Security Issues and the Breakdown of Payment Systems - Free Essay Example

Critically Discuss Security Issues and the Breakdown of the Payment System. Introduction Regulation 2560/2001/EU applies to cross-border payments in euros within the EU and established with effect from 1st July 2003 the principle of equal charges for a cross-border transaction and a strictly domestic transaction. The Consultative Document à ¢Ã¢â€š ¬Ã…“New Legal Framework for Payments in the Internal Marketà ¢Ã¢â€š ¬Ã‚ [1] acknowledges that the Regulation à ¢Ã¢â€š ¬Ã…“has contributed to a considerable reduction in the price for [such] paymentsà ¢Ã¢â€š ¬Ã‚ ¦and has provided an incentive for the payment industry to modernise their EU-wide payment infrastructuresà ¢Ã¢â€š ¬Ã‚ . However, it is acknowledged that technical and legal barriers still prevent EU citizens, companies and payment service providers from reaping the full benefits of a Single Payment Area for non-cash payments. The Executive Summary (p.2) concludes: à ¢Ã¢â€š ¬Ã…“The Internal Market for goods and services cannot function properly without cheap, efficient and secure [emphasis supplied] payment services.à ¢Ã¢â€š ¬Ã‚  While the Regulation addresses the first of these three criteria, considerable progress is still required in respect of the efficiency of services (and, in particular, the introduction of appropriate protection for parties in the event of breakdown) and security of networks in the face of increasing external attack. Annex 20 of the Consultative Document raises issues in respect of à ¢Ã¢â€š ¬Ã‹Å"Security of Networksà ¢Ã¢â€š ¬Ã¢â€ž ¢ and Annex 21 similarly invites submissions in respect of à ¢Ã¢â€š ¬Ã‹Å"Breakdown of a Payment Network.à ¢Ã¢â€š ¬Ã¢â€ž ¢ It is proposed to address each of these subjects in turn. Security of the Networks Annex 20 describes attacks upon the databases of, inter alia, the banking industry and e-commerce merchants which have led to conce rns as to payment fraud and have resulted in the recall and reissue of many thousands of payment cards. The full scale of the problem is unknown since, due to the potential for the undermining of confidence in such institutions, it has been estimated that as many as 80% of such incidents are not reported[2]. A study undertaken for the European Commission into public perceptions of the security of electronic payments[3] identified the fact that from a security perspective, electronic banking systems including on-line bank transfers are the preferred methods of payment. This is due to the use of a system of 2-factor identification (e.g. password and selected digits from a PIN number). By contrast, the use of à ¢Ã¢â€š ¬Ã…“card not presentà ¢Ã¢â€š ¬Ã‚  payment over the internet poses risks because authentication depends upon the use of credit card numbers and expiry dates (which information can be the subject of misappropriation or the increasing crime of à ¢Ã¢â€š ¬Ã…“identity t heftà ¢Ã¢â€š ¬Ã‚ . Regrettably, this type of transaction remains the most prevalent for cross-border payments. New, more secure solutions, have yet to achieve a significant degree of market penetration. In particular, the use of what is known as SSL à ¢Ã¢â€š ¬Ã…“Secure Sockets Layerà ¢Ã¢â€š ¬Ã‚ , a generic method to cryptographically secure communication on the Internet taking place between a client and a server is as yet weak or non-existent in terms of general commercial application. At the Tampere European Council, the member states reaffirmed their commitment to reinforcing the fight against organised crime. This led to the issue of the Communication from the Commission à ¢Ã¢â€š ¬Ã…“Preventing fraud and counterfeiting of non-cash means of paymentà ¢Ã¢â€š ¬Ã‚ [4] and its accompanying Fraud Prevention Action Plan. It was acknowledged that the payment industry has developed and implemented new technical fraud prevention measures (such as à ¢Ã¢â€š ¬Ã…“chip and PI Nà ¢Ã¢â€š ¬Ã‚  technology) but if cross-border payments are to be adequately protected, further, more general measures are required. The first paragraph of the Fraud Prevention Action Plan states, inter alia, that the longer term objective must be the introduction of a structured and co-ordinated security approach by all interested parties. It is essential to promote standardised security requirements which can be independently and objectively evaluated. An example of this is ISO Standard 15408 which allows the definition of security requirements for information technology systems including payment products. Criminal sanctions are also necessary. At the Community level, proposals have been made for the common definition of certain à ¢Ã¢â€š ¬Ã…“cyber crimesà ¢Ã¢â€š ¬Ã‚  carrying common penalties[5]. While such reform is to be welcomed insofar as it would provide a measure of uniformity and ease of enforcement within the EU, it cannot address the risks posed by the global na ture of modern information technology which renders European merchants and institutions vulnerable to international attack from beyond the borders of the EU. Annex 20 argues that the harmonisation of penal legislation against cyber crime both in the EU and beyond and co-operation with other stakeholders may lead to the conclusion that there is no need for further legal provisions on the security of the infrastructure and the payment area and further initiatives may be left to self-regulation. This approach is complacent. While acknowledging the difficulty of state regulation of crimes committed outside its jurisdiction, such a challenge militates in favour of internal regulation to ensure compliance with the highest possible standards of electronic security. The increase in e-banking and e-commerce generates an increasingly urgent imperative to protect such systems if confidence is to be maintained and the advantages of such transaction methods to the development of the Internal Market are to be preserved. Article 17 of Directive 95/46/EC already provides for the controller of the data to take appropriate measures to protect against unauthorised access. An increasingly obvious deficiency occurs where the processing of such data is à ¢Ã¢â€š ¬Ã…“outsourcedà ¢Ã¢â€š ¬Ã‚  to another party. While the controller in such circumstances is under a duty to choose a processor who is able to supply the necessary guarantees as to security of data, there is no reason why indeed it might be regarded as essential that the processor is also made the direct subject of primary legislation in order to ensure the integrity of his guarantees and to provide appropriate remedies (beyond the merely contractual rights of the controller) in the event of default. Breakdown of a Payment Network By contrast with Annex 20, Annex 21 raises the issue of liability in the event of breakdown of a payment network but fails to provide even the most meagre of proposed strategies for dealing with the issue or even any meaningful suggested topics for discussion and response. The risk of system breakdown is particularly acute in the case of Payment Services Providers since they have à ¢Ã¢â€š ¬Ã…“network externalitiesà ¢Ã¢â€š ¬Ã‚  which means that they are exposed to risks not only as a result of the compromise of the integrity of their own internal systems but also the systems of those other institutions with which they are interdependent. In addition, the trend toward à ¢Ã¢â€š ¬Ã…“outsourcingà ¢Ã¢â€š ¬Ã‚  discussed above increases their vulnerability to breakdowns over which they have no direct control. Such system failures can have significant impact in the marketplace upon a customer who may incur financial penalties (e.g. for late payment) or suffer loss of commercial opportunity or other loss as a result of not being able to action an electronic payment. The merchant also is at risk since, in the event of such failure, potential profit may be lost i f otherwise willing customers are not able to make payment by other than electronic means. The obvious question is, upon whom should such losses ultimately fall? Not surprisingly, the banks take a particular view. Barclays[6] argue that to extend liability to include unlimited consequential losses due to system breakdown will cause many providers to reconsider their exposure to the payments market. They argue that they have invested in contingency arrangements so that payments are not delayed even if there are failures, that customers have a wide range of payment options available to them and that breakdown is rare. Finally, there is the familiar plea that the industry is subject to a high degree of self-regulation and that the consequences of system failure are adequately addressed by the bankà ¢Ã¢â€š ¬Ã¢â€ž ¢s contract with the customer. Significantly, it is not asserted that compensation arrangements are adequate under the present regime, rather that the customer contract is à ¢Ã¢â€š ¬Ã…“the best way forwardà ¢Ã¢â€š ¬Ã‚  provided this is à ¢Ã¢â€š ¬Ã…“transparent to the customerà ¢Ã¢â€š ¬Ã‚ . To seek to limit liability in this way is offensive to basic legal principles. By direct or indirect means, the customer either in the form of a consumer or in the person of a merchant supplying goods or services and wishing for reasons of commercial competitiveness to offer the option of payment by electronic means, is paying for a service which he has a consequent right to expect will be operated efficiently and without causing loss to him through its failure. Where such failure occurs, the consequences are clearly and reasonably foreseeable as they have been by the Commission in the Consultation Document. Just as it was appropriate for the Commission to regulate the charge for electronic cross-border transfers by Regulation 2560/2001, it is appropriate for there to be similar intervention to ensure confidence in systems and the further increase in th eir use for the benefit of the Single Market and to provide a transparent system of rights and remedies in the event of breakdown of systems. Conclusion Regulation 2560/2001/EC provided an important boost to the use of electronic payment systems for cross-border transfers by removing the disparities previously existing in respect of charges for such services. Recognising this benefit to the operation of the Single Market, the Consultative Document seeks to explore ways of increasing and enhancing this benefit by addressing a range of technical and legal restrictions which continue to impinge upon the efficient and secure operation of such means of payment. If this is to be achieved, urgent action is required to address the increasing threat to the security of and thus confidence in the use of such services. Payment Services Providers must shoulder the leading responsibility for guaranteeing the security of such systems and where this continues to be deemed inadequate, must b e required by Regulation to do so. This applies also in the distinct but related field of system breakdown. Self-serving arguments about the current adequacy of systems and the familiar special pleading for self-regulation should not be allowed to stand in the way of continued improvements in e-payment and e-commerce with the manifest economic benefits that this will confer upon the Community. Again, this is too important an objective to be left to chance or half-hearted and self-interested attempts at self-regulation. The model of Regulation 2560/2001 and its demonstrable success may be relied upon in both areas to bring about continued improvements in the framework for payments in the Internal Market. Bibliography APACS, The Regulation on Cross Border Payments in Euro, Cards Compliance Guidelines for the UK Banking Industry, (July 2003) Barclays plc Response: Commission Communication A New Legal Framework for Payments in the Internal Market (9 February 2004) Electroni c Payments key conclusions of study undertaken for European Commission on public perceptions, (September 2003), www.europa.eu.int/comm.internal-market/payments/docs/fraud/study-security New Legal Framework for Payments in the Internal Market, COM (2003) 718 final Irish Payment Services Organisation, IBAN Update, (Oct 2004), www.ipso.ie Preventing fraud and counterfeiting of non-cash means of payment, COM (2001) 0011 final Proposal for a Council Framework Decision on attacks against information systems, COM (2002) 173 final Regulation 2560/2001/EU 1 Footnotes [1] COM (2003) 718 final, p.2 [2] IDC and Gartner (November 2002) [3] Electronic Payments key conclusions of study undertaken for European Commission on public perceptions, (September 2003), www.europa.eu.int/comm.internal-market/payments/docs/fraud/study-security [4] COM (2001) 0011 final [5] Proposal for a Council Framework Decision on attacks against information systems, COM (2002) 173 final [6] Barclays plc Response: Commission Communication A New Legal Framework for Payments in the Internal Market (9 February 2004)