“Restrictive” readings by the EBA would lead to “significant market disruptions”

EPSM, a European payment services industry group, has called for a minimum 18-month delay to the introduction of Strong Customer Authentication (SCA) rules under PSD2 – just eight weeks ahead of a looming deadline for implementation.

In a desperate plea to regulators for an extension, the 67-member organisation, whose members provide a range of payment services to merchants, warned of “significant market disruptions” and “a disaster for consumers and PSPs [payment service providers]” without a grace period for industry to get its house in order.

“EPSM recommends that additional timeframes of 18 months for standard applications and up to 36 months for challenging applications, (e.g. in the travel and hospitality sector) across all regions should be agreed in a harmonised migration approach” the lobby group said, warning of business disruption risks without flexibility.

What is Strong Customer Authentication?

SCA, to be introduced September 14, requires robust additional security authentications for a majority of online transactions over €30 (£26.95). The rules are being introduced in a bid to tackle payment fraud. (A report published today by consultancy Crowe, with the Centre for Counter Fraud Studies at the University of Portsmouth, says fraud – of which payments fraud is a substantial component – costs the UK £130 billion each year).

Regulatory technical standards (RTS) for SCA were adopted by the European Parliament in March 2018. The aim is to increase the security of electronic payments over by introducing two-factor authentication (2FA) – for all transactions over €30 that fall under the scope of the rules. These include credit transfer via online banking, standard ecommerce card payments, card payments at POS (chip and pin) and more.

Yet the EPSM claims many questions about implementation remain unanswered, saying this week that “a lot of questions regarding the interpretation of the legal texts have been addressed to EBA [European Banking Authority]. Unfortunately, only a small number has been answered and a high level of uncertainty remains.”

The EBA did not respond to a request for comment from Computer Business Review.

“Significant Market Disruptions” – The EPSM’s Specific Fears

EPSM notes: “According to a restrictive reading of the RTS by EBA, the online payment method ‘Remote card payment using OTP [one-time password], 3DS [an XML-based protocol designed as an additional security layer for online card transactions] and card data will not be allowed without e.g. an additional password or biometry, even if secured by EMV 3DS 2.x (the highest security level possible).

It adds: “This would lead to significant market disruptions.”

When SCA is applied, two-factor authentication is required. This includes a combination of the following:

Possession: something only the user possesses (a card, a mobile phone, etc.)

Knowledge: something only the consumer knows

Inherence: something the user is (biometric identification like fingerprint, iris or voice recognition, etc.)

The EPSM is calling on the EPA to belatedly change the rules and acknowledge that the combined use of card data (as “knowledge”; the current EBA opinion is that this is not compliant); OTP as “ownership” (the EBA opinion is that this is compliant) and EMV 3DS as “inherence (the EBA opinion being that this is not compliant) is a valid SCA method.

“Organisations did not Consider the Complexity “

SCA expert Mike Lynch, Chief Strategy and Product Officer, Deep Labs told Computer Business Review that he thought that the EBA had been clear, but that implementing solutions was complex and industry was only just realising the issue.

“The guidance is very prescriptive for SCA, and in my opinion has been very clear, but it requires a deep understanding of technical and security components that could meet the requirements.

“It has been clear from the start to certain experts that OTP, for example, would not meet the requirements. Yet many felt something like an SMS OTP, which is completely insecure and does not meet all the requirements of the articles, would suffice.”

He added: “[As well as 2FA], strong customer authentication requires: secure communication sessions so that an authentication code or push notification cannot be altered or intercepted; software authenticity, maintained through tamper-proof features to ensure that the amount of the transaction and the payee/beneficiary of the transaction are safeguarded during all phases of the authentication, including generation, transmission, and usage, and separate and secure execution environments, as per the [PSD2] articles. [These include]

the use of separated secure execution environments through the software installed inside the multi-purpose device;

mechanisms to ensure that the software or device has not been altered by the payer or by a third party;

where alterations have taken place, mechanisms to mitigate the consequences thereof.

Mike Lynch added: “To solve these, SCA needs a: secure, separate execution environment via the client banking app and security protections along the transmission path such as encryption; b: application validation, ensuring that the installed banking application code has not been altered or tampered with in any way and likely root/jailbreak detection and malware/crimeware detection to ensure the device has not been altered.”

He concluded: “Now that organizations realize that a much more complex solution must be built, they are likely behind the curve… The correct solution will not create market disruptions. Launching an insecure solution would. The bigger issue is that organizations did not consider the complexity and now are realizing that they need extended time to build a solution.”