ECB launches public consultation on Recommendations for the security of mobile payments

20 November 2013

The Governing Council of the ECB has launched a public consultation on the "Recommendations for the security of mobile payments", in the context of the work undertaken by the European Forum on the Security of Retail Payments. Comments are requested by 31 January, 2014.

The use of mobile devices and technologies for payments creates new risks to the security of payments. There are several reasons for that:

• the current generation of mobile devices and their operating systems was generally not designed with the security of payments in mind.
• the use of radio technology for the transmission of sensitive payment data and personal data exposes mobile payments to risks that other payments do not entail.
• compared with traditional payments, mobile payments involve new actors, including mobile network operators.
• the general public may be less aware of information security risks when using mobile devices compared with when making internet payments from desktop PCs or laptops at home.

For these reasons – and notwithstanding the fact that mobile payments are still at an early stage of development and deployment – the Forum has prepared draft recommendations for the security of mobile payments. This work also has the benefit of developing a harmonised European approach to solutions that have the potential to develop more easily than traditional payments, also across national borders.

The present draft recommendations cover all payments in which the mobile device of a customer is used as a device to initiate a payment, except when the customer only uses a web browser to access the internet. In the latter case, the payment is considered as an internet payment, which is covered by the “Recommendations for the security of internet payments”. In practice, the present draft recommendations cover the following three categories of payments:

• contactless payments (e.g. using NFC technology),
• payments using a mobile payment application (“app”) previously downloaded onto the customer’s mobile device, and
• payments via a mobile network operator’s channel (using SMS, USSD or voice technology) with no specific “app” previously downloaded onto the customer’s mobile device (hereafter referred to as “SMS payments”).

Among the issues market participants may wish to comment on, the Forum would like to highlight the following two. The first is whether it is justified to maintain SMS payments within the scope of the report and, if so, how far the proposed recommendations would appropriately cover these payments. The second issue relates to the requirement of strong customer authentication for mobile payments and, in particular, an exemption from that requirement that could be considered for predefined categories of low-risk transactions based on a transaction risk analysis. Such an exemption would align the present recommendations with those the Forum developed for internet payments. At the same time, however, it would create a difference in security requirements compared with those for “card-present” payments, which may be difficult to justify. On both issues, views of market participants would provide important input for the finalisation of the work of the Forum on mobile payments.

All interested parties are invited to comment on the draft “Recommendations for the security of mobile payments” by 31 January, 2014.

Press release

Draft recommendations

Template for comments

© ECB - European Central Bank