15 May 2014: Review by Sylvie Gibert, President of the Smart Payment Association
You join us at an exciting time – for our industry, and for the SPA.
First, as incoming president I would like to thank Andreas Strobel for his inspirational leadership and offer my warmest congratulations for the body of work created under his leadership, as the presidency of the SPA passes to Gemalto.
In the 12 months of Andreas’ premiership, the association launched a host of major industry initiatives to promote the development of better card instruments. And it has been rightly recognized as a major contributor to the standards and framework discussions so crucial to moving the payment industry forward.
You can see some of that work outlined in our review of Q1 2014 below.
As we move forward into 2014, the time has come to grow. The payments ecosystem is exploding, with demand for anywhere, any time payments on the rise. We expect to see a controlled increase in membership – a necessary expansion in the face of our ever more dynamic market.
An illustration of this rapid evolution is the reemergence of tokens as a payment method. It’s a concept, of course, that’s been around for years. But with greater standardization efforts being directed towards tokens from the likes of EMVCo and the US Clearing House, it’s clearly time to look again.
And we have. Our new Tokenization paper looks into the detail here.
Finally, I would like to draw your attention to our annual review of the smart payment market that was launched on 13th May 2014. Every year we look at the health of, and developments in, our industry based on actual shipments from SPA members. This year’s results point to a demand for contactless and the growth of NFC.
See the annualized 2013 figures here.
Q1 2014 Review
1. SPA and Eurosmart reelected in the EPC-CSG
The joint candidature presented by SPA and Eurosmart was confirmed during the first round reelection process of the Vendors Sector for the European Payments Council Cards Stakeholders Group (EPC-CSG). The EPC-CSG has initiated a new two-year cycle period, during which the CSG is expected to set up as an independent legal entity from the EPC and will be responsible for maintaining the Volume Book of Requirements whose version v7.0 was published last January. The SPA’s work will focus on identifying strategic issues and work priorities for the CSG including standards, migration timelines, technological innovation and business practices and ensuring these are properly addressed. The SPA will also work to extend collaboration between the card payment industry and the retailer sector. The SPA will continue to play an active leadership role in the CSG Vendors Sector; pushing for the participation of the card vendor industry in the future SEPA Card Certification Management Body. The upcoming activity of the EPC-CSG should be largely influenced by the new regulatory context set up by the new European Payments Service Directive (PSD2) and the constituency of the European Euro Retail Payments Board (ERPB).
The PSD2 assigns responsibility for the retail payment standardization to the European Banking Association (EBA). A liaison is to be created between the CSG, in charge of maintaining the Volume Book of Requirements, the technical core of the SEPA for cards, and the EBA.
The ERPB replaces the former Single Euro Payments Area (SEPA) Council but with a broader mandate. The ERPB will be convened by the ECB.
For efficiency reasons, the SPA suggests the CSG should be recognized by the EBA, the ECB and the European Commission as the single competent entity responsible for card payment standards. It is the SPA’s view that, as a result of the recent work resulting in the consensual publication of the Volume Book of Requirements v7.0, the CSG has the necessary credibility to accompany the standardization work required to accomplish the SEPA for Cards project.
2. SPA promoting secure innovation for card payments
The SPA welcomes the pressure created by the ECB recommendations for Strong Authentication to be generalized in the SEPA area for both mobile and internet payments. It will continue efforts to harmonize technical standards for SEPA according to the ECB requirements, and will export these central concerns for reinforced security to other international standards for online payments. Indeed, other than convenience, the best way to incentivize users to adopt new payment technology is by creating trust.
SPA members’ technology helps to convert mobile devices into safe personal payment and authentication platforms. Mobile devices will ensure convenience, combined with the highest levels of data protection for access to mobile financial applications stored locally or remotely. The SPA is active in the technical harmonization work to align the security requirements set forth by the Volume with the ECB recommendations.
3. Streamlining card and mobile platform certifications
The SPA promotes dialogue and the exchange of information between all parties that have an interest in the efficient functioning of certification and type approval processes for new card payment products (for example, mobile payment platforms). This is important as mobile payment platforms (for example, the UICC) have to be certified according to a strict EMV certification framework. The SPA Security Certification is currently drafting a common process to manage the certification, recertification and end-of-life management of mobile payment platforms. The intention is to submit proposals to both EMVCo and the GSMA in order to facilitate an agreement on a common process, guaranteeing a high level of trust in the certified product. This process will also take into consideration the operational needs and business practices of the mobile network operator.
The SPA’s views and initiatives were presented to the European Central Bank Directorate General Payments and Market Infrastructure in a workshop held on April 7th. Next steps will include the formal submission of the SPA proposal to the EMVCo Security Evaluation WG.
4. SPA launches a new e-Commerce WG
The number of e-Commerce transactions is growing across the retail payment sector. Not surprisingly, the ECB’s published data for 2013 fraud also shows a significant increase in internet payments fraud. This level of fraud is of major concern to financial authorities, many of which have published documents setting forth security requirements to be implemented in new online payments solutions.
Aware of the lack of an optimized standard solution for online payments, the SPA is currently leading the EPC-CSG Innovative Payments Expert Team. This expert team has been mandated by the CSG to draft the SEPA Volume functional and security requirements for e-commerce and m-commerce.
The need to follow this very dynamic market closely has pushed the SPA to create a new specific Working Group on e-Commerce. A kick-off meeting took place in April and several proposals to improve the user experience of online payments leveraging the smart card technology were discussed. The new e-Commerce WG will be actively contributing to the on-going standardization work on e-commerce in the SEPA area as well as in other relevant market initiatives such as EMVCo Tokenization and PCI-DSS.
5. SPA increases presence in US retail payment market
The adoption of the EMVCo Chip & PIN technology in the US, its implications for mobile contactless payments, and the recent initiatives by the US Federal Reserve to improve the US retail payment market require that the SPA actively participate in this market.
For some time now, the SPA has been involved, with SPA members regularly meeting the Federal Reserve Bank to improve the security of NFC payments. The SPA’s objective is to work alongside US market players and regulators to examine the challenges and benefits of secure real-time smart card payments across the market, for payment service providers and consumers, as well as to analyze the advantages real-time technology can bring to government and businesses.
The SPA is likely to move forward by signing a collaboration agreement with a US association such as the Smart Card Alliance, with which we largely share a common technical approach.
6. The impact of regulation on market structures
The new European Payment Services Directive PSD2 lays down business rules and technical requirements that will apply to all categories of card-based payment transactions. Eurosmart and the SPA have expressed their support for the PSD2 objectives of providing legal support for mobile and internet payments, regulating those PSPs acting as financial intermediaries. We consider the separation of the payment card schemes and the processing entities to be a major provision impacting the card payment processing market. However, Eurosmart and the SPA also expressed concern that, by capping interchange fees, business models for card payment schemes may be jeopardized, limiting investments in safer and more convenient payment infrastructures. The reduced profitability for card issuance might also prompt payment alternatives which are insufficiently proven and which therefore unduly put users at risk.
Aware of the major impact of upcoming regulation on retail payment market structure, the SPA will continue to submit its proposals and views at public consultations on draft regulations for both SEPA and other world regions.
7. News from the standardization front
The SPA continues its highly active driving role in the publication of standards and specifications for the secure and interoperable deployment of card, mobile and internet payment products and solutions. The SPA directly represents its members in the EPC-CSG and EMVCo. In addition, SPA members collaborate on ISO financial standards.
In the EPC-CSG, the roadmap for the publication of the Volume Books 2, 4 and 6 (functional, security and profiles requirements respectively) has been approved. The public consultation phase is scheduled for June-July, with a resolution of comments phase that continues until October. In the new version, due to be released at the end of the year, both card present and card not present requirements will be integrated. These documents will, in any case, need to be reviewed in the light of the final publication of the ECB recommendations for mobile payments. The ECB has announced that a definitive version of its Security Requirements for mobile payments is to be released by September.
The EMVCo Next Generation Task Force has released a new version of the Kernel Terminal Specification. This document is to be discussed. EMVCo is progressing well to specify the secure channel to be established between the next generation cards and POIs. The SPA will be contributing with its expertise in order to facilitate the choice of well proven cryptographic primitives to create the secure channel.
It is notable that ISO 12812, the first international standard for mobile payments and mobile banking, is in the second Committee Draft ballot with a publication expected for the end of 2014.
8. Upcoming position and white papers
The SPA will be releasing a series of position papers and white papers that provide guidance to the payments industry on how to implement new payment methods, including tokenization, mobile wallets and payment systems using virtual currencies.