{"id":37800,"date":"2019-09-22T08:06:19","date_gmt":"2019-09-22T05:06:19","guid":{"rendered":"https:\/\/koumentakislaw.gr\/articles\/hlektronikes-plhromes-kai-asfaleia\/"},"modified":"2019-10-20T11:37:53","modified_gmt":"2019-10-20T08:37:53","slug":"electronic-payments-and-security","status":"publish","type":"post","link":"https:\/\/koumentakislaw.gr\/en\/articles\/electronic-payments-and-security\/","title":{"rendered":"Electronic payments (and how they are secured)"},"content":{"rendered":"<h3><strong>1. Preamble<\/strong><\/h3>\n<p><em>\u201c\u2026 for law, in its true notion, is not so much the limitation as the direction of a free and intelligent agent to his proper interest\u2026 where there is no law, there is no freedom\u201d wrote John Locke in 1690, an English philosopher of great influence and a theorist of the Social Contract (Second Treatise of Government, Ch. VI, <\/em><em>sec. 57).<\/em><\/p>\n<p>There could, of course, be a long discussion about whether the law fulfills its purpose \u2013 especially in totalitarian regimes. But sometimes setting rules proves very important for maintaining and extending freedom. In these cases it is, most of the time, widely accepted.<\/p>\n<p>One such case is that of the rules securing transactions and transacting parties, and maintaining and extending the freedom of both.<\/p>\n<p>In this context, we need the existence (and application) of relevant rules, although we already have far too many rules as a country.<\/p>\n<p>The European Union leads the way. The way in the right direction.<\/p>\n<p>&nbsp;<\/p>\n<h3><strong>2. 
The new environment after Directive (EU) 2015\/2366 (PSD 2)<\/strong><\/h3>\n<p>Since 14.9.2019, the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX%3A32018R0389\"><strong>Commission Delegated Regulation (EU) 2018\/389 of 27 November 2017<\/strong><\/a> has been applicable law. This regulation supplements the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX%3A32015L2366\"><strong>Directive (EU) 2015\/2366 of the European Parliament and of the Council<\/strong><\/a> (also referred to as \u201cSecond Directive with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication\u201d, PSD2). The European Commission very recently published, in concise form, the <a href=\"https:\/\/ec.europa.eu\/info\/sites\/info\/files\/business_economy_euro\/banking_and_finance\/documents\/leaflet-your-rights-payments-eu_en.pdf\"><strong>new facts<\/strong><\/a> that follow from the application of PSD2 to electronic payments in Europe. It should be noted that these new facts and rules cover electronic payments as a whole (among others bank transfers and payments with credit or debit cards).<\/p>\n<p>More precisely:<\/p>\n<h4><strong>2.1. Regarding the Rights of the Consumers<\/strong><\/h4>\n<p>Electronic payments taking place throughout the EU, and also in Iceland, Norway and Liechtenstein, are becoming cheaper, easier and safer. It is now as easy and safe to make a payment across those countries as it would be if the payment were made within the consumer\u2019s country. 
Additional charges by a merchant when the consumer pays for a product or a service using a card issued in the EU are no longer tolerated.<\/p>\n<p>Everyone legally residing in Europe has the right to a bank account with which they can make electronic payments (\u201cPayment Account\u201d): an account connected to a debit card, covering cash withdrawals, holding of funds, and making and receiving payments throughout Europe.<\/p>\n<h4><strong>2.2. Regarding the charges imposed on the consumer<\/strong><\/h4>\n<p>The Payment Account is provided free of charge or at a reasonable price. Cross-border payments in euro should cost the same as domestic ones. Cash withdrawals in euro outside the beneficiary\u2019s ATM network should also cost the same when made in other EU member countries as in the country of the beneficiary.<\/p>\n<h4><strong>2.3. Regarding the safety of transactions<\/strong><\/h4>\n<p>Since 14.9.2019, electronic payments have become more secure thanks to the strong identification of users, since a combination of verification elements is required (e.g. not only a PIN, but also the beneficiary\u2019s fingerprint). The consumer\u2019s liability in case an unauthorized payment is made (e.g. if their credit card has been stolen) is limited to 50\u20ac, except for cases of gross negligence. The account\u2019s beneficiary is not responsible for any unauthorized payment made after they have informed the card\u2019s issuing bank (e.g. in case of a stolen card), nor for payments conducted via the internet if the payment service provider or the bank has not implemented \u201cstrong customer authentication\u201d (below under 4). In cases where the total amount of the bill is not known in advance (e.g. 
in car rentals or in covering accommodation expenses, like staying at a hotel and using the services it provides), the business owner cannot charge at will, but only up to an amount which the card\u2019s owner has approved in advance. Where a business has been authorized for \u201cdirect debit\u201d of a bank account (e.g. for paying electricity, mobile phone or gas bills), the beneficiary has eight weeks to dispute amounts that may have been wrongfully charged. Moreover, the disputed amount must be refunded to them within ten working days.<\/p>\n<h4><strong>2.4. Regarding the (reasonable) charges<\/strong><\/h4>\n<p>The consumer has the right to know exactly the charges, if any, imposed on their electronic payments. In general, merchants (in either physical or electronic stores) do not have the right to impose a price greater than the published one (some kind of surcharge) when payment is made by debit or credit card. Only in some cases (e.g. for specific cards) is an additional charge possible, and it must not be greater than the true cost the merchant incurs because that specific payment method was chosen.<\/p>\n<h4><strong>2.5. Regarding new technologies<\/strong><\/h4>\n<p>Thanks to the evolution of technology, it is possible to use new, innovative financial services offered by properly licensed banks and other electronic payment service providers \u2013 apart from the beneficiary\u2019s own bank. This means, for example, that a beneficiary can monitor their financial information and data, or make electronic payments, without a credit or debit card. But, just like the banks, these new payment service providers must be properly licensed and monitored and must, of course, handle consumers\u2019 data securely. The EU rules ensure that electronic payments are conducted without problems. 
If any problem occurs, the consumer\u2019s bank or other payment service provider must reply to the consumer\u2019s complaint within fifteen (15) working days. If the beneficiary is not satisfied with the answer, they can file a complaint with the competent national authority.<\/p>\n<p>&nbsp;<\/p>\n<h3><strong>3. Data and the necessity to guarantee electronic transactions<\/strong><\/h3>\n<p>The competent authorities of the European Union have long been concerned with the security of transactions and the protection of the transacting parties. That is why the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/PDF\/?uri=CELEX:32018R0389&amp;from=EN\"><strong>Commission Delegated Regulation (EU) 2018\/389 of 27 November 2017<\/strong><\/a> was issued and, as mentioned above, has applied since a few days ago (14.9.2019; article 38 \u00a7 2). This regulation was issued, as also mentioned above, to supplement the <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/En\/TXT\/PDF\/?uri=CELEX:32015L2366&amp;from=En\">Directive (EU) 2015\/2366 of the European Parliament and of the Council<\/a> (also referred to as \u201cSecond Directive with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication\u201d, PSD2), with regulatory technical standards for strong customer authentication and common and secure open standards of communication.<\/p>\n<p>Some of the data taken into account when these legislative texts (Directive and Regulation) were issued are very interesting. Specifically:<\/p>\n<p>Directive (EU) 2015\/2366 considers it a necessity to have \u201csecure electronic payments\u201d (characterizing them as <em>\u201c\u2026crucial in order to support the growth of the Union economy\u2026<\/em>\u201d), to close regulatory gaps, and to provide further legal clarity. 
The Directive also accepts what goes without saying, namely: \u201c<em>\u2026Safe and secure payment services constitute a vital condition for a well-functioning payment services market. Users of payment services should therefore be adequately protected against such risks. Payment services are essential for the functioning of vital economic and social activities\u2026<\/em>\u201d.<\/p>\n<p>Some very interesting assumptions can be found in Regulation (EU) 2018\/389; they set out the data on which the Regulation based its new provisions.<\/p>\n<p>For example: \u201c<em>Payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud. The authentication procedure should include, in general, transaction monitoring mechanisms to detect attempts to use a payment service user&#8217;s personalised security credentials that were lost, stolen, or misappropriated and should also ensure that the payment service user is the legitimate user and therefore is giving consent for the transfer of funds and access to its account information through a normal use of the personalised security credentials. Furthermore, it is necessary to specify the requirements of the strong customer authentication\u2026<\/em>\u201d.<\/p>\n<p>As technology progresses, the methods of committing fraud progress with it. 
That is why the Regulation also accepts that: \u201c<em>As fraud methods are constantly changing, the requirements of strong customer authentication should allow for innovation in the technical solutions addressing the emergence of new threats to the security of electronic payments. To ensure that the requirements to be laid down are effectively implemented on a continuous basis, it is also appropriate to require that the security measures for the application of strong customer authentication\u2026<\/em>\u201d<\/p>\n<p>And also: \u201c<em>As electronic remote payment transactions are subject to a higher risk of fraud, it is necessary to introduce additional requirements for the strong customer authentication of such transactions, ensuring that the elements dynamically link the transaction to an amount and a payee specified by the payer when initiating the transaction<\/em>\u201d.<\/p>\n<p>And finally: \u201c<em>In order to ensure the application of strong customer authentication, it is also necessary to require adequate security features for the elements of strong customer authentication categorised as \u2018knowledge\u2019 (something only the user knows), such as length or complexity, for the elements categorised as \u2018possession\u2019 (something only the user possesses), such as \u2026something the user is\u2026 such as algorithm specifications, biometric sensor and template protection features\u2026<\/em>\u201d<\/p>\n<p>&nbsp;<\/p>\n<h3><strong>4. The \u201cstrong customer authentication\u201d<\/strong><\/h3>\n<p>Based on all the above, it is obvious that \u201cstrong customer authentication\u201d is a very important step towards achieving the security of transactions that the Directive and the Regulation mentioned above each refer to. This \u201cstrong authentication\u201d is not necessary in all instances. 
In most cases, though, the need for strong authentication of the transacting parties seems to be of the utmost importance, and so is taking proper, increased security measures and having a secure connection for specific transactions with some specific beneficiaries (article 97, Directive (EU) 2015\/2366).<\/p>\n<p>Such cases are, among others, those where payment service providers (e.g. financial institutions, electronic money institutions, post office giro institutions, payment institutions etc.): (a) gain access to the customer\u2019s payment account online, (b) initiate an electronic payment transaction, (c) remotely take any action that may involve a risk of payment fraud or other abuse.<\/p>\n<p>In these specific cases, the payment service providers apply strong customer authentication which includes elements that dynamically and securely link the transaction to a specific amount and a specific beneficiary.<\/p>\n<p>In the rare case, though, where these providers overlook their obligation, the responsibility and the relevant liabilities burden them and not the (non-culpable) customers.<\/p>\n<p>&nbsp;<\/p>\n<h3><strong>5. In Conclusion<\/strong><\/h3>\n<p>Payment services, through the ages, have proven necessary for the operation of vital financial and social activities: nobody can imagine any economy functioning without secure payment services. In the globalized economy of our times, secure electronic payments have proven to be of vital importance (\u201cconditio sine qua non\u201d) in order to support the desired (at a national, European or global level) and in some cases absolutely necessary development.<\/p>\n<p>The \u201cstrong customer authentication\u201d is of course aiming to provide security and also to facilitate transactions. And, of course, to secure and facilitate those transacting as well. 
The relevant rules, coming from the European Union, fulfill, in this case, John Locke\u2019s requirement, stated in the introduction, about the (desired) objective of the law.<\/p>\n<p>Development has proven to be closely tied to the security of transactions, among other things. And we cannot but benefit from development. All of us.<\/p>\n<p>So, since 14.9.2019, we are entitled to be a bit happier. And, most importantly, to feel safer.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-34861 size-thumbnail alignnone\" src=\"http:\/\/koumentakislaw.gr\/wp-content\/uploads\/2016\/04\/Koumentakis-and-Associates-Stavros-Koumentakis-Home-572-600-150x150.jpg\" alt=\"stavros-koumentakis\" width=\"150\" height=\"150\" srcset=\"https:\/\/koumentakislaw.gr\/wp-content\/uploads\/2016\/04\/Koumentakis-and-Associates-Stavros-Koumentakis-Home-572-600-150x150.jpg 150w, https:\/\/koumentakislaw.gr\/wp-content\/uploads\/2016\/04\/Koumentakis-and-Associates-Stavros-Koumentakis-Home-572-600-80x80.jpg 80w\" sizes=\"auto, (max-width: 150px) 100vw, 150px\" \/><\/p>\n<h4><a href=\"https:\/\/koumentakislaw.gr\/en\/the-team\/stavros-koumentakis\/\">Stavros Koumentakis<\/a><br \/>\n<em>Senior Partner<\/em><\/h4>\n<p>P.S. A brief version of this article has been published in MAKEDONIA Newspaper (September 22nd, 2019).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>1. 
Preamble \u201c\u2026 for law, in its true notion, is not so much the limitation as the direction of a free and intelligent agent to his proper interest\u2026 where there is no law, there is no freedom\u201d wrote John Locke in 1690, an English philosopher of great influence and a theorist of the&#8230;<\/p>\n","protected":false},"author":3,"featured_media":37970,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[206],"tags":[157,426],"class_list":["post-37800","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles","tag---en","tag-426"],"_links":{"self":[{"href":"https:\/\/koumentakislaw.gr\/en\/wp-json\/wp\/v2\/posts\/37800","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/koumentakislaw.gr\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/koumentakislaw.gr\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/koumentakislaw.gr\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/koumentakislaw.gr\/en\/wp-json\/wp\/v2\/comments?post=37800"}],"version-history":[{"count":4,"href":"https:\/\/koumentakislaw.gr\/en\/wp-json\/wp\/v2\/posts\/37800\/revisions"}],"predecessor-version":[{"id":37965,"href":"https:\/\/koumentakislaw.gr\/en\/wp-json\/wp\/v2\/posts\/37800\/revisions\/37965"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/koumentakislaw.gr\/en\/wp-json\/wp\/v2\/media\/37970"}],"wp:attachment":[{"href":"https:\/\/koumentakislaw.gr\/en\/wp-json\/wp\/v2\/media?parent=37800"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/koumentakislaw.gr\/en\/wp-json\/wp\/v2\/categories?post=37800"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/koumentakislaw.gr\/en\/wp-json\/wp\/v2\/tags?post=37800"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}