New payment services lack security standards, officials warn

  

Proposed rule changes designed to introduce more competition in the credit and debit card markets lack standards to protect consumers from fraud and data security breaches, officials told the European Parliament on Tuesday (7 January).

The European Commission published its update of the Payment Services Directive in July last year, aiming to cover regulatory and security challenges posed by a range of existing card and new mobile payments services expected to explode onto the European scene over the next two years.

Under the proposed rules new third-party providers of payments services – which include large retail companies such as Carrefour and Tesco and many mobile operators – will be able to access customer banks to effect transactions.

But a roundtable on the proposed law, held in the European Parliament yesterday, heard that the draft rules do not go far enough to protect consumers, with EU policymakers strongly arguing in favour of new standards.

Security concerns

Pierre Petit, a deputy director-general of the European Central Bank working on payments and markets infrastructure, told the meeting that he had concerns over security.

Petit said a key challenge of the new rules would be to reconcile the right of new market entrants to compete on a level playing field with security issues.

“Frankly speaking let me say that everything that is needed [to protect the consumer] is missing [from the proposal] on data protection,” Giovanni Butarelli, the assistant European Data Protection Supervisor (EDPS), told the round table, organised by the Parliament’s economic and monetary affairs committee. The EDPS acts as the EU’s watchdog on data protection issues.

Butarelli said one of the key concerns of his office was “the increasingly significant amount of personal details processed by stakeholders, including names, personal data, bank numbers, contacts and so on.”

Current provisions require third party payment service providers to abide by existing e-privacy rules, but Butarelli said that did not go far enough.

“It should be ensured that different actors only process what data is necessary, for example mobile operators should not have content detail information. So there should be simple details available to them,” Butarelli added.

Standard interface required

Petit said that a single standard interface between the third parties and banks and consumers was required as a “magic solution”.

The term "m-payments" covers many existing payment methods, including so-called "digital wallets", which include software platforms tied to consumers' existing banking cards and facilities, as well as other distinct payment services.

At the moment these services are much more popular in the US than in Europe, but an unprecedented number of different players is jostling to gain ground in the market.

Retailers such as McDonald's, for example, are evolving from cash and card transactions to contactless cards, allowing consumers to just ‘tap’ the card or the mobile phone.

These innovations are migrating to smartphones, so customers can download an app, pre-order goods before they arrive in a shop, select a time they want to pick them up and pay using the phone’s app.

Positions: 

“I trust the inventive spirit of fraudsters, and in this respect we are concerned about the details of consumers used for online banking being provided to any party,” said Farid Aliyev, the financial services officer at European consumer group BEUC.

“This is a niche but fast growing market and new actors will emerge and once [it takes off] it will certainly attract fraudsters. The solution we see would be for third party providers accessing consumer data not to be able to see all the details, and given only a specific remit to access the information.”

Timeline: 
  • February 2014: European Parliament to debate proposed updated Payment Services Directive proposal