PROLOGUE WALTER V. VOLKER CHIEF EXECUTIVE OFFICER

Transcription

1

2 PROLOGUE The one thing we can be certain of in the payments domain is that no sooner do we set our sights on a set of industry initiatives; there are pressures from various sources to shift attention to other priorities. Payments remain an exciting and ever-changing domain. To keep abreast of what is growing in this dynamic environment PASA utilises the National Payments Plan (NPP) to communicate the industry s areas of focus and provides snap-shots of progress at realistic intervals. It is our pleasure to release this latest update of the NPP. This version deals more specifically with the top initiatives that the industry has been giving attention to and will continue to give priority to in the next 6-18 months. There are no surprises as projects such as Authenticated Collections, Card Interchange, PCI DSS, 3D Secure and Debit Order Abuse have consumed attention and some will demand added focus as we progress into As technology enables new form factors and new means of making payments, it increases the responsibility to ensure our payment systems are secure. Many of the projects thus align with themes such as Risk & Security, Interoperability & Standards, and Management of Risk. Aside from many of the projects being important, a number of them are equally complex. They require the industry s best minds to ensure successful and responsible execution. My thanks firstly and foremostly to all our industry payment experts who make the projects happen. Without them, change is not possible. Secondly, congratulations to all who were involved in the update of this second release. Our commitment is to provide the payments community with an updated version of the NPP twice a year going forward. We trust these updates to the NPP give insight into what the interbank payments community is busy with and serves as a lead indicator in terms of what our future NPS may hold in store. WALTER V. VOLKER CHIEF EXECUTIVE OFFICER 1

3 CONTENTS PROLOGUE...1 INTRODUCTION...3 NPP THEMES...4 PROJECT-THEME MATRIX...5 SECTION 1 OVERVIEW OF HIGH PRIORITY PROJECTS...6 SECTION 2 - THE TOP SIX...7 AUTHENTICATED COLLECTIONS...7 MODERNISING ELECTRONIC PAYMENT SYSTEMS...9 CARD INTERCHANGE...10 PCI DSS FOR SYSTEM OPERATORS AND LEVEL 1 MERCHANTS D SECURE...12 DEBIT ORDER ABUSE...13 SECTION 3 OVERVIEW OF OTHER HIGH PRIORITY PROJECTS...14 ANNEXURE A FEEDBACK ON 2013 NPP

4 INTRODUCTION The payments landscape is changing rapidly. The NPP is thus a living document and is therefore updated on a continual basis. Managing interbank change through projects is a core activity for the industry. To strengthen project competence PASA has given focused attention to the establishment of a project office during 2013 and This has allowed the organisation to have an improved and more structured overview of industry initiatives and has assisted with an improved process of establishing, managing and prioritising such initiatives. This newly established project office methodology and improved reporting mechanism was used to re-evaluate the 2012 list of NPP initiatives and priorities in line with subsequent developments and mandates from the Reserve Bank and has resulted in a list of High Priority PASA Projects, as detailed in this report. The diagram included summarises the NPP process. The NPP is the umbrella revolving plan encompassing PASA s top initiatives. It provides line of sight of the priorities, related milestones and progress thereof. The NPP sets out the industry-level initiatives that aim to improve our NPS - an NPS that will be more efficient, inclusive, safe, certain and amongst the pedigree of payment systems in the world! 3

5 NPP THEMES The NPP Strategic Themes align with the Vision 2015 themes and guides the thinking in terms of what projects need to be addressed in order to promote SARB s Vision and meet PASA s broad objectives. 4

6 PROJECT-THEME MATRIX Linking the PASA projects back to the relevant NPP themes, this report is structured as follows. 5

7 SECTION 1 OVERVIEW OF HIGH PRIORITY PROJECTS The matrix below maps the comprehensive list of high priority items by NPP Theme and Project Stage. 6 Figure 1 - Project theme-stage matrix

8

9 WHAT ARE WE DOING? The industry has been engaged from August As at the end of October 2014, the project is at the end of the Design Stage from an interbank perspective. Development of the solutions would be the next important step. The industry has compiled a detailed requirements and technical specification that captures the actual interbank process flows. The industry is in the process of conducting an impact analysis which will inform development and testing cycles. Development will be required across the value chain, from users (creditors and collectors) to the paying banks. In the long run, secure debits will enhance trustworthiness and integrity of the payment system. It is anticipated that authentication options available to users and customers will include electronic (non-card) and card based options. Whereas in first world countries the trend is towards electronic authentication of debits through presentment on the internet (e.g. SEPA Mybank emandate Scheme), the South African National Payment System has to cater for a variety of options, especially for markets that do not have the privilege of internet access. As many of the solutions would have to leverage bank channels (potentially mobile, ATM, internet etc.), much work has still to be completed. Within the next 6 to 12 months, the variety of authentication solutions will become clearer as stakeholders put their minds together to shifting early debits into the secure debit realm. South Africa will most likely once again be the pioneers of world first payment solutions. SO. WHAT S NEXT? The next steps are to: Conduct an industry wide impact analysis (target November 2014) Address legal artefacts such as a new Early Debit Order Directive and the Clearing Rules and determine which Payments Clearing House these transactions would be processed through (mid-february 2015) Develop the actual solutions (To be finalised) Compile testing plans and packs (To be finalised) Develop communication and migration strategies (end February 2015) From implementation of Authenticated Collections, the industry will be given 2 years to migrate unauthenticated transactions. Thereafter only Authenticated Collections will be processed early. 8

10 MODERNISING ELECTRONIC PAYMENT SYSTEMS WHY THE REVAMP? The project has been referred to as ISO in the past. The industry has since realised that ISO is merely the standard and methodology. It is an enabler of business needs/requirements. ISO does provide the main benefit of being an international standard that provides richness of data and resultant flexibility. Moving to a new standard can be exciting and daunting. It s exciting as the opportunity to innovate and present new offerings comes to the fore. It s daunting as existing well embedded legacy systems need to be shifted from. The business case for making substantial changes is often questioned. For this reason the PASA community has become clear that it is business needs that should drive the project. Remaining with the current message structures (even though they have served the industry well for more than 30 years) is not an option. To maximise returns, business needs are being reviewed for each of the debit and credit electronic payment systems (more specifically EFT Debits (Debit Orders) and EFT Credits). The project has thus re-structured around two main projects namely modernising debits and modernising credits. For debits some considerations will be to potentially include additional requirements such as tracking of transactions, enhanced referencing, settling only for successful transactions and mandate management. For credits, additional features may include payment by using proxies (e.g. payment by only knowing the recipient s mobile number) and common message structures for real time clearing and EFT credits. WHAT ARE WE DOING? Over the last year, the project has finalised and made clear the strategic imperative for modernising electronic payments. The modernising effort creates the platform for future innovation, allowing participants to respond to regulatory and market needs. A major milestone was the production of a generic template for debits and credits. This template contains the standard message structures, flows and layouts. THE ROAD AHEAD The next targeted milestones include: Firming the business needs per use case for debits (1Q 2015) Firming the business needs per user case for credits (1Q 2015) Prioritising market needs (early 2Q 2015) Drafting technical specifications (2Q 2015) Establishing an implementation framework and roadmap (3Q 2015) Determining sunset dates for legacy systems (3Q 2015) In early 2014, the International Council of Payment Association Chief Executives (ICPACE), of which South Africa forms part, commissioned research into the best practices for implementing ISO 20022, particularly for payment systems. Click here for the research report. 9

11 CARD INTERCHANGE WHY CHANGE INTERCHANGE? In response to one of the outcomes from the Banking Enquiry to adopt an objective and transparent process for interchange determination, the SARB National Payment System Department (NPSD) undertook the first ever independent review of interchange in South Africa. During 2011 the NPSD initiated the Interchange Determination project with the intention to review interchange rates applied in all relevant payment streams. The ATM payment stream was selected as the first phase for the project. The revised ATM Interchange rates were announced during December 2013 and implemented 3 months later during March Interchange rates for Card transactions followed and during March 2014 the new interchange rates for Card transactions were announced with an expected implementation date of 1 January Implementation of the new Card Interchange rates, from the original 3 rates to now 12, was set to be one of the biggest interbank Card projects undertaken in years. The changes required were not only the system and business process changes relating to interchange but banks would also need to look at customer pricing and offerings and Merchant Agreements as an outflow of this project. NO SMALL CHANGE The Card Interchange project was registered during March 2014 and a core project team, consisting of Card Executives from PASA member banks, was established. The project received a huge amount of focus with various project workgroups and teams working on different aspects of the project. Some of the high severity risks raised were the dependency of key supplier development, the impact of implementing the new rates during the annual system freeze period and the impact on Fuel Retailers. An impact analysis was formulated and presented to the NPSD during September Agreement was reached that fuel transactions for petrol and garage cards would be out of scope and that the initial implementation date of 1 January 2015 would be extended to March MAKING THE CHANGE To facilitate the calculation of the 12 new interchange rates, testing will take place over 4 months, from November 2014 to March 2015, with final implementation on 16 March

12 PCI DSS FOR SYSTEM OPERATORS AND LEVEL 1 MERCHANTS SECURING PAYMENT CARD DATA The increased threat of data breaches resulted in a decision by PASA to review the protection of payment card data in the National Payment System. The decision to ensure implementation of PCI DSS was made by the Card Strategy Forum and endorsed by PASA Council and the National Payment Systems Department (NPSD) of the SARB. It was clear that the implementation of PCI DSS was a mammoth task and that the initiative needed to be broken up in smaller pieces. The approach to start with those entities in the value chain where the biggest risk of compromise lay was agreed. System Operators and PROGRESS MADE Level 1 Merchants in particular, form an integral part of the value chain for card processing in the NPS. The majority of card transactions are switched through these entities, which makes them high risk participants when it comes to the safety of card information. It was thus logical to start with these entities. PCI Security Standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The PCI DSS applies to all entities that store, process, and/or transmit cardholder data The implementation of PCI DSS for System Operators, specifically, has been a huge achievement for our industry. From 43 Card System Operators only 4 have not certified yet. The progress made from Level 1 Merchants has been significantly slower and only Level 1 Merchant has been certified thus far. Implementation progress is however tracked and Acquiring Banks are working with these merchants to implement PCI DSS within the businesses. CONTINUED FOCUS All System Operators who receive PCI DSS certification are required to re-certify on an annual basis. System Operators will therefore be required to confirm re-certification annually as part of the process to receive System Operator authorisation from PASA, as stipulated in the NPSD Directive for System Operators. Merchants are categorised into various levels, depending on the amount of card transactions processed annually. Merchant levels are set by the Card Schemes and determine which validation requirements should be met and reported. For Visa and MasterCard, Level 1 Merchants are typicall merchants that process more than 6 million transactions annually. 11

13 3D SECURE ADDING SECURITY FOR ONLINE PAYMENTS The migration to more secure Chip and PIN technology in the card present environment has resulted in fraud rapidly shifting to the online e-commerce domain. As an important first step to addressing the rising Card not Present (CNP) fraud, the decision to mandate 3D Secure for all e-commerce merchants was made during February D Secure is an authentication service that uniquely enables the cardholder to use their card when shopping online. This diagram illustrates the high level process. The implementation deadline was set for February 2014 and the journey to a safer online payments environment was given focussed attention by the industry. WORKING TOGETHER The decision to implement 3D Secure for all e-commerce merchants resulted in extensive stakeholder engagement. The engagements between PASA, banks, e-commerce merchants and payment gateways led to improved understanding of the rationale for the decision and simultaneously led to collective understanding of and solving for a number of implementation hurdles. MAKING PROGRESS Click here for 3D Secure FAQs, supporting documentation for merchants or PASA press releases 31.1 million South African cardholders are currently registered to use 3D Secure, meaning that 98% of all cardholders are now able to perform secure e-commerce transactions with their cards, if the merchant they use is 3D Secure. 97% of all South Africa e-commerce merchants have implemented 3D Secure, with the remaining merchants well on their way to embracing the improved protection and security 3D Secure offers. 12

14 DEBIT ORDER ABUSE ABUSING THE SYSTEM The EFT Debits (or debit order ) payment system is one of the most efficient and well-functioning systems, resulting in over 31 million transactions per month, valued at over R72 billion on average per month. However, there are from time to time both beneficiary parties and consumers that abuse this system in some way. Some consumers will abuse their right to dispute any transaction merely for the sake of cash flow management, or to avoid repayment obligations. Some beneficiaries or users also abuse the system by submitting debit orders without a proper mandate, with no mandate, or with expired mandates. The level of inefficiency measured by disputes is currently at 0,5% and unpaid due to lack of funds at around 10%. For NAEDO the scoreboard looks even worse up to 6% of transactions are disputed, while up to 30% are unpaid. COUNTER MEASURES TO DATE To protect account holders against abuse the following measures have been implemented by PASA: The process by which Consumers may dispute any debit order appearing on their account with their banks has been considerably stream lined and made easy. Some banks have developed an Authenticated Early Debit Order (AEDO) system by which account holders can authenticate a repayment schedule by means of a Card & PIN. Unfortunately the take-up of this service is much lower than for normal (unauthenticated) debit orders and early debit orders. The EFT Debits (or debit order ) payment system is valued at over R72 billion on average per month. A process of forcing beneficiaries/users to register a unique abbreviated short name (ASN) was started during August Based on this ASN the ratios of disputes are monitored, and any company found to be in breach may be subjected to an audit. A Debit Order Abuse (DOA) Database has been developed and is maintained by PASA for any company that is put under review. If it is found that the company has submitted debit orders without a mandate, they will be blocked from use of the system. Over one hundred such companies are already on the list. Although the Debit Order project was completed and signed off during quarter 1 of 2014, the abuse of debit orders continues to receive attention. PASA is: Finalising a process of penalties for any debit order found to be without a mandate after it has been disputed by a customer and Implementing an extensive Authenticated Collections project where the aim is for all early debit orders to be subjected to explicit electronic authentication by the account holder prior to releasing the payment instructions. 13

15

16

17

18

19