Electronic payments (and how they are secured)

1. Preamble

“… for law, in its true notion, is not so much the limitation as the direction of a free and intelligent agent to his proper interest… where there is no law, there is no freedom,” wrote John Locke in 1690, the highly influential English philosopher and theorist of the Social Contract (Second Treatise of Government, Ch. VI, sec. 57).

There could, of course, be a long discussion about whether the law fulfils its purpose, especially in totalitarian regimes. But sometimes setting rules can prove very important for maintaining and extending freedom, and in such cases the rules are, most of the time, widely accepted.

One of these cases is that of the rules securing transactions and transacting parties as well as maintaining and extending the freedom of both.

In this context, we need the existence (and application) of relevant rules, although we already have way too many rules as a country.

The European Union leads the way, and in the right direction.


2. The new environment after Directive (EU) 2015/2366 (PSD2)

Since 14.9.2019, Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 has been applicable law. This Regulation supplements Directive (EU) 2015/2366 of the European Parliament and of the Council (also referred to as the “Second Directive with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication”, PSD2). The European Commission very recently published a concise summary of the new facts arising from the application of PSD2 to electronic payments in Europe. It should be noted that these new facts and rules cover electronic payments as a whole (among others, bank transfers and payments with credit or debit cards).

More precisely:

2.1. Regarding the Rights of the Consumers

Electronic payments taking place throughout the EU, as well as in Iceland, Norway and Liechtenstein, are becoming cheaper, easier and safer. It is now as easy and safe to make a payment across those countries as it would be within the consumer’s own country. Additional charges by a merchant when the consumer pays for a product or service using a card issued in the EU are no longer tolerated.

Everyone legally residing in Europe has the right to a bank account with which they can make electronic payments (a “Payment Account”): an account connected to a debit card, covering cash withdrawals, holding of funds, and making and receiving payments throughout Europe.

2.2. Regarding the charges imposed on the consumer

The Payment Account is provided free of charge or at a reasonable price. Cross-border payments in euro should cost the same as domestic ones. Cash withdrawals in euro outside the account holder’s own ATM network should also cost the same in the other EU member countries as in the account holder’s own country.

2.3. Regarding the safety of transactions

Since 14.9.2019, electronic payments have become more secure thanks to the strong authentication of users, since a combination of verification elements is now required (e.g. not only a PIN, but also the account holder’s fingerprint). The consumer’s liability for an unauthorised payment (e.g. if their credit card has been stolen) is limited to 50€, except in cases of gross negligence. The account holder is not responsible for any unauthorised payment made after they have informed the card’s issuing bank (e.g. of a stolen card), nor for payments conducted via the internet if the payment service provider or the bank has not implemented “strong customer authentication” (see 4 below). In cases where the total amount of the bill is not known in advance (e.g. car rentals, or accommodation expenses such as a hotel stay and the services used there), the business cannot charge at will, but only up to an amount which the card’s owner has approved in advance. Where a business has been authorised for “direct debit” of a bank account (e.g. for electricity, mobile phone or gas bills), the account holder has eight weeks to dispute amounts that may have been wrongfully charged. Moreover, the disputed amount must be refunded to them within ten working days.

2.4. Regarding the (reasonable) charges

The consumer has the right to know exactly what charges, if any, are imposed on their electronic payments. In general, merchants (whether in physical or online stores) do not have the right to impose a price greater than the published one (some kind of surcharge) when payment is made by debit or credit card. Only in some cases (e.g. for specific cards) is an additional charge possible, and it must not exceed the actual cost the merchant incurs because that specific payment method was chosen.

2.5. Regarding new technologies

Thanks to the evolution of technology, it is possible to use new, innovative financial services offered by properly licensed banks and other electronic payment service providers, apart from the account holder’s own bank. This means, for example, that an account holder can monitor their financial information and data, or make electronic payments, without a credit or debit card. But, just like banks, these new payment service providers must be properly licensed and supervised, and must of course handle consumers’ data securely. The EU rules ensure that electronic payments are conducted without problems. If a problem does occur, the consumer’s bank or other payment service provider must reply to the consumer’s complaint within fifteen (15) working days. If the account holder is not satisfied with the answer, they can file a complaint with the competent national authority.


3. Data and the necessity to guarantee electronic transactions

The competent authorities of the European Union have long been concerned with the security of transactions and the protection of the transacting parties. That is why Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 was issued and, as mentioned above, has applied since a few days ago (since 14.9.2019, article 38 § 2). As also mentioned above, this Regulation was issued to supplement Directive (EU) 2015/2366 of the European Parliament and of the Council (also referred to as the “Second Directive with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication”, PSD2), with regard to the regulatory technical standards for strong customer authentication and the common and secure open standards of communication.

Some of the data taken into account in issuing these legislative texts (the Directive and the Regulation) are very interesting. Specifically:

Directive (EU) 2015/2366 treats “secure electronic payments” as a necessity (characterising them as “…crucial in order to support the growth of the Union economy…”), aiming to close regulatory gaps and provide further legal clarity. The Directive also acknowledges what goes without saying: “…Safe and secure payment services constitute a vital condition for a well-functioning payment services market. Users of payment services should therefore be adequately protected against such risks. Payment services are essential for the functioning of vital economic and social activities…”.

Regulation (EU) 2018/389 also contains some very interesting recitals, setting out the data on which its new provisions are based.

For example: “Payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud. The authentication procedure should include, in general, transaction monitoring mechanisms to detect attempts to use a payment service user’s personalised security credentials that were lost, stolen, or misappropriated and should also ensure that the payment service user is the legitimate user and therefore is giving consent for the transfer of funds and access to its account information through a normal use of the personalised security credentials. Furthermore, it is necessary to specify the requirements of the strong customer authentication…”.

As technology progresses, so do the methods of committing fraud. That is why the Regulation also acknowledges that: “As fraud methods are constantly changing, the requirements of strong customer authentication should allow for innovation in the technical solutions addressing the emergence of new threats to the security of electronic payments. To ensure that the requirements to be laid down are effectively implemented on a continuous basis, it is also appropriate to require that the security measures for the application of strong customer authentication…”

And also: “As electronic remote payment transactions are subject to a higher risk of fraud, it is necessary to introduce additional requirements for the strong customer authentication of such transactions, ensuring that the elements dynamically link the transaction to an amount and a payee specified by the payer when initiating the transaction”.

And finally: “In order to ensure the application of strong customer authentication, it is also necessary to require adequate security features for the elements of strong customer authentication categorised as ‘knowledge’ (something only the user knows), such as length or complexity, for the elements categorised as ‘possession’ (something only the user possesses), such as …something the user is… such as algorithm specifications, biometric sensor and template protection features…”


4. The “strong customer authentication”

Based on all the above, it is obvious that “strong customer authentication” is a very important step towards the security of transactions addressed separately by the Directive and the Regulation mentioned above. This “strong authentication” is not necessary in all instances. In most cases, though, strong authentication of the transacting parties appears to be of the utmost importance, as does taking proper, increased security measures and having a secure connection for specific transactions with specific beneficiaries (article 97, Directive (EU) 2015/2366).

Such cases are, among others, those where payment service providers (e.g. financial institutions, electronic money institutions, postal cheque offices, payment institutions etc.): (a) gain access to the customer’s payment account online, (b) conduct the initial payment online, (c) remotely take any action that may involve a risk of fraud or other infringement.

In these specific cases, payment service providers apply strong customer authentication, which includes elements that dynamically and securely link the transaction to a specific amount and a specific payee.
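To make the “dynamic linking” idea concrete, here is an added illustration in Python; it is not code from the original article, the Regulation or any payment provider. The device secret (standing in for the “possession” element), the PIN (“knowledge” element), the challenge and the IBANs are all constructed demo values; a real provider would issue a fresh random challenge per transaction and keep the device key in protected hardware.

```python
import hashlib
import hmac

# Constructed demo values, not from the Regulation or any real provider: the
# device secret stands for the "possession" element, the PIN for "knowledge".
DEVICE_SECRET = bytes.fromhex("5d41402abc4b2a76b9719d911017c592" * 2)
SALT = b"psd2-demo-salt"
PAYEE = "GR16 0110 1250 0000 0001 2300 695"   # example IBAN, constructed
CHALLENGE = bytes.fromhex("0011223344556677")  # constructed; random per transaction in practice

def derive_key(device_secret: bytes, pin: str, salt: bytes = SALT) -> bytes:
    """Combine possession (device secret) and knowledge (PIN) into one key;
    neither element on its own reproduces it."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt + device_secret, 50_000)

def auth_code(key: bytes, amount_cents: int, payee_iban: str, challenge: bytes) -> str:
    """Authentication code dynamically linked to amount and payee: both are part
    of the MAC input, so changing either invalidates the code, and the
    provider-issued challenge makes each code single-use."""
    msg = f"{amount_cents}|{payee_iban}|{challenge.hex()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def verify(key: bytes, amount_cents: int, payee_iban: str, challenge: bytes, code: str) -> bool:
    """Provider-side check; constant-time comparison so the code is not leaked byte by byte."""
    expected = auth_code(key, amount_cents, payee_iban, challenge)
    return hmac.compare_digest(expected, code)

def demo() -> dict:
    """The legitimate case next to the tampering cases dynamic linking is meant to defeat."""
    key = derive_key(DEVICE_SECRET, "4821")
    code = auth_code(key, 12_500, PAYEE, CHALLENGE)     # payer approves 125.00 EUR to PAYEE
    other_iban = "DE89 3704 0044 0532 0130 00"          # example IBAN, constructed
    return {
        "legitimate": verify(key, 12_500, PAYEE, CHALLENGE, code),
        "amount_changed": verify(key, 99_900, PAYEE, CHALLENGE, code),
        "payee_changed": verify(key, 12_500, other_iban, CHALLENGE, code),
        "wrong_pin": verify(derive_key(DEVICE_SECRET, "0000"), 12_500, PAYEE, CHALLENGE, code),
        "replayed": verify(key, 12_500, PAYEE, bytes.fromhex("8899aabbccddeeff"), code),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} -> {'accepted' if ok else 'rejected'}")
```

Only the first case is accepted: a code approved for one amount and one payee is useless for any other amount, payee or transaction, and cannot be produced from the device alone without the PIN.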

In the rare case where these providers neglect this obligation, the responsibility and the relevant liability fall on them and not on the (non-culpable) customers.


5. In Conclusion

Payment services have, through the ages, proven necessary for the operation of vital economic and social activities: nobody can imagine any economy functioning without secure payment services. In today’s globalised economy, secure electronic payments have proven to be of vital importance (a “conditio sine qua non”) in order to support the desired, and in some cases absolutely necessary, development at national, European or global level.

“Strong customer authentication” aims, of course, to provide security and also to facilitate transactions, and so to protect and facilitate those transacting as well. The relevant rules, coming from the European Union, fulfil in this case John Locke’s requirement, stated in the introduction, regarding the (desired) objective of the law.

Development has proven to be closely tied, among other things, to the security of transactions. And we cannot but benefit from development. All of us.

So, since 14.9.2019, we are entitled to be a bit happier. And, most importantly, to feel safer.


Stavros Koumentakis
Senior Partner

P.S. A brief version of this article has been published in MAKEDONIA Newspaper (September 22nd, 2019).
