Introducing cybersecurity by design and by default principles into digital products, the Cyber Resilience Act (CRA) which was recently approved by the EU Council (1) and has been published in the Official Journal of the European Union (2) marks a clear commitment from the European Union (EU) to protect millions of businesses and consumers in an increasingly connected world across all vertical segments.
The Regulation will enter into force on 10 December 2024, and its main obligations will apply from 11 December 2027.
As the trade body of the cards and mobile payments industry – a vertical sector that, for over the last three decades, has delivered the highest levels of protection for its payment instruments – the Smart Payment Association (SPA) welcomes all initiatives seeking to eliminate security flaws, address fraud and tackle new risks.
The introduction of the CRA has raised concerns among the payments industry stakeholders because of its potential impact on the Payment Smart Cards industry and its consumers (3). The SPA considers that while the CRA aims to enhance cybersecurity, its implementation may impose substantial costs without corresponding improvements in end-user security. The current payments industry security practices have proved successful in effectively minimizing fraud rates over the past three decades.
The SPA addresses the challenges of a fast-evolving payment ecosystem, promoting innovation, security, and interoperability of retail payment instruments. The SPA works closely with regulators and standardization bodies, offering leadership and expert guidance to help its members and their customers adopt new payment technologies. SPA members, all based in Europe, account for the shipment of more than 80% of Payment Cards worldwide, with 13 billion Payment Cards in circulation globally reported in 2023, including 1.5 billion in Europe (4). These cards are integral to the functioning of the finance and retail sectors in Europe.
This paper explore current security practices, regulatory compliance mechanisms, and the operational realities of Payment Smart Cards. They also assess regulatory alignment and applicability, aiming to substantiate the arguments presented.
PROBLEM STATEMENT
1. Regulatory Concerns and Industry Impact: The SPA is worried that new regulations, like the Cyber Resilience Act (CRA), will impose high costs on the EU Payment Smart Cards industry and consumers without improving end-user security. The industry has operated under strict regulations for over 25 years, maintaining low fraud rates through stringent security processes.
2. Risk of Duplication and Complexity: Current international payment industry standards, based on international standards (ISO), already ensure high levels of security at least equivalent to CRA requirements. These practices have successfully reduced fraud rates to 0.031% of the total value of card payments in the EU (5). Introducing new processes alongside the existing ones could lead to certification duplication, complicate planning, and potentially cause delays in the delivery of new Payment Cards. This redundancy may increase complexity, contradicting the goal of simplifying security measures for the end-users.
3. Technical Constraints of Smart Cards: Payment Smart Cards are passive unpowered devices with no direct or indirect internet connection, only communicating with payment readers using ISO 7816-4 commands to facilitate secure payment transactions only at the time of payment.
4. Security Evaluation Compliance: The security evaluation of Payment Card products already meets CRA requirements through rigorous conformity assessments, site audits, and security testing equivalent to Common Criteria (CC) EAL4+. Surveillance rules and mitigation plans ensure ongoing security and very low fraud rates.
5. Emerging Threats and Continuous Improvement: Security standards are continuously updated to address new threats, including those posed by quantum computers. EMVCo, along with European National Agencies and the EU Payments Industry, monitors emerging threats and updates security certifications and rules accordingly.
SUITABILITY OF CRA FOR PAYMENT SMART CARDS.
The current processes and specifications already address the key requirements outlined in the regulation, rendering additional processes unnecessary and inappropriate. In this context, the CRA should provide a mechanism to confirm compliance with the rules using the existing evidence. Compliance through Module H of the CRA could also be a viable solution.
pdf DOWNLOAD SPA PAPER (1.04 MB)
(1) Cyber resilience act: Council adopts new law on security requirements for digital products - Consilium
(2) Regulation - 2024/2847 - EN - EUR-Lex
(3) Cyber Resilience Act (CRA) - SPA's Response to the EC Consultation - January 2023
(4) Source: Worldwide EMV® Deployment Statistics | EMVCo
(5) ECB and EBA publish joint report on payment fraud