ECB launches public consultation on Recommendations for the Security of mobile payments

(PresseBox) ( Frankfurt am Main, )
On 15 November 2013 the Governing Council of the European Central Bank (ECB) decided to launch a public consultation on the "Recommendations for the security of mobile payments", in the context of the work undertaken by the European Forum on the Security of Retail Payments.

The Forum was established in 2011 as a voluntary cooperative initiative between relevant authorities from the European Economic Area - supervisors of payment service providers and overseers in particular - formed with the objective of facilitating common knowledge and understanding of issues related to the security of electronic retail payment services and instruments and, where necessary, issuing recommendations. A report on the security of internet payments was issued for public consultation in April 2012, followed by a report on "payment account access" services in January 2013. The current draft report on the security of mobile payments is the third of its kind.

The use of mobile devices and technologies for payments creates new risks to the security of payments. There are several reasons for that. First, the current generation of mobile devices and their operating systems was generally not designed with the security of payments in mind. Second, the use of radio technology for the transmission of sensitive payment data and personal data exposes mobile payments to risks that other payments do not entail. Third, compared with traditional payments, mobile payments involve new actors, including mobile network operators. The general public, finally, may be less aware of information security risks when using mobile devices compared with when making internet payments from desktop PCs or laptops at home. For these reasons - and notwithstanding the fact that mobile payments are still at an early stage of development and deployment - the Forum has prepared draft recommendations for the security of mobile payments. This work also has the benefit of developing a harmonised European approach to solutions that have the potential to develop more easily than traditional payments, also across national borders.

The present draft recommendations cover all payments in which the mobile device of a customer is used as a device to initiate a payment, except when the customer only uses a web browser to access the internet. In the latter case, the payment is considered as an internet payment, which is covered by the "Recommendations for the security of internet payments". In practice, the present draft recommendations cover the following three categories of payments: contactless payments (e.g. using NFC technology), payments using a mobile payment application ("app") previously downloaded onto the customer's mobile device, and payments via a mobile network operator's channel (using SMS, USSD or voice technology) with no specific "app" previously downloaded onto the customer's mobile device (hereafter referred to as "SMS payments").

Among the issues market participants may wish to comment on, the Forum would like to highlight the following two. The first is whether it is justified to maintain SMS payments within the scope of the report and, if so, how far the proposed recommendations would appropriately cover these payments. The second issue relates to the requirement of strong customer authentication for mobile payments and, in particular, an exemption from that requirement that could be considered for predefined categories of low-risk transactions based on a transaction risk analysis. Such an exemption would align the present recommendations with those the Forum developed for internet payments. At the same time, however, it would create a difference in security requirements compared with those for "card-present" payments, which may be difficult to justify. On both issues, views of market participants would provide important input for the finalisation of the work of the Forum on mobile payments.

All interested parties are invited to comment on the draft "Recommendations for the security of mobile payments" by 31 January 2014.

The report, as well as detailed information on how to participate in the consultation, is available on the ECB's website.
The publisher indicated in each case is solely responsible for the press releases above, the event or job offer displayed, and the image and sound material used (see company info when clicking on image/message title or company info right column). As a rule, the publisher is also the author of the press releases and the attached image, sound and information material.
The use of information published here for personal information and editorial processing is generally free of charge. Please clarify any copyright issues with the stated publisher before further use. In the event of publication, please send a specimen copy to