Among much else, the new instructions [PDF] seem to require payment service providers (PSPs) to ensure two-factor authentication (2FA) is used to verify the identity and intentions of all customers in online transactions.
The EBA started work on the guidelines in October, launching a consultation period to gather the input of the banks and other bodies involved in online money transfers.
The main targets of the guidance are the PSPs, the companies that sit between websites and banks to facilitate money transfers – the likes of PayPal and SagePay will be familiar to many, and security-watchers will surely recognise names like Heartland and WorldPay.
The responses from the PSPs leaned heavily towards not issuing the guidelines, with most respondents preferring to wait for beefier regulation in the upcoming revision of the EU’s Payment Services Directive (PSD2).
However, with PSD2 not expected to come into force until 2016 or 2017, the EBA opted to release its own guidance early to ensure customers get the best protection possible in what are seen to be highly dangerous times for anyone buying or selling online.
The bulk of the guidelines deal with the nitty-gritty of securing payments, detailing things like risk assessment, traceability and incident reporting. There’s a heavy customer focus too though, with plenty of guidance on what information and advice should be provided to customers.
The most interesting part comes in section 7 of the guidelines, which requires, with some minor room for manoeuvre, the use of “strong customer authentication”:
The initiation of internet payments, as well as access to sensitive payment data, should be protected by strong customer authentication. PSPs should have a strong customer authentication procedure in line with the definition provided in these guidelines.
Early in the document the phrase “strong customer authentication” is defined as follows:
Strong customer authentication is, for the purpose of these guidelines, a procedure based on the use of two or more of the following elements – categorised as knowledge, ownership and inherence: i) something only the user knows, e.g. static password, code, personal identification number; ii) something only the user possesses, e.g. token, smart card, mobile phone; iii) something the user is, e.g. biometric characteristic, such as a fingerprint. In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.
So by the sounds of it, the EBA is basically committing PSPs to introducing full and proper 2FA to all regular online transactions.
With the guidelines due to come into force in August of 2015, that really doesn’t leave much time for a major step forward in the levels of security implemented by most sites and services. And it’s not so surprising that the consultation period met so much resistance from those tasked with getting this all in place.
Of course these are just “guidelines”, but they should have some teeth. At the very least, they will put the idea of strong security everywhere firmly in the minds of the people building the back-end payment systems which underpin so much of what we do online.
That should mean a considerably safer future for all of us, although it remains to be seen whether it will really arrive by next August.
Learn more about two-factor authentication
• The power of two – All you need to know about 2FA
• 2FA: Understanding the options
• Sophos Techknow podcast – Two-factor Authentication [PODCAST]