At the Europe Community Meeting in London this week, a panel of European industry associations and standards organizations discussed challenges in payment security and the importance of collaboration. Panelist Oscar Covers, cyber security analyst for PCI SSC Affiliate Member Dutch Payments Association and chair of the European Card Payment Association (ECPA) security working group, shares his perspective on leading payment security issues in the region and the value of working together and sharing information across the industry in Europe and globally.
What are the top payment security challenges you see in Europe today?
Oscar Covers: It is difficult to predict how the European payment market will develop. Contactless payment methods and the mobile device will get a prominent place. It is for sure that the new European Payment Service Directive (PSD2) will lead to changes in the payments landscape. For instance, PSD2 offers the possibility to develop new payment methods based on the SEPA credit transfer (SCT) by third parties. Innovation is one driver behind PSD2, more security is another. The regulatory technical standards (RTS) on Strong Customer Authentication (SCA) and Secure Communication accompanying PSD2 detail the PSD2 requirements for SCA. The RTS also describe the possible exemptions from the SCA requirements, for instance for contactless card payments and based on Transaction Risk Analysis (TRA). The new security requirements will impact the current popular one-click payments and other seamless ways of payment customers just got used to.
How do you think merchants will adapt to PSD2, especially around strong customer authentication?
Oscar Covers: The challenge for banks and card issuers is to combine and integrate a good customer experience with SCA. I believe that the retailer, its payment processor and/or acquirer will work closely together to interpret and implement this regulation. The focus will be on the customer journey. The merchant likes a smooth payment process to reach maximum conversion. The chance the customer will abort the purchase because of a troublesome process is their shared nightmare, so I expect the development of smart solutions that recognize the customer in an early stage of the customer journey as a stepping stone towards strong customer authentication. The mobile phone will become an important instrument because it can perform all kinds of security functions, including biometric authentication which can be smoothly integrated in a payment process.
In addition to your work at Dutch Payments Association, you are a member of several national and international security and industry groups, including ECPA and PCI SSC. How does collaboration between these different industry bodies help to ensure the flow of a secure payment transaction?
Oscar Covers: In Europe the understanding grows that competition on security makes no sense. As a result, the European banks and payment institutions work more and more together to make electronic payments safer and to fight fraud. In the various European and national forums newly discovered fraud methods are shared, analyzed and effective countermeasures are exchanged. This has proven to be effective to reduce fraud and to increase the trust in electronic payments.
I am happy to share these positive experiences with PCI SSC participants. From the PCI SSC working groups and participants, I learn a lot concerning international trends, and involvement in the PCI Council gives me a good collaboration network that is in return very valuable to me.
What do you see for the future of security standards development as technology continues to evolve so rapidly?
Oscar Covers: I believe the need for standardization should not hamper innovation in security technology. We should focus on the objectives and once innovative technology is mature enough it should be standardized. Standardization remains important to achieve economies of scale.