EBA Guidelines on Internet Payments Security 2015

Editorial & Advertiser disclosure

Global Banking & Finance Review® is an online platform offering news, analysis, and opinion on the latest trends, developments, and innovations in the banking and finance industry worldwide. The platform covers a diverse range of topics, including banking, insurance, investment, wealth management, fintech, and regulatory issues. The website publishes news, press releases, opinion and advertorials on various financial organizations, products and services which are commissioned from various Companies, Organizations, PR agencies, Bloggers etc. These commissioned articles are commercial in nature. This is not to be considered as financial advice and should be considered only for information purposes. It does not reflect the views or opinion of our website and is not to be considered an endorsement or a recommendation. We cannot guarantee the accuracy or applicability of any information provided with respect to your individual or personal circumstances. Please seek Professional advice from a qualified professional before making any financial decisions. We link to various third-party websites, affiliate sales networks, and to our advertising partners websites. When you view or click on certain links available on our articles, our partners may compensate us for displaying the content to you or make a purchase or fill a form. This will not incur any additional charges to you. To make things simpler for you to identity or distinguish advertised or sponsored articles or links, you may consider all articles or links hosted on our site as a commercial article placement. We will not be responsible for any loss you may suffer as a result of any omission or inaccuracy on the website.

By Thorsten Trapp, CTO and co-founder, tyntec

Concerned about the increase in internet fraud related to online payments, the European Banking Authority (EBA) recently decided that the implementation of a more secure framework for internet payments across the EU was needed. Released in December 2014, the EBA’s guidelines on the security of internet payments set out the minimum requirements that Payment Services Providers (PSPs) in all 28 EU member states will be expected to implement by 1 August 2015.

The guidelines require that PSPs “carry out strong customer authentication” to verify the identity and intentions of all customers in online transactions. This is a welcome development as the latest pan-EU figures showed that fraud on card internet payments alone caused €794 million of losses in 2012 (up by 21.2% from the previous year.

“Strong customer authentication” is defined as something that employs the use of two or more elements to verify a person’s identity, so two-factor authentication is an obvious choice as a minimum standard.

What is two-factor authentication?

Two-factor authentication (2FA)is a security process in which the user is asked to provide two means of identification in order to access private information or complete a task, such as an online payment. Typically, the process will require the user to make use of something they “have” such as a physical object, like a phone or a token, or a unique physical identifier, like a fingerprint, in addition to offering up information they “know”, like a password.

Choosing the right solution

Thorsten Trapp

Thorsten Trapp

The EBA’s guidelines stipulate that the authentication method usedmust meet the following criteria: “mutually independent”, “not reusable”, “non-replicable” and “cannot be stolen off the internet”. This means that while there are many different types of two-factor authentication, not all methods are compliant. In addition, PSPs will need to consider specific requirements determined by country-level mandates and will want a solution that is easy to use,cost-effective and easy to deploy.

Biometric data is one example which offers a strong authentication method but poses usability problems in a mobile environment and can cause issues related to data protection and privacy.Fingerprints can occasionally become unreadable due to cuts or bruises and glasses can prevent an iris from being recognised.No doubt this technology will improve with time but in its current form there is a distinct lack of understanding and practicality which makes it a difficult investment for PSPs to commit to in order to meet stipulated guidelines.

In contrast, SMS-based 2FA is one solution which PSPs can viably consider investing in now due to its user friendly nature, economic cost structure and security effectiveness. Practically, this solution involves sending a One-Time Password (OTP) via SMS to a registered mobile number – a process consumers are already familiar with in their day-to-day lives. It requires the end-user to enter his or her password online after which they will receive an OTP in the form of a text message which can be entered to complete the authentication process. As a result, OTP SMS, an out-of-band two-factor authentication, meets the EBA’s security requirements of “strong customer authentication”and is user friendly, universally accessible, simple to deploy, and cost effective.

Given the expansive reach and ubiquity of SMS, sending security codes via this medium provides an effective solution for service providers looking to provide increased security for their customers whilst adhering to the EBA’s guidelines.

The SMS-based 2FA implementation challenge

The EBA’s guidelines will no doubt spark a flurry of activity as PSPs look to strengthen their online security measures. However, it’s important that companies take the time to carefully consider how they can effectively deploy an SMS-based 2FA strategy.

From an implementation standpoint, PSPs would be wise to work with OTP SMS specialists who can handle the mission-critical nature of the messaging service in terms of speed, delivery rate and coverage.Using SMS-based 2FA as an example, working with a reputable provider will ensure that you have access to a strong infrastructure in order to transmit SMS traffic securely and can provide real-time visibility checks of whether a mobile number is valid or not. This significantly reduces the likelihood of OTP failure making the solution significantly more effective for those using it.

With the guidelines due to come into force in August, there really isn’t much time before we start seeing a major step forward in the levels of security implemented by websites and online services. These regulations will put the idea of strong online security measures firmly in the minds of PSPs and cause them to look at how they can implement effective 2FA strategies in order to adhere to the guidelines of the EBA,or risk having to justify their non-compliance.