The ECB has proposed the creation of a raft of new mobile payments security standards (26-page / 361KB PDF) that payment service providers (PSPs) and 'mobile payment solution providers' (MPSPs) should have to adhere to. MPSPs are defined as the "governance authorities of payment instrument schemes developing and offering payment services".
Where third parties are "involved in the provision of the mobile payment service" it would be up to MPSPs to ensure that their services comply with the recommendations, the ECB said.
The ECB has also outlined some best practices which it has encouraged mobile network operators, device manufacturers and mobile device operating system providers, among others, to adopt.
The recommendations have been issued with a variety of different forms of mobile payment mechanisms in mind, including 'near-field communication' contactless payment technology and payments made through mobile apps. Payments made on a mobile device via a standard web browser are outside the scope of the recommendations.
The ECB's plans, if introduced, would require MPSPs and PSPs, such as banks and credit card companies, to implement "a procedure for prompt notification to the competent authorities (i.e. supervisory, oversight and data protection authorities) in the event of major payment security incidents with regard to the payment services provided, including data breaches".
The companies would also have to have a formal security policy in place for mobile payment services and engage in ongoing risk assessment to ensure the security of those services, the ECB said.
"The assessment of risks should address the need to protect and secure sensitive payment data," the ECB said. "MPSPs should undertake a review of key risk scenarios and existing security measures, after major incidents affecting their services, before and/or after a major change to the infrastructure or procedures including third party infrastructures (and major changes in mobile devices’ operating system releases) and when new threats are identified through risk monitoring activities."
Responsibility for risk monitoring, control and mitigation duties should be set out in the security policy, it said. MPSPs' policy should also account for risks presented from interactions with mobile network operators, device manufacturers and other third parties, it added.
Other proposals listed seek to ensure that there is an audit trail for mobile payments and that there are customer identification and authentication measures in place to mitigate against the risk of fraud and money laundering.
Earlier this year the ECB finalised new security standards for internet payments. It has now said that mobile payments security should at least match the standards that apply in that framework.
"The establishment of harmonised European high-level recommendations for the security of mobile payments is expected to contribute to mitigating payment fraud and enhancing consumer trust in mobile payments," the ECB said in its draft recommendations document.
The ECB's consultation on its proposals is open until 31 January 2014 and it is expected that the final recommendations will have to be adhered to from some time in 2017.
"The proposals would place a number of additional compliance obligations on banks and introduce extra costs to their business models, but additionally will affect any other companies looking to establish themselves as operators of mobile payment services in what is still a fertile market for startups and other new players," technology and payments law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said.
"Of particular interest are plans to require PSPs and MPSPs to ensure that their contracts with third parties such as mobile network operators, device manufacturers and app developers stipulate that those businesses will cooperate with them, and law enforcement bodies, when major security incidents arise. MPSPs would also face additional duties to ensure software security is kept up to date, whilst obligations on the type of information MPSPs have to share with customers before facilitating mobile payments would also be extended raising the prospect of 'information overload' for the consumer."
McFadyen said that it would be interesting to see how the ECB's recommendations tie-in with the review the UK's Financial Conduct Authority (FCA) is currently undertaking into mobile banking. He said the FCA would, under the ECB's plans, be obliged to oversee compliance with the new mobile payment security standards and therefore hopefully it will be consistent if it demands any action be taken by operators following its mobile banking review.
Editor's note 21/11/13: a comment from Angus McFadyen of Pinsent Masons was added to the story.
