CA Viewpoint. Meeting the European Banking Authority Guidelines and EU Payment Security Directive for Secure Authentication

Similar documents
SecuRe Pay recommendations for the security of mobile payments

Visa s Future of Security Roadmap: Australia

Keep All of Your Business-Critical Jobs On Track. CA Workload Automation idash Helps You Reduce Missed SLAs and Lower Costs

Industry Briefing Strong authentication of Internet Payments in Europe - the new PSD2

The Future of Workload Automation in the Application Economy

The Future of Payment Security in Canada

Securing the Mobile, Cloud-connected Enterprise

WHO S GOT IT? WHO GETS IT?

APPLE PAY TERMS & CONDITIONS

PLAINSCAPITAL BANK APPLE PAY TERMS AND CONDITIONS - BUSINESS

Reducing E-Commerce Fraud Loss by 25% The Role of Machine Learning, Artificial Intelligence and Real-Time Behavioral Analytics in Fighting Fraud

An Enterprise Architect s Guide to API Integration for ESB and SOA

Unleash the Power of Mainframe Data in the Application Economy

CA Release Automation Continuous Delivery Edition and CA Agile Central

Solution Brief Efficient ecommerce Fraud Management for Acquirers

Why Authentication Matters

Building an API Monitoring Practice. for Modern Apps, Containers and Microservices

Building a Roadmap to Robust Identity and Access Management

The Uber Orchestrator from CA Technologies

Next-Generation Performance Testing with Service Virtualization and Application Performance Management

EMV: Facts at a Glance

CA Workload Automation Advanced Integration for Hadoop: Automate, Accelerate, Integrate

Aconite Smart Solutions

SOLUTION BRIEF CA TECHNOLOGIES IDENTITY-CENTRIC SECURITY. How Can I Both Enable and Protect My Organization in the New Application Economy?

Migrate to a new workload automation solution quickly and easily with a best-practiceled migration methodology

When It Needs to Get Done at 2 a.m., That s when you can rely on CA Workload Automation

By agreeing to these Terms and Conditions, you represent the following:

Your project managers are the engine that drives success. When you give them the tools they need.

Solutions. Card Risk Management Leverage Our Industry-Leading Solutions and Services to Fight the Rising Cost of Fraud

An Introduction to Oracle Identity Management. An Oracle White Paper June 2008

Additional Terms & Conditions for Use of Apple Pay to Supplement Your Interactive Brokers Debit Mastercard Cardholder Agreement

Trending: How does PSD2 trigger innovation?

Safeguarding Online Transactions, Reducing Fraud and Improving the Consumer Experience

The Mainframe Reframed for the Application Economy. How to manage your mainframe for great customer experiences

MITIGATE THE RISK OF FRAUD AND COMPLIANCE COSTS with EMV mandates. An NCR white paper

The Modern PMO: Powerful. Configurable. Social. CA PPM Version 15.3

Power Digital Performance and Outstanding Customer Experiences With a New Model for APM

Mobile & Online Banking

WHITE PAPER MARCH Improve ROI of PeopleSoft Enterprise With Business Automation

EMV Adoption in the U.S.

Understanding the 2015 U.S. Fraud Liability Shifts

The Future of Retail Banking

Online Payment Services

Putting Card Fraud to the Fire. Diana Kern, AAP senior trainer

The Small Business Guide to Mastering EMV

Strategy Roadmap. CA s Mainframe 2.0 Strategy Roadmap

WHITE PAPER. Focus on value added services by network companies a paradigm shift. Rahul Kaushal, Ramakant Mittal

Agile Portfolio Management for a Fast- Paced World. Are you ready? Are you ready?

Card Payment acceptance at Common Use positions at airports

Stopping Fraud in Real Time. Report. A Must in the Age of Multi-channel Digital Commerce» Report

Automating the Application Release Process: Build vs. Buy

My new Apple device will have a payment feature. How do I set it up?

Fraud in an open, digital payments landscape

Accelerate Order-to-Cash on Any Device Fuel Revenue Through Your CRM

Covering Your Assets: Payment Landscape and Technology

EMV THE DEFINITIVE GUIDE FOR US MERCHANTS AND POS RESELLERS

SuccessFactors Employee Central Side-by-Side Deployment with SAP ERP. White Paper

SOLUTION BRIEF IDENTITY AND ACCESS GOVERNANCE. Simplify Identity Governance and Reduce Risk With the CA Identity Suite

Itaú BBA to safeguard business operations and financial transactions with CA Service Assurance solutions

Achieve Your Business and IT Goals with Help from CA Services

EMV, PCI, Tokenization, Encryption What You Should Know for Presented by: The Bryan Cave Payments Team

Crash Course: What are EMV and the EMV Liability Shift?

CA FAQS Production Control System for z/vse r5.0

Empowering teams for the 21 st Century. CA Agile Central

COMMISSION DELEGATED REGULATION (EU) No /.. of XXX

CA Project & Portfolio Management

Andreas Strobel SPA Board Member shaping the future of payment technology

Mastercard Europe Risk Leadership Conference Cannes, France October 8-11, 2018 DRAFT AGENDA

EMV and Educational Institutions:

Security Monitoring Service Description

PSD2 IMPLICATIONS OF THE REGULATION August 8, Regina Lau, Chief Strategy Officer, Ingenico epayments Zainab Mir, Counsel Payments, Netflix

Liverpool Hope University

EMV Chip Cards. Table of Contents GENERAL BACKGROUND GENERAL FAQ FREQUENTLY ASKED QUESTIONS GENERAL BACKGROUND...1 GENERAL FAQ MERCHANT FAQ...

When Your People Are Engaged, Your Projects Really Move

PARTNER SOLUTION BRIEF

Payment Card Industry Compliance. May 12, 2011

Apple Pay and Tokenization Background and Overview

PCI COMPLIANCE PCI COMPLIANCE RESPONSE BREACH VULNERABLE SECURITY TECHNOLOGY INTERNET ISSUES STRATEGY APPS INFRASTRUCTURE LOGS

Mobile and Contactless Payments Requirements and Interactions

INNOVATE. COLLABORATE. EDUCATE.

EMV and Apple Pay. The world of credit cards is on the move.

The Second Payment Services Directive: Scoping out the impacts of the Regulatory Technical Standards

Digital Disruption: Regulators, Customers, Consumers

Oracle Planning and Budgeting Cloud Service

Realex Payments Redirect/Remote PrestaShop Module for v 1.5+

SOLUTION BRIEF BUSINESS-DRIVEN, OMNI-CHANNEL FRAUD MANAGEMENT RSA FRAUD & RISK INTELLIGENCE

How Can I Better Manage My Software Assets And Mitigate The Risk Of Compliance Audits?

ECSG (Vol Ref. 8.A01.00) SEPA CARDS STANDARDISATION (SCS) VOLUME. Payments and Cash Withdrawals with Cards in SEPA

ORACLE ADAPTIVE ACCESS MANAGER

CA Network Automation

Current Version: June 9, 2017 DIGITAL WALLET AGREEMENT. This Agreement is between you and Coast Capital Savings Credit Union ( CCS ).

Connecting Applications from Mobile to Mainframe in the Application Economy

Visa and MasterCard Drive Adoption of EMV Payment Technologies in the United States

THE PAYMENT SERVICES DIRECTIVE II (PSD II) Liberalisation of electronic payment transactions

Card payment processing for your business

SEPTEMBER 2018 The Agile Team s Playbook to Doing Agile

can I consolidate vendors, align performance with company objectives and build trusted relationships?

WELCOME THE CHANGING LOOK OF FRAUD CURRENT FRAUD TRENDS INCLUDE:

The Changing Landscape of Card Acceptance

Transcription:

EXECUTIVE BRIEF AUGUST 2015 CA Viewpoint Summary of European Banking Authority Guidelines and How CA Can Help Meeting the European Banking Authority Guidelines and EU Payment Security Directive for Secure Authentication The European Banking Authority (EBA) recently published Final Guidelines on the Security of Internet Payments 1 outlining the minimum Internet commerce security standards that card issuers must implement by 1 August 2015. These guidelines are based on the regulations set out in the EU Payment Security Directive (PSD) and will incorporate the forthcoming Payment Services Directive (PSD 2) when released to ensure consistent Internet payments service adherence across the 28 EU member states. The bottom line for card issuers is the requirement to adopt a multi-factor, defense-in-depth authentication approach to support Internet card use by 1 August 2015. The importance in combatting fraud losses is underscored by the increase of card-notpresent fraud in 2012 by 21.2 percent over 2011 2. In support of the fight against payment fraud, EBA core requirements are centered on strong customer authentication 3 and aim to increase consumer trust in Internet payment services. The EBA guidelines present issuers with best practices, and by following these guidelines issuers can protect customer data and ensure that the rightful user, not a fraudster, is initiating a payment. Guidelines 4, 5, 7, 8, 9, 10 and 13 bear particular scrutiny regarding implementation of a multi-factor authentication solution. These recommendations include: Implementing a cardholder authentication solution, such as 3D Secure (3DS), for Internet use Incorporating multiple layers of defense-in-depth security Using fraud detection and prevention technology to identify suspicious transactions Ensuring that a strong authentication solution is enabled for high-risk, card-notpresent cases. In reality, payment card issuers must balance the necessity for secure Internet payments and protection of cardholder data along with maintaining a smooth, user-friendly cardholder experience. CA Technologies offers comprehensive software solutions that allow issuers to meet and exceed some of the EBA guidelines and be ready for the potentially more stringent PSD 2 regulations solving for secure customer-friendly Internet payment experiences. See Appendix A for more detail.

2 EXECUTIVE BRIEF AUGUST 2015 ca.com How CA Technologies payment security products meet EBA requirements The 14 specific EBA guidelines are summarized as follows: 1. Implement and regularly review a formal security policy 2. Carry out and document thorough risk assessments 3. Ensure consistent and integrated monitoring, handling and follow-up of security incidents 4. Incorporate multiple layers of security defenses 5. Have processes in place that ensure all transactions are properly traced 6. Identify customers and confirm their willingness to make Internet payments 7. Protect Internet payments, as well as access to sensitive payment data using strong customer authentication3 8. Ensure that customer enrollment and authentication provisioning is carried out in a secure manner 9. Limit the number of login or authentication attempts and session length 10. Operate transaction monitoring tools to prevent, detect and block fraudulent payments and subject high-risk transactions to specific screening and evaluation before the transaction is completed 11. Protect sensitive payment data when stored, processed or transmitted 12. Provide assistance and guidance to customers and communicate the authenticity of messages received 13. Set limits for internet payment services and provide customers with options to further limit risk, including alerting and profile management services 14. Confirm the payment initiation and provide customers in good time with information to verify a payment is legitimate As a leading provider of Internet payment security solutions, CA Technologies is the ideal partner for issuers to smoothly meet the 1 August 2015 deadline. By implementing an easily customizable CA Technologies payment security cloud service, issuers can achieve a powerful card-not-present payments foundation, create a seamless customer experience and meet the requirements set forth in the EBA strong authentication guidelines. CA Transaction Manager, our 3DS service, is used by over 13,500 portfolios with over 150 million active cardholders worldwide. 4 More issuers are choosing CA Transaction Manager everyday because it enables a dynamic and personalized online shopping experience. And, because our payment security product team has been involved with developing 3DS technology since initial establishment of the secure protocol, CA Technologies can provide seamless 3DS compliance with Verified by VISA, MasterCard SecureCode, JCB J/Secure, American Express SafeKey and Discover/Diners ProtectBuySM cardholder authentication programs. CA Risk Analytics is a zero-touch authentication cloud service that uses advanced statistical predictive models and dynamic rules to assess the potential risk of each transaction and instantaneously deny, alert, allow or require additional authentication for each transaction appropriately. No explicit cardholder interruption occurs during the checkout process unless additional verification is triggered based on the scoring results. provides simple, intuitive and dynamic authentication that fully meets the EBA definition of strong customer authentication. Offered on-premise or as a cloud service, CA Strong Authentication provides an alert the cardholder for confirmation that it is a valid transaction. Using two-way notification, transactions identified as potentially fraudulent can be validated instantaneously by cardholders allowing them complete their transaction or identify it as fraudulent. This versatile authentication solution enables multiple authentication modes including a two-factor soft credential, one-time password (OTP) delivered via SMS or voice, Mobile OTP application, two-way notification and other multi-factor options.

3 EXECUTIVE BRIEF AUGUST 2015 ca.com What Does This Mean for Current CA Technologies Payment Security Customers? The increasing sophistication of fraudsters and the desire for an improved customer experience has already led a significant number of CA Technologies customers to choose our solutions. We are confident that very little effort will be required by current users of our ecommerce solutions to fully comply with the EBA definition of strong authentication. Customers can quickly enhance their products by working with us, but the following table outlines some initial considerations: If you are using: Then upgrade to: Rationale: CA Transaction Manager CA Transaction Manager and CA Transaction Manager and CA Risk Analytics CA Risk Analytics CA Transaction Manager customers who currently use static passwords alone for 3DS authentication should consider deployment of CA Strong Authentication to help meet the requirements that include a two-factor soft credential; OTP via SMS, voice, email; Mobile OTP generator and two-way notification and transaction verification. By using, you can address most policy requirements for strong customer authentication. However, we recommend adding CA Risk Analytics to improve the customer experience. This provides a frictionless checkout experience for genuine cardholders and only suspicious transactions will require additional authentication. CA Risk Analytics can also help you increase security and reduce fraud for ecommerce transactions. CA Risk Analytics can identify and block suspicious transactions. However, you will still need to address regulatory guidelines requiring strong customer authentication to verify the genuine cardholder. We are committed to work closely with CA customers and partners to fully deliver solutions that increase customer loyalty, grow revenue and ensure compliance with the higher security standards required under current and future regulations. What s Next? Stay ahead of the 1 August 2015 implementation deadline contact us today. We can advise you on what CA Technologies payment security products may suit your needs and work with you to implement the best secure authentication options as you prepare for the regulatory deadline. Learn more about CA Technologies payment security products at www.ca.com/ payment-security or send an email to paymentsecurity@ca.com to connect with a product expert. CA Technologies customers can contact their account representative for a detailed assessment on how our payment security solutions fulfill the EBA Guidelines on the Security of Internet Payments and EU Payment Security Directive (PSD) regulations.

4 EXECUTIVE BRIEF AUGUST 2015 ca.com Appendix A EBA Guideline Solution Application of CA Technologies Payment Security Solution Implement and regularly review a formal security policy Carry out and document thorough risk assessments Ensure consistent and integrated monitoring, handling and follow-up of security incidents Incorporate multiple layers of security defenses Have processes in place that ensure all transactions are properly traced Identify customers and confirm their willingness to make Internet payments Protect Internet payments and access to sensitive payment data using strong customer authentication 3 Ensure that customer enrollment and authentication provisioning is carried out in a secure manner Limit the number of login or authentication attempts and session length Operate transaction monitoring tools to prevent, detect and block fraudulent payments and subject high-risk transactions to specific screening and evaluation before the transaction is completed Protect sensitive payment data when stored, processed or transmitted Provide assistance and guidance to customers and communicate the authenticity of messages received Set limits for Internet payment services and provide customers with options to further limit risk including alerting and profile management services Confirm payment initiation and provide customers in good time with information to verify a payment is legitimate, security information and event management (SIEM) solution CA Transaction Manager, CA Risk Analytics, CA Transaction Manager, CA Risk Analytics CA Transaction Manager, CA Strong Authentication, CA Privileged Identity Manager, CA Single Sign-On CA Risk Analytics CA products do this for the data we manage CA Transaction Manager, CA Risk Analytics, Using CA Risk Analytics, issuers can dynamically customize fraud and risk policies settings according to individual financial institution policies. Issuers can use authentication data from CA Risk Analytics to augment risk assessments. The combination of these products will allow you to meet the requirements for strong authentication and transaction monitoring achieving defense in depth for Internet payment transactions. CA Transaction Manager implements 3D Secure (3DS) so that each transaction can be authenticated. CA Risk Analytics provides additional authentication data and an audit trail for each transaction. Case Management capabilities provide true fraud data. CA Transaction Manager implements 3DSe so that each transaction can be authenticated. provides multiple options for multi-factor authentication including OTP via SMS, Mobile OTP app, two-way notifications and unbreachable passwords for both Internet payments and access to sensitive payment data. CA Privileged Identity Manager provides through fine-grained user access controls, shared account password management, authentication bridging and user activity reporting in both physical and virtual environments for privileged user. Provides secure enrollment, FYP and de-provisioning workflows. With, issuers can choose limits for authentication attempts. CA Single Sign-On can incorporate logins from multiple channels. CA Risk Analytics provides real-time analysis of each transaction, applies advanced 3DS authentication models, and produces a score that identifies both legitimate and high-risk transactions. Dynamic rules allow you to apply customized business policies. CA Technologies maintains secure, Payment Card Industry (PCI) compliant, SSAE 16 audited ecommerce Solution data centers so that data transmitted during the authentication process keeps cardholder data protected. CA Transaction Manager and CA Risk Analytics can support customer service managers (CSM) in determining when a potentially fraudulent transaction has occurred. The CSM can then communication this information to the customer. CA Risk Analytics can analyze a transaction and determine its level of risk. It can send an alert to customers, request step-up authentication or deny the transaction based on bank policies. can send an OTP via SMS, email or voice, or initiate two-way customer notification so that the customer can respond immediately to continue a transaction.

5 EXECUTIVE BRIEF AUGUST 2015 ca.com 1 European Banking Authority Final Guidelines on the Security of Internet Payments Press Release London.UK Published 19/12/2014 EBA/GL/2014/12 The European Banking Authority (EBA) published today its final Guidelines on the security of internet payments, which set the minimum security requirements that Payment Services Providers in the EU, will be expected to implement by 1 August 2015. Concerned about the increase in frauds related to internet payments, the EBA decided that the implementation of a more secure framework for Internet payments across the EU was needed. These Guidelines are based on the technical work carried out by the European Forum on the Security of Retail Payments (SecuRe Pay). Among various measures aimed at more efficient and secure internet payments across the EU, the EBA guidelines require in particular that Payment Service Providers (PSPs) carry out strong customer authentication in order to verify the customer identity before proceeding with an on-line payment, one of the key measures to prevent internet fraud, be it through banking services or internet card payments. These Guidelines, which are based on the technical work carried-out by SecuRe Pay -the voluntary cooperation forum reuniting central banks and supervisors of Payment Service Providers -, will be applicable to all PSPs across the EU in a consistent manner as of August 2015. The EBA decided to issue these Guidelines because of the rising levels of fraud observed in internet payments. Latest pan-eu figures showed that fraud on card internet payments alone caused 794 million of losses in 2012 (up by 21.2% from the previous year). A timely and consistent regulatory response was therefore needed while waiting for the revision of the Payment Services Directive which aims at creating a more secure, competitive and consumer-friendly rules for payments in the EU. Geoffroy Goffinet at the EBA Consumer Protection Unit explained that: the EBA guidelines on internet payments provide the legal basis for achieving a level playing field for all PSPs across the EU. Through this piece of work, the EBA looked into supporting the development of e-commerce across the EU, while ensuring proper protection of consumers. PSPs will also be required to provide assistance and guidance to their customers in relation to the secure use of internet payment services. In particular, they will have to initiate customer awareness programmes so as to ensure that their users understand risks and best practices in internet payments. Regarding consumer data protection, the Guidelines foresee that PSPs offering card payment services to e-merchants should encourage them not to store any sensitive payment data or require that they have the necessary measures in place to protect these data. PSPs should also carry out regular checks and if they become aware that an e-merchant handling sensitive payment data does not have the required security measures in place, they should take steps to enforce this as a contractual obligation or terminate the contract. All competent authorities across the EU are expected to comply with these Guidelines by incorporating them into their supervisory practices and amending their legal framework or their supervisory processes accordingly. Note to the editors These Guidelines will provide a solid legal basis for the security of internet payments across all EU Member States while the revised Payment Services Directive (known as PSD2) is finalised in coming years. A consultation on the implementation of these Guidelines was launched in October 2014. The EBA work on this topic results from a concerted effort with the European Central Bank (ECB) to increase the security of retail payments and was developed on the basis of the recommendations issued in January 2013 by the European Forum on the Security of Retail Payments (SecuRe Pay). SecuRe Pay was established in 2011 as a voluntary cooperation between supervisors of Payment Service Providers (PSPs) and overseers of payment systems and payment schemes/instruments within the EU/EEA with the aim of facilitating knowledge sharing and understanding of security of electronic payment services and instruments. Press contacts: Ms. Franca Rosa Congiu E-mail: press@eba.europa.eu Tel: +44 (0) 207 382 1772

6 EXECUTIVE BRIEF AUGUST 2015 Connect with CA Technologies at ca.com CA Technologies (NASDAQ: CA) creates software that fuels transformation for companies and enables them to seize the opportunities of the application economy. Software is at the heart of every business, in every industry. From planning to development to management and security, CA is working with companies worldwide to change the way we live, transact and communicate across mobile, private and public cloud, distributed and mainframe environments. Learn more at ca.com. 1 See http://www.eba.europa.eu/regulation-and-policy/consumer-protection-and-financial-innovation/guidelines-on-the-security-of-internetpayments 2 See http://www.ecb.europa.eu/pub/pdf/other/cardfraudreport201402en.pdf 3 For the purposes of the EBA guidelines, strong customer authentication is defined as a procedure based on the use of two or more of the following elements categorized as knowledge, ownership and inherence: i) something only the user knows, e.g., static password, code, personal identification number; ii) something only the user possesses, e.g., token, smart card, mobile phone; iii) something the user is, e.g., biometric characteristic, such as a fingerprint. In addition, the elements selected must be mutually independent I.e., the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the Internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data. 4 Source: CA Technologies data 4th quarter of calendar year 04. Copyright 2015 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. This document is for your informational purposes only. CA assumes no responsibility for the accuracy or completeness of the information. To the extent permitted by applicable law, CA provides this document as is without warranty of any kind, including, without limitation, any implied warranties of merchantability, fitness for a particular purpose, or non-infringement. In no event will CA be liable for any loss or damage, direct or indirect, from the use of this document, including, without limitation, lost profits, business interruption, goodwill or lost data, even if CA is expressly advised in advance of the possibility of such damages. Some information in this publication is based upon CA s experiences with the referenced software product in a variety of development and customer environments. Past performance of the software product in such development and customer environments is not indicative of the future performance of such software product in identical, similar or different environments. CA does not warrant that the software product will operate as specifically set forth in this publication. CA will support the referenced product only in accordance with (i) the documentation and specifications provided with the referenced product, and (ii) CA s then-current maintenance and support policy for the referenced product. CA does not provide legal advice. Neither this document nor any CA software product referenced herein shall serve as a substitute for your compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, policy, standard, guideline, measure, requirement, administrative order, executive order, etc. (collectively, Laws )) referenced in this document. You should consult with competent legal counsel regarding any Laws referenced herein. CS200-146477_0815

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback