12 June 2014

European Payments Council calls on EU lawmakers to maintain the firewall protecting consumers making internet payments

In its blog, the EPC addresses the sharing of personalised security credentials. The EPC strongly recommends maintaining the principle that a consumer should never have to share his or her personal security credentials with third parties.

The Commission stated in its related ‘Frequently Asked Questions’ that its proposal for PSD2 aims, among other things, to “take account of new types of payment services (such as payment initiation services offered in the context of e-commerce)” and to ensure “a high level of consumer protection and of payments security”. It is the task of the European Parliament and the Council of the EU to determine whether the new rules related to payment initiation or payment account information services proposed by the Commission indeed ensure a high level of consumer protection and payments security.

In the view of the European Payments Council (EPC), this is not the case. Rather, at a time when everyone is discussing how to increase security and data protection in the digital world, the Commission effectively asks the EU co-legislators to tear down the ‘firewalls’ protecting consumers when making internet payments. Specifically, the Commission proposes abandoning the principle established with Article 56 of the PSD currently in effect that under no circumstances should a consumer share his or her personalised security credentials with third parties. Personalised security features include, for example, passwords and personal identification numbers (PINs) as well as mobile or indexed transaction authorisation numbers (TANs). Third parties are any party, including those offering payment initiation services, other than the account servicing payment service provider issuing such credentials to the account holder, i.e. the consumer.

The EPC strongly recommends maintaining the principle that a consumer should never have to share his or her personal security credentials with third parties. This is a pre-condition to ensuring the continued security of consumer’s funds and data in the online banking environment.

The EPC believes that it is not feasible to clearly define – and, for consumers, to distinguish between – “re-usable” and “non-reusable” credentials. Consequently, the EPC emphasises that the principle to not disclose personalised security credentials should continue to apply with regard to any such credentials regardless of whether these are “re-usable” or not.

Instead of lowering consumer protection standards, the EPC advocates taking into account the principles outlined in the legal opinion of the European Central Bank on the proposed PSD2 with regard to consumer protection and open access to payment account services.

Full blog

© EPC