Post on 15-Jul-2015
“A simpler, faster and safer identity experience”
1 iSignthis © 2014
ASX : ISX (listing March 2015)
EPSM March 2015 Presented by N J (John) Karantzis, B.E. LL.M. MEnt.
Who is iSignthis Ltd? We are an ASX listed identity company, providing global, remote, fully automated KYC to assist with Anti Money Laundering / Counter Terrorism Funding compliance. We process payments in order to unlock identity and to verify ownership of payment instruments. We offer identity applications for consumer and merchant on-boarding.
European Forum on the Security of Retail Payments (SecuRe Pay):
• One Leg Out
• AML/CTF KYC
• Anti Fraud
• Two Factor Authentication
• Security
• Technology Neutral
• Online Payments
SecuRe Pay Members
• 2011-13: National Regulators & ECB agree SecuRe Pay scope
• Feb 2013: ECB publishes Guidelines
• Mid 2013: EC accepts Guidelines into PSD2 draft
• Dec 2014: EBA accepts Guidelines and regulates PSPs via National Regulators
• Feb 2015: ECB publishes Card Scheme Guidelines and regulates
Scope: Security of Internet Payments
• Cards / Virtual Cards
• eWallets & Card onboarding
• Credit Transfers (CT)
• eMandates / direct debits
• eMoney account transfers
Source: ECB: ECB_SEcuREPAY_20130305_COGEPS_Item_B5
August 2015
Excluded from Scope
Excluded from the scope of SecuRe Pay:
– other internet services provided by a PSP via its payment website (e.g. e-brokerage, online contracts);
– payments where the instruction is given by post, telephone, voice mail or using SMS;
– mobile payments other than browser-based payments;
– CTs where a third-party accesses the customer’s payment account;
– payment transactions made by an enterprise via dedicated networks;
– card payments using anonymous and non-rechargeable physical or virtual pre-paid cards;
– clearing and settlement of payment transactions.
Source: ECB: Page 2, RECOMMENDATIONS FOR THE SECURITY OF INTERNET PAYMENTS FINAL VERSION AFTER PUBLIC CONSULTATION
BaFin ….. Regulatory Fragmentation?
Legal Basis – EBA’s role & PSPs (Payment Service Providers)
The EBA guidelines have been issued pursuant to Article 16 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC (‘the EBA Regulation’).
In accordance with Article 16(3) of the EBA Regulation, national authorities and financial institutions must make every effort to comply with the guidelines.
Legal Basis – ECB’s Role & Liability Shift Basis
ECB Recommendations, Scope, Page 1: “Unless stated otherwise, the recommendations, key considerations and best practices specified in this report are applicable to all PSPs, as defined in the Payment Services Directive 2007/64/EC, providing internet payment services, as well as to governance authorities (GAs) of payment schemes (including card payment schemes, credit transfer schemes, direct debit schemes, etc.)”
Card Schemes: European Central Bank (2009), Harmonised oversight approach and oversight standards for payment instruments, and Feb 2015 “Guide for the assessment of such schemes against the oversight standards”
Liability Shift is regulated by the ECB, not the EBA.
ECB Recommendations for the Security of Internet Payments KC 7.6 & Guide 3.3.2.4: “All payment schemes should promote the implementation of strong customer authentication by introducing a liability regime for the participating PSPs in and across all European markets.”
Weakest Link Principle (footnote 22): “The liability regime should provide that a PSP must refund other PSPs for any fraud resulting from weak customer authentication.”
What’s required – 3 key parts
1. General control and security environment
• Governance • Risk assessment • Incident monitoring and reporting • Protection of sensitive payment data • Risk control and mitigation • Traceability
2. Customer awareness, education, and communication
• Customer education • Provision of a secure channel for communication • Notifications, setting of limits • Customer access to information on the status of payment initiation and execution • ‘Good Time’ for access of information
3. Specific control and security measures for internet payments
• Initial customer identification, information • Strong customer authentication • Transaction monitoring
[Slide annotation: PCI DSS]
Target Application
• Issuing Payment Service Providers (PSP)
• Acquiring Payment Service Providers (PSP)
Expanded definition of acquiring PSP, per EBA Scope Item 10 and ECB Scope Page 2:
“Payment integrators offering payment initiation services are considered either as acquirers of internet payment services (and thus as PSPs) or as external technical service providers of the relevant schemes or PSPs. In the latter case, the payment integrators should be contractually required to comply with the guidelines.
Payment integrators provide the payee (i.e. the e-merchant) with a standardised interface to payment initiation services provided by PSPs.”
Policy Objective: “One Leg Out” Authentication, per ECB 2014 policy document.
Acquiring Side Specific Obligations
Three categories of requirement: Issuer, Acquirer, Common. Acquirers now have their own separate responsibilities outlined.
Specific Acquiring Side obligations:
• 3.4 & 4.8: Acquiring PSPs should contractually require e-merchants …….. If a PSP becomes aware that an e-merchant is not cooperating as required under the contract, it should take steps to enforce this contractual obligation, or terminate the contract. [e-Merchant - Comply or else!]
• 7.4 [cards]: PSPs offering acquiring services ……….. perform strong authentication of the cardholder for the card payment schemes in which the acquirer participates.
• 7.5 [cards]: PSPs offering acquiring services should require their e-merchant to support solutions ……….. The use of alternative authentication measures could be considered for pre-identified categories of low-risk transactions, e.g. ……. involving low-value payments, as referred to in the PSD. [Some room to move?]
• 10.2: Acquiring PSPs should have fraud detection and prevention systems in place to monitor e-merchant activities.
Solutions should conform
• The ECB and EPC have been coordinating to ‘standardise’ on behalf of PSPs.
• DIY may be possible, but carries risks, and may not be acceptable.
• The EPC has developed the SEPA Cards Volume (SCV) …… iSignthis has contributed as part of the Card Stakeholder Group.
• EPC public consultation: 10 March 2015 until 5 June 2015.
How can we help?
• ONE low cost integration to cover 3DS and non-3DS cards
• AUTOMATED FAST / LOW FRICTION global on-boarding
• Support for ALL MAIN payment types and methods (incl. telephone)
• LIABILITY SHIFT for SEPA issued card transactions
• MOBILE and TABLET friendly design
• Further FRAUD REDUCTION for all acquired transactions (global)
• Basis for both AML/CTF KYC and SecuRe Pay COMPLIANCE, incl. “one leg out”
…without deterioration to your checkout conversion rate
Summary
• Acquiring side PSPs must do something by August 2015
• Compliance as an acquiring PSP stands alone from the issuer
• Card schemes are obligated to introduce a liability shift for Strong Customer Authentication
• Policy driver includes “one leg out” transactions acquired from outside SEPA (to be introduced via PSD2)
• A single solution across multiple payment means is preferred