This means no sharing of any personalised security credentials with third parties, according to Javier Santamaría, European Payments Council (EPC) Chair. Further considerations on the topic you will find below, as they were presented by Santamaria on the EPC blog.
At a time when everyone is discussing how to increase security and data protection in the digital world, the Commission effectively asks the EU co-legislators to tear down the ‘firewalls’ protecting consumers when making internet payments. Specifically, the Commission proposes abandoning the principle established with Article 56 of the PSD currently in effect that under no circumstances should a consumer share his or her personalised security credentials with third parties.
Personalised security features include, for example, passwords and personal identification numbers (PINs) as well as mobile or indexed transaction authorisation numbers (TANs). Third parties are any party, including those offering payment initiation services, other than the account servicing payment service provider issuing such credentials to the account holder, i.e. the consumer.
The EPC strongly recommends maintaining the principle that a consumer should never have to share his or her personal security credentials with third parties. This is a pre-condition to ensuring the continued security of consumer’s funds and data in the online banking environment.
The working party of the Council of the EU, tasked with reviewing the proposed PSD2, considers introducing the concept of “re-usable” and “non re-usable” personalised security features. According to the working party, “credentials which by their nature are non-specific to an individual authentication session and which might be re-used for other purposes (than the original authentication)” would be considered “re-usable” personal security credentials.
The EU Council’s working party recommends that consumers should not share “re-usable” credentials with parties other than their own account servicing payment service provider. However, the working party endorses that consumers may disclose “non re-usable” personalised security credentials to third parties. This concept is based on the (erroneous) assumption that “non re-usable” credentials would not be vulnerable to being misused.
Introducing the concept of “re-usable” and “non re-usable” security credentials requiring consumers to identify what is what, (and what to share or not with third parties), would add a level of complexity which might result in consequences surely not intended by the EU co-legislators: firstly, as opposed to making internet payments more convenient, these would become more cumbersome. Secondly, considering that “non re-usable” personalised security credentials are as vulnerable to misuse as are “re-usable” ones, the concept now contemplated by the working party of the Council of the EU might result in a lack of consumer trust in online payments.
The only way forward to ensure an adequate level of consumer protection with the forthcoming PSD2 is to maintain trust and guarantee minimal risk exposure for consumers in the area of online payments. This includes establishing a clear liability model based on the principle that consumers must not share any personalised security credentials with any other party than the consumer’s own payment service provider. This approach allows conveying straightforward security advice to consumers with respect to online payments involving third parties that can easily be understood and adhered to.
With its legal opinion on the proposed PSD2 published in February 2014, the European Central Bank (ECB) states: “In order to combine security requirements and customer protection with the idea of open access to payment account services, the ECB suggests that customers are appropriately authenticated by relying on a strong customer authentication system. TPPs [third party payment service providers] could ensure this through either redirecting the payer in a secure manner to their account servicing payment service provider or issuing their own personalised security features. Both options should form part of a standardised European interface for payment account access. This interface should be based on an open European standard and allow any TPP to access payment accounts at any PSP [payment service provider] throughout the [European] Union.”
The EPC invites the EU co-legislators, i.e. the Council of the EU and the European Parliament, to take these proposals by the European Central Bank into consideration during the ongoing review and further dialogue on the proposed PSD2.
Lowering consumer protection standards in the area of payment initiation services is not the appropriate means to incentivise innovation and competition to the benefit of payers (consumers) and payees (merchants). Rather, it risks resulting in the opposite of the stated intentions. The EPC has repeatedly stressed: Convenience is a priority. Security is indispensable. Promoting payment innovation to the benefit of both payers and payees requires combining the two.
Anyone with an interest in incentivising payers and payees to embrace innovative payment solutions – regardless of whether these are offered by ‘banks’ or ‘non-banks’, existing or new players – should adhere to the principle of ‘safety first’. The impact of any security breach on consumers’ trust in forward-looking payment technologies will hardly be conducive to realising the Commission’s “Digital Agenda” and vision of Europe being “at the cutting edge of what ‘making a payment’ could mean in the future.”
„Tendinţele pe care le-am remarcat înainte de începerea pandemiei s-au accelerat pe perioada stării de urgenţă. Am văzut acest lucru ca o oportunitate, un tipping point pentru bancă. Post-pandemie nu avem cum sa ne întoarcem la comportamentul financiar pe care îl aveam până în februarie a.c. Relaţia românilor cu online-ul s-a schimbat. In plus, cardul fizic se va dematerializa. Vom asista la o scădere a cererii pentru cardurile fizice, respectiv la o creştere a preferinţei pentru componenta digitală a acestora.”