Out-Law News

Browser-based remote payment euro card systems should conform to PCI DSS security standards, payments body proposes


Systems that allow retailers to process card-based euro payments for goods or services ordered remotely should conform to existing data security standards that apply in the payments card industry, the European Payments Council (EPC) has proposed.

As part of the Single European Payments Area (SEPA) card framework initiative, which covers the payment function of euro card payments, the EPC has launched a consultation on the security requirements that should be applied to remote euro payments with cards (37-page / 762KB PDF) in SEPA. It said that PCI DSS (Payment Card Industry Data Security Standards) should apply where card payment processing is undertaken via "virtual point of interaction (POI)" systems.

"A virtual POI is web-browser based access to an acquirer, processor or third party service provider website to authorise payment card transactions, whereby the merchant manually enters (M)RP ((Mobile) Remote Payment) data via a securely connected web browser," the consultation paper said. "Alternatively depending upon the systems used ... this may also be automated. Unlike physical POI, virtual POIs do not read data directly from a payment card. As a result of this, virtual POIs are typically used instead of physical POIs in merchant environments undertaking mail order or telephone orders (MOTO)."

"These merchants process cardholder data via a virtual POI and do not store cardholder data on any computer system. These virtual POIs are either integrated in the merchant system or connected to the internet to access a third party that hosts the virtual POI payment processing function (payment gateway). This third party may be a processor, acquirer, or other third-party service provider who stores, processes, and/or transmits cardholder data to authorise and/or settle merchants’ virtual terminal payment transactions," it said.

"When using a Virtual POI it shall be conformant to the requirements of the PCI DSS to ensure the protection of the cardholder data throughout the transaction process," the EPC's paper said.

PCI DSS is the main standard related to storing payment card data and it sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions.

The EPC's plans would also require retailers that use other systems for processing remote card payments in euros to conform to a number of other PCI standards.

Technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said the inclusion of PCI standards in the EPC's proposals "is a further step towards giving PCI standards broad legal force across Europe".

"PCI standards are developed and policed by card schemes, not governments or parliaments, but they have been given legal status previously," McFadyen said. "This happened in 2010 in Nevada when compliance was mandated under state law. In the UK, though, compliance with PCI standards has remained broadly a contractual obligation."

"However, the Information Commissioner's Office effectively made compliance with PCI DSS the law in 2011 after identifying payment card data security failings with cosmetics retailer Lush. The ICO said that compliance with PCI DSS, or with equivalent data security standards, would be required if retailers were to avoid being issued with fines for breaching the Data Protection Act," he said.

"Differing interpretation of what compliance with PCI standards requires in practice by different Qualified Security Assessor (QSA) companies has caused problems in the past, and this problem looks likely to increase with the greater emphasis that will be placed on PCI standards compliance under the EPC's plans. All of this will increase the profile of PCI standards for legal and risk teams," the expert added.

The EPC said it had tried to "include and reference existing standards and sets of requirements" where possible in its proposals. It said that it had taken account of the recommendations for the security of internet payments that the European Central Bank set out in January. 

"Due in part to security concerns, many merchants have refrained from setting up e-commerce platforms and consumers may be reluctant to fully embrace the convenience of remote payments," the EPC said in a blog. "Considering the paramount importance of security in financial transactions, it is imperative to identify and analyse fraud methods targeting remote payments to prevent and combat fraud."

"The focus must be on minimising vulnerabilities resulting from mobile threats such as, for example, worms and malware, which are expected to escalate in the coming years especially through the use of mobile applications. The rapid proliferation of smart phones with the option of installing sophisticated payment applications has fuelled this development," it said.

"The [proposed security requirements] respond to the increasing use of remote card payments. The proposed requirements are designed to identify and protect against security threats and, consequently, help to establish an environment which allows both consumers and merchants to fully reap the benefits of exchanging goods and services online," it said.

The EPC's consultation on its proposals is open until 4 August.
