Electronic Money Association

Crescent House, 5 The Crescent, Surbiton, Surrey KT6 4BN, United Kingdom
Telephone: +44 (0) 20 8399 2066
Facsimile: +44 (0) 870 762 5063
www.e-ma.org

Erik Nooteboom
Head of Unit, Retail Financial Services and Payments
Financial Stability, and Capital Markets Union
European Commission
B-1049 Brussels, Belgium

29 May, 2015

Dear Erik,

The EMA welcomes the opportunity to respond to the European Commission request for input on the short inventory of cybersecurity concerns and initiatives.

Q1: How would you rate cyber-security among the various risks in the payments industry?

Members of the Electronic Money Association (EMA) see cybercrime as a significant but manageable threat to the payment services they provide. They rate cybercrime high on their risk lists. As technology develops, the nature of the threat posed by fraudsters and attackers continues to evolve, and is becoming both more sophisticated and more targeted. In direct response to these trends, EMA members report they have developed new controls for identifying users and devices, as well as data-driven, risk-based fraud models as part of efforts to maintain fraud at a low level. The technologies that have aided criminals have also given members new tools to protect their customers and combat fraud.

Q2: What are you particularly concerned about?

The technical threats that members are concerned about include distributed denial of service attacks, hacking, and more recently the growth of ransomware against consumers. In particular, scalable attacks against businesses and vulnerabilities targeting customers (malware, phishing, social engineering attacks) are a concern.

Page 1 of 4

However, EMA members expressed more concern about the regulatory framework within which they operate to reduce the impact of cybercrime. There are two aspects of the current/emerging EEA regulatory landscape that cause the most difficulties: that it is often overly prescriptive, and that the supervisory framework that enforces it is fragmented and inconsistent.

1. Regulations often assume that imposing a particular methodology or set of controls provides the ideal solution. Regulations should rather focus on outcomes, not prescribe solutions. Businesses understand the risks they face and should be allowed the flexibility to develop their own treatment to achieve outcomes described in regulations. Where regulations are too prescriptive in proposing a one-size-fits-all solution, the results could be counterintuitive (e.g. greater customer friction by forcing password refreshes and complexity, resulting in a negative impact on service security due to users choosing “easy” passwords and an onrush of ‘forgotten password’ requests). Moreover, the resulting short term gains in security could be offset by stifling longer term service innovation.

2. The fragmentation of efforts to improve cybersecurity across different EU (and international) bodies risks making it too complicated for service providers to develop effective cybersecurity strategies. Having to address inconsistencies in the regulatory framework, where competent authorities at a national level impose unique reporting or other requirements, results in a significant overhead for little gain. For example, Data Protection regulation is applied differently across the EU, making it difficult to implement a consistent strategy for the sharing of data with law enforcement and other businesses to prevent fraud. In particular, members were concerned where requirements were imposed on companies by states they were not established in.

EMA members see user education as vital in helping users conduct their payment activity safely; poorly educated or careless user behaviour creates large opportunities for cybercrime. EMA members are also sometimes restricted from effectively managing cyber security risk because of the outdated legacy systems operated by their retailer, merchant or payment system partners. A key issue therefore is the willingness of these parties to take ownership of cybersecurity risk instead of dismissing it as solely a technological issue.

Q3: What initiatives are in place to address risks and concerns? What works?

Authentication:
• affordable, effective and convenient ways to authenticate customers are constantly under development; these will often make the greatest use of the available medium and data, whether on mobile, web or at the point-of-sale;
• complete customer authentication with a higher degree of certainty is used only where it is needed;
• firms offer customers greater security if they want it.


Knowledge sharing within the industry (the e-money sector in the case of the EMA): The EMA maintains typologies of known frauds and attacks, which enables members to share experiences of what works and to quickly identify emerging threats and potential controls.

Ongoing monitoring of the threats from cybercriminals and proactive efforts to identify and react to them, as required for PCI-compliant firms.

Q4: What would you expect from the Commission and the authorities?

We need a clear and robust approach to combatting cybercrime, consistent across all EU countries. Members face difficulties at all stages of countering crime, in:
• engaging with law enforcement where the fraudster and victim are in different jurisdictions;
• restricting the flow of fraudulent funds that are in flight between different PSPs;
• securing prosecutions where cyber-criminals and fraudsters are in different jurisdictions from the victims, because of the lack of an effective European legal framework.

Regulators should set security requirements in the form of quantifiable outcomes instead of imposing particular methodologies or sets of controls. For example, PSPs should not be forced to deploy strong authentication unless the PSP assesses that it is an appropriate treatment for the risk faced. The EBA/ECB definition of “strong” authentication sets the bar too high for most risk scenarios. PSPs should be afforded in practice the flexibility implied by the ‘comply or explain’ principle, where they may demonstrate how alternative controls can achieve the required or superior security outcomes. Regulators should also reduce the ability for national regulators to impose their own diverging requirements (including reporting requirements) with regards to cyber security.

Thank you for the opportunity to respond to your request.

Yours sincerely,

Dr Thaer Sabri
Chief Executive
Electronic Money Association

The Electronic Money Association (EMA) is the trade body representing electronic money issuers and payment service providers. A list of EMA members is given overleaf.


List of EMA members as of May 2015

• Advanced Payment Solutions Ltd
• Airbnb Inc
• American Express
• Azimo Limited
• Blackhawk Network Ltd
• Boku Inc
• Citadel Commerce UK Ltd
• ClickandBuy International Ltd
• Corner Banca SA
• Ekuantia EDE, S.L.
• Euronet Worldwide Inc
• Facebook Payments International Ltd
• First Rate Exchange Services
• Google Payment Ltd
• iCheque Network Limited
• IDT Financial Services Limited
• Ixaris Systems Ltd
• Kalixa Pay Ltd
• National Australia Group
• One Money Mail Ltd
• Optimal Payments
• Orwell Union Partners LLP
• Park Card Services Limited
• Payleven Ltd
• PayPal Europe Ltd
• PayPoint Plc
• PayU
• Paywizard
• PPRO Financial Ltd
• Prepaid Services Company Ltd
• PrePay Technologies Ltd
• PSI-Pay Ltd
• R. Raphael & Sons plc
• Securiclick Limited
• Limited
• Syspay Ltd
• Transact Payments Limited
• Ukash
• Valitor
• Wave Crest Holdings Ltd
• AG
• Worldpay UK Limited
• Yandex.Money
