On 15 November 2013 the Governing Council of the European Central Bank (ECB) decided to launch a public consultation on the “Recommendations for the security of mobile payments”, in the context of the work undertaken by the European Forum on the Security of Retail Payments.
The Forum was established in 2011 as a voluntary cooperative initiative between relevant authorities from the European Economic Area – supervisors of payment service providers and overseers in particular – formed with the objective of facilitating common knowledge and understanding of issues related to the security of electronic retail payment services and instruments and, where necessary, issuing recommendations. A report on the security of internet payments was issued for public consultation in April 2012, followed by a report on “payment account access” services in January 2013. The current draft report on the security of mobile payments is the third of its kind.
The use of mobile devices and technologies for payments creates new risks to the security of payments. There are several reasons for that. First, the current generation of mobile devices and their operating systems was generally not designed with the security of payments in mind. Second, the use of radio technology for the transmission of sensitive payment data and personal data exposes mobile payments to risks that other payments do not entail. Third, compared with traditional payments, mobile payments involve new actors, including mobile network operators. The general public, finally, may be less aware of information security risks when using mobile devices compared with when making internet payments from desktop PCs or laptops at home. For these reasons – and notwithstanding the fact that mobile payments are still at an early stage of development and deployment – the Forum has prepared draft recommendations for the security of mobile payments. This work also has the benefit of developing a harmonised European approach to solutions that have the potential to develop more easily than traditional payments, also across national borders.
The present draft recommendations cover all payments in which the mobile device of a customer is used as a device to initiate a payment, except when the customer only uses a web browser to access the internet. In the latter case, the payment is considered as an internet payment, which is covered by the “Recommendations for the security of internet payments”. In practice, the present draft recommendations cover the following three categories of payments: contactless payments (e.g. using NFC technology), payments using a mobile payment application (“app”) previously downloaded onto the customer’s mobile device, and payments via a mobile network operator’s channel (using SMS, USSD or voice technology) with no specific “app” previously downloaded onto the customer’s mobile device (hereafter referred to as “SMS payments”).
Among the issues market participants may wish to comment on, the Forum would like to highlight the following two. The first is whether it is justified to maintain SMS payments within the scope of the report and, if so, how far the proposed recommendations would appropriately cover these payments. The second issue relates to the requirement of strong customer authentication for mobile payments and, in particular, an exemption from that requirement that could be considered for predefined categories of low-risk transactions based on a transaction risk analysis. Such an exemption would align the present recommendations with those the Forum developed for internet payments. At the same time, however, it would create a difference in security requirements compared with those for “card-present” payments, which may be difficult to justify. On both issues, views of market participants would provide important input for the finalisation of the work of the Forum on mobile payments.
Invitation to comment
All interested parties are invited to comment on the draft “Recommendations for the security of mobile payments”.
The respective national central banks and national supervisors of payment service providers will serve as contact points for market participants in their country and provide further information and/or answer questions regarding these recommendations.
Any comments received will be published on the internet, unless it is clearly indicated that the author does not consent to such publication. Comments should only be made using the response template provided and should be submitted to the ECB in English or in the relevant official EU language.
31 January 2014
Address for submission:
European Central Bank
D-60311 Frankfurt am Main
Fax: +49 69 1344 6170
For media queries, please contact Andreas Adriano, Tel.: +49 69 1344 8035.