SecuRe Pay recommendations for the security of mobile payments

Transcription

1 ECB-PUBLIC FINAL SecuRe Pay recommendations for the security of mobile payments Stephanie Czák Senior Market Infrastructure Expert European Central Bank ETSI/EC Collaborative Ecosystem for M-Payments Workshop Nice, 02 July 2014

2 ECB objectives for payment instruments oversight Payment instruments oversight Ensuring efficiency Maintaining public confidence European Central Bank 2

3 SecuRe Pay European Forum on the Security of Retail Payments The Forum a voluntary platform for cooperation between central bank overseers and supervisors Observers: European Commission, Europol Scope electronic retail payment services, payment instruments and payment service providers Mandate Facilitate common understanding among authorities Make recommendations ECB-RESTRICTED DRAFT 3

4 Recommendations for the security of mobile payments Scope contactless payments (e.g. using NFC technology), payments using a mobile payment application ( app ) previously downloaded onto the customer s mobile device, and payments using the MNO s channels (e.g. SMS, USSD, voice telephony) without a specific app previously downloaded onto the customer s mobile device. European Central Bank 4

5 Recommendations for the security of mobile payments Addressees Payment Services Providers Governance authorities of payment instrument schemes developing and offering mobile payment services Both are referred to as mobile payment solution providers Excluded from the scope are: payments where the customer only uses a web browser or an application that is strictly acting as such technologies transforming mobile devices into physical card payment acceptance devices (e.g. a POS terminal). sticker solutions that do not interact with the mobile device. payment transactions outside the scope of the PSD European Central Bank 5

6 High-level principles of the SecuRe Pay report MPSPs should 1/3 identify, assess and mitigate the risks of mobile payment services as well as those resulting from reliance on third parties (e.g. MNOs, TSMs, manufacturers) and underlying technology. consider the mobile device as inherently vulnerable to security issues properly identify payers and payees and provide them with adequate information on requirements for performing/accepting secure mobile payment transactions as well as on the risks. protect the initiation of mobile payments, as well as access to sensitive payment data, by strong customer authentication. protect sensitive payment data wherever it is transmitted, processed or stored. * sensitive payment data is defined as data which could be used to carry out fraud. European Central Bank 6

7 High-level principles of the SecuRe Pay report MPSPs should 1/3 ensure that enrolment for and the initial provision of the customer s authentication tools and/or the delivery of software for payments and managing sensitive payment data in a secure manner; regularly check the software against tampering. limit the number of log-in or authentication attempts, implement time-out controls and set time limits for the validity of authentication. implement secure processes for authorising transactions, as well as robust processes for monitoring transactions and systems in order to identify abnormal customer payment patterns and prevent fraud. European Central Bank 7

8 High-level principles of the SecuRe Pay report MPSPs should 1/3 Be able to deactivate the payment functionality remotely; allow customers to deactivate the functionality on their device Engage in enhancing customer understanding and provide information on security issues related to the use of mobile payment services. set limits for mobile payment services and could provide their customers with options for further risk mitigation within these limits. They may also provide alert and customer profile management services. notify customers of the payment initiation and provide customers with timely information necessary to check that a payment transaction has been correctly initiated and/or executed. European Central Bank 8

9 Outlook Review based on the public consultation Clarifications on the scope Refinement per payment instrument and initiation method Clarifications on wallets Etc. SecuRe Pay support of the EBA in the implementation of the mandates coming from the Payment Services Directive 2 European Central Bank 9

10 Questions? 10

11 ECB-RESTRICTED DRAFT European Forum on the Security of Retail Payments Overview: relevant publications Security of internet payments Final Recommendations (01/2013) Assessment Guide (01/2014) Payment account access services Final Recommendations as input for upcoming EBA Guideline (03/2014) ECB legal opinion on the review of the payment services directive (01/2014) Security of mobile payments Public consultation on draft Recommendations (11/2013) See: 11

12 How to verify the identity of a customer in a remote situation? Strong customer authentication A procedure based on the use of two or more of the following elements categorised as knowledge, ownership and inherence: I. something only the user knows, e.g. static password, code, PIN; II. III. something only the user possesses, e.g. token, smart card, mobile phone; something the user is, e.g. biometric characteristic, such as a fingerprint. In addition, the elements selected must be: mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data. European Central Bank 12

13 Glossary EBA European Banking Authority MNO Mobile network operator MPSP mobile payment solution providers POS point of sale PSD2 proposed EU Payment Services Directive 2 SecuRe Pay European Forum on the Security of Retail Payments TSM trusted service manager UICC Universal Integrated Circuit Card European Central Bank 13