Wednesday, 7 January 2015

Do The EBA Security Guidelines Ensure Card Scheme Control Over Retail Transactions?

The European Banking Authority recently issued guidelines on the security of internet payments, as part of its security remit. The guidelines take effect in August 2015 and will require substantial work on the part of payment service providers (PSPs) and merchants. They will be followed by 'stronger' guidelines under PSD2 that will take effect in 2017/18. As anticipated, the guidelines could well present a significant obstacle to the evolution of payment services and to competition from new entrants. At the same time, even if they reflect best practice today, the guidelines do not really overcome the inherently insecure features of legacy payment methods such as cards, whose static account numbers must be disclosed to every merchant a customer pays.

To be fair, the authorities have a difficult balancing act here. They have a responsibility for ensuring that PSPs implement appropriate security measures, and should at least point to best practice in the area, yet they cannot afford to be so prescriptive as to delay implementation of those measures or prevent PSPs from keeping pace with wider technological developments, the development of new payment services and the efforts of attackers. Unfortunately, the EBA appears to have struck a balance in favour of banks and card schemes, rather than consumers, merchants and alternative payment service providers, as discussed below.

The guidelines cite card fraud as the main driver of this initiative, rather than fraud in relation to other types of payment service that do not involve card payments. Yet payment cards and the related IT systems have not evolved fundamentally since they were introduced in the 1960s, which means that 'legacy' systems are effectively dictating the approach to payment security. True, many payment methods are exempt from the guidelines. But the prevalence of card payments means that PSPs and merchants are being forced to divert resources to shoring up security on that front, rather than investing in more advanced payment methods.

At the heart of the guidelines is the concept of 'strong customer authentication', which is quite prescriptively defined: a procedure based on two or more mutually independent elements drawn from knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is), with at least one element being non-reusable and non-replicable. Yet this form of authentication seems likely to evolve, and it is conceivable that authenticating the customer at the payment step of a transaction might not remain relevant over time, particularly where the payment is being made in the course of a wider customer activity within an environment that has already authenticated the customer.

Many of the guidelines also go beyond the realm of payment security. While these may reflect obligations under other regulations, such as the Money Laundering Regulations, the Payment Services Regulations and the Data Protection Act, they are quite prescriptive and will therefore require additional legal and compliance time to review, implement and monitor changes to those other compliance procedures, as well as extra IT and operational resources.

The need for "customer education and awareness programmes" is also likely to require the involvement of marketing teams and their support staff. The concern here must be that customers who deal with multiple PSPs (as competition authorities should hope!) will begin to ignore the educational materials as just so much clutter or junk mail. The adverse customer experience may also drive consumers to prefer less secure payment options (e.g. cash).

Requirements for merchant co-operation, enforced through merchants' contracts with PSPs, are also very concerning. For example, PSPs are asked to require merchants to "clearly separate payment-related processes from the online shop" and to enable customers to sign a dedicated payment contract with the PSP rather than having those terms included in a wider service contract. Yet merchants are not directly bound by the Payment Services Regulations (except in very limited respects), so the EBA is arguably exceeding its authority in requiring merchant compliance with broader security requirements. In addition, we have already seen significant data security costs imposed by the card schemes on merchants, who must comply with the PCI DSS requirements. Those costs resulted in most merchants choosing not to hold card data at all; indeed, many chose to deal through payment aggregators who accept and process payments on their behalf. However, PSD2 will require technology service providers to contract directly with PSPs, rather than with merchants, if they wish to remain exempt from regulation, which is likely to reduce the number of independent service providers. Such requirements seem to be aimed at large retailers and e-commerce marketplace operators who may otherwise legitimately offer a seamless consumer experience under current regulations. So it may be that the EBA guidelines will help drive control of e-commerce transactions to financial institutions, particularly banks and card schemes, rather than opening up competition for transaction processing from large merchants and others who have developed competing payment functionality.

As a result, the EBA's security guidelines deserve careful consideration by the competition authorities.
