issues related to the use of mobile payment services.
• set limits for mobile payment services and could provide their customers with options for further risk mitigation within these limits. They may also provide alert and customer profile management services.
• notify customers of the payment initiation and provide customers with timely information necessary to check that a payment transaction has been correctly initiated and/or executed.
Outlook
• Review based on the public consultation
• Clarifications on the scope
• Refinement per payment instrument and initiation method
• Clarifications on wallets
• Etc.
• SecuRe Pay support of the EBA in the implementation of the mandates coming from the Payment Services Directive 2
Questions?
European Forum on the Security of Retail Payments
Overview: relevant publications
Security of internet payments
• Final Recommendations (01/2013)
• Assessment Guide (01/2014)
Payment account access services
• Final Recommendations as input for upcoming EBA Guideline (03/2014)
• ECB legal opinion on the review of the payment services directive (01/2014)
Security of mobile payments
• Public consultation on draft Recommendations (11/2013)
See: http://www.ecb.europa.eu/pub/pub/paym/html/index.en.html
How to verify the identity of a customer in a remote situation?
Strong customer authentication
A procedure based on the use of two or more of the following elements – categorised as knowledge, ownership and inherence:
I. something only the user knows, e.g. static password, code, PIN;
II. something only the user possesses, e.g. token, smart card, mobile phone;
III. something the user is, e.g. biometric characteristic, such as a fingerprint.
• In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s).
• At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet.
• The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.
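The definition above can be made concrete with a knowledge element (a PIN) combined with a possession element (a one-time code derived from a key held only on the customer's enrolled device), where the code is non-reusable and the PIN is stored only as a salted hash. This is an added example written for this page, not code from the SecuRe Pay report or the ECB. The one-time code follows the TOTP construction of RFC 6238 (HMAC-SHA1, 30-second step, 6 digits); the one-step clock tolerance, the `ScaVerifier`, `enrol` and `verify` names, and the split between a device-side `device_code` function and the server-side verifier are assumptions made for illustration, and all secrets in the test are constructed values.

```python
"""Two-element strong customer authentication: PIN (knowledge) plus a
one-time code from a device-held key (possession), with non-reusable codes.

Added example for this page, not code from the SecuRe Pay report or the ECB.
The TOTP construction follows RFC 6238; tolerance, names and the
device/server split are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Set

STEP_SECONDS = 30
DIGITS = 6
CLOCK_TOLERANCE = 1   # accept the code for one time step either side of 'now'


def totp(secret: bytes, step: int) -> str:
    """HMAC-SHA1 one-time code for a time step, with RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def device_code(secret: bytes, now: float) -> str:
    """What the customer's enrolled device computes and submits (possession element)."""
    return totp(secret, int(now // STEP_SECONDS))


def _pin_hash(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class ScaVerifier:
    def __init__(self) -> None:
        self.pin_salt: Dict[str, bytes] = {}
        self.pin_hash: Dict[str, bytes] = {}
        self.device_secret: Dict[str, bytes] = {}
        self.used_steps: Dict[str, Set[int]] = {}

    def enrol(self, user: str, pin: str) -> bytes:
        """Keep only a salted hash of the PIN (confidentiality); return the
        device secret, which would be provisioned to the app out of band."""
        salt = secrets.token_bytes(16)
        self.pin_salt[user] = salt
        self.pin_hash[user] = _pin_hash(pin, salt)
        secret = secrets.token_bytes(20)
        self.device_secret[user] = secret
        self.used_steps[user] = set()
        return secret

    def verify(self, user: str, pin: str, code: str, now: float) -> bool:
        if user not in self.pin_hash:
            return False
        # Knowledge element: compare hashes in constant time
        pin_ok = hmac.compare_digest(_pin_hash(pin, self.pin_salt[user]), self.pin_hash[user])
        # Possession element: code must match the device key for a current step...
        current = int(now // STEP_SECONDS)
        matched_step: Optional[int] = None
        for step in range(current - CLOCK_TOLERANCE, current + CLOCK_TOLERANCE + 1):
            if hmac.compare_digest(totp(self.device_secret[user], step), code):
                matched_step = step
                break
        # ...and a code already accepted once is rejected (non-reusable)
        code_ok = matched_step is not None and matched_step not in self.used_steps[user]
        # Both elements are evaluated before the decision so an early return
        # does not reveal which of them failed
        if pin_ok and code_ok:
            self.used_steps[user].add(matched_step)
            return True
        return False
```

The two elements are independent in the sense the definition asks for: the PIN hash lives only on the server and the device key only on the device, so compromise of either store does not yield the other element. The `used_steps` set is what makes the possession element non-reusable; a code captured in transit and replayed, even within the clock tolerance window, is refused.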
Glossary
• EBA – European Banking Authority
• MNO – Mobile network operator
• MPSP – mobile payment solution provider
• POS – point of sale
• PSD2 – proposed EU Payment Services Directive 2
• SecuRe Pay – European Forum on the Security of Retail Payments
• TSM – trusted service manager
• UICC – Universal Integrated Circuit Card