New EU Rules could force extra security procedures on every online payment over €10 – Hayes
Brian Hayes MEP today said that proposed EU rules are on the table which would force customers to input additional security authentication information for every online purchase over €10.
“An attempt is being made through secondary EU legislation to rewrite the rules on how payment service providers have to verify customer details when making online payments.
“The Payment Services Directive II, which was adopted by the European Parliament in October 2015, broadly sets the groundwork for how customers authenticate themselves for online purchases. The mandate was then passed on to the European Banking Authority to flesh out the precise technical details on how exactly customer authentication should work in practice. This legislative process entitled ‘Delegated Acts’ has become more and more common following the Lisbon Treaty but it essentially gives more of a role to Supervisory Authorities like the EBA to conjure major changes with so-called technical amendments.
“The problem here is that the EBA has proposed a completely disproportionate approach for online payments. It has proposed that customers should provide extra security authentication for every online purchase over €10. Additionally, for contactless payment at the point of sale, extra security authentication would be required for any purchase over €50 under the EBA proposals.
“MEPs and Member States were very clear when they adopted the Payment Services Directive that customer authentication should be based on ‘the level of risk involved in the service provided’ as set out in Article 98.
“We all want the best security when we make online payments or payments at the point of sale. Fraud is a major challenge and we cannot allow for fraudsters to easily access customers’ financial information. But applying these harsh thresholds through a one-size-fits-all approach is completely disproportionate. It would make online shopping a much more onerous task, especially for those who are not particularly tech-savvy.
“There needs to be a risk-based approach to customer authentication. Risk-based authentication is already used in many EU countries and has been very effective at reducing fraud. Payment service providers can use a system of risk profiling where a transaction can go through a number of checks such as: i) is this normal activity for the customer; ii) is this a regular device they are using; iii) is their location consistent with previous purchases; iv) is this merchant susceptible to fraud; v) is this a normal transaction with the merchant? All of these checks must be completed before the transaction either goes to the customer authentication procedure or is allowed to pass.
“The EBA’s proposal is currently being scrutinised by the European Parliament and Council. Most likely in the second half of 2017 this will come for a vote before both institutions.”