7 January 2016, Thursday

Shop with your fridge!

Fridge apps

Today everything connects to the internet, from the phone to the refrigerator. MasterCard and Samsung have developed an application that lets shoppers buy groceries on the smart refrigerator made by the Korean electronics company. It is the first app to be built into a refrigerator. The Samsung Family Hub fridge is due to roll off the production line from May 2016.

On the refrigerator's display the consumer places products into the basket, then approves the final shopping list with a 4-digit PIN on the touchscreen built into the fridge. Payment takes place once the card details have been entered.

MasterCard has developed a companion mobile app that lets family members add products to the family's electronic basket from different devices (PC, mobile, tablet, etc.). At home the mobile app can also be used to scan product barcodes.

The shopping basket will record the family's purchasing habits and make personalised suggestions about products and brands.

There are also plans to extend the app with recipes and videos.

11 November 2015, Wednesday

Will bank accounts become accessible? Online payments without a bank card

In early October the European Parliament adopted the new directive on payment services in the internal market (the Second Payment Services Directive, PSD2). The new rules aim to strengthen consumer protection, make online and mobile payments more secure and open the market to new providers. What does this mean in practice?

Since the adoption of the first Payment Services Directive in 2007, new providers have appeared in e-commerce. These bank-independent payment providers (e.g. the German SOFORT Banking, the Swedish Trustly or the Dutch iDeal, which PSD2 defines as payment initiation service providers) let the buyer pay for goods bought on a merchant's website by bank transfer without entering card details and without leaving the merchant's site for the online banking interface. When the buyer wants to purchase a product, he clicks on the "Sofort" icon in the web shop (taking Sofort Banking as the example) and selects the bank account from which to pay. He then enters the code from the token or the code sent to his mobile phone, exactly as for an online banking transfer, and the payment is approved immediately. Unlike PayPal, these services do not require the buyer to hold a separate account with the provider and transfer money into it, so the online payment provider never holds the buyer's funds, not even for a moment.
 
PSD2 stresses that the role of the new payment services in e-commerce payments is to establish a "software bridge" between the merchant's website and the online banking platform of the payer's account-servicing payment service provider. Online credit transfer payments regulated by the directive work on a completely different principle from PayPal, for instance. Here the payer does not need to hold a separate account or register with the provider, because under the directive the provider does not hold the customer's funds; they never come into its possession. The software bridge between the merchant's website and the bank's online platform ensures that the customer transfers directly from his own bank account, so neither card numbers nor account numbers need to be registered with the provider. With PayPal the goods are only dispatched once the payment has been settled. The online credit transfer system, by contrast, encourages the merchant to release the goods or perform the service without delay once the payment initiation service provider has confirmed to the merchant that the payment has been initiated.

The security of the online credit transfer system rests on the requirement that both the banks and the payment initiation service providers comply with the security requirements laid down in the directive and with the technical standards for the given technology drawn up by the European Banking Authority (EBA).

The above procedure, however, makes it indispensable for providers to obtain access to the payment accounts kept by banks and to the data held on them. This is perhaps one of the most controversial areas of PSD2, because granting access raises questions of banking secrecy and data protection, as well as anti-money-laundering concerns.

On whether access to payment accounts may be permitted, the financial supervisory authorities and competition authorities of the Member States have so far followed different practices. In Germany, for example, the Federal Cartel Office held in February 2011 that the provisions of the German banks' general terms and conditions prohibiting customers from disclosing their payment account credentials to a third party (e.g. SOFORT Banking), and thereby granting it access to the account, infringed cartel law. By contrast, in the 2011 litigation between AFAS Software and ING Bank, ING argued that its general terms and conditions and the uniform security rules of the Dutch Banking Association prohibit customers from disclosing their personal online banking credentials to third parties, and that a customer who nevertheless does so is in breach of contract. The Dutch court found in ING's favour and held that, in order to prevent fraud, payment accounts may not be made accessible to third parties, including online payment service providers. AFAS Software also tried to rely on the provisions of PSD2, which at that time existed only in draft form, but the court rejected this, noting that the directive had not yet entered into force and that the cited provisions were still being debated in the European Parliament.

The European Parliament adopted PSD2 on 8 October and it is expected to be published in the Official Journal of the European Union by the end of this year. The directive will enter into force on the 20th day following its publication, and Member States will then have two years to transpose it into national law; after that, the directive's provisions can be relied on before the courts in every Member State. The new directive will expressly require Member States to ensure that banks cannot obstruct online payment service providers' access to their customers' payment accounts, thereby enabling online credit transfer payments through a website without entering card details.

26 October 2015, Monday

PSD2 Narrows Exclusions from Payment Institution Licence - How Commercial Agents and Limited Networks are Regulated under the New Regime

In payment transactions where a commercial agent acts as an intermediary in the usual scenario (payee – payer – commercial agent), the risks against which PSD1 protects the market and its users do not in principle arise[1]. The picture changes, however, once huge online marketplaces such as eBay or Amazon are taken into account. Under PSD1 it was possible to rely on an exemption in order to avoid the requirement for a payment institution licence:

“Payment transactions from the payer to the payee through a commercial agent authorized to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee.”[2]

The exclusion was available for payment transactions carried out from the payer (buyer) to the payee (seller/merchant) through a commercial agent authorised to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee.

 

Lieferheld, a German meal-delivery platform, was sued by a competitor because it offered online payment to its customers. A German court held that Lieferheld had unlawfully provided payment services. Lieferheld subsequently changed its contract terms with restaurants so as to fall within the commercial agent exemption and continue offering its payment services without a payment institution licence.[3]

 

Even though many online platforms have sought to rely on the above exemption, not every EU regulator has accepted it for this purpose. In particular, the German regulator, BaFin, has issued public guidance discouraging its use[4].

 

The Study on the impact of PSD1 also confirmed that, given PSD1's insufficient clarity about the situation where the provider acts for both parties at the same time, providers facilitating the trade of goods or services between a payer and a payee may seek to rely on the commercial agent exemption to remain outside the PSD regime[5].

 

Although the language of Article 3(b) has not materially changed in PSD2, the reference to the word “agreement” has become important. According to the Study on the Impact of Directive 2007/64/EC, businesses providing mere communication with no specific focus on any of the participants should not benefit from the exemption, because active solicitation is required[6]. The second important feature of this Article is that the exemption applies only when the agent acts on behalf of either the payer or the payee, but not both:

 

“Payment transactions from the payer to the payee through a commercial agent authorized via an agreement to negotiate or conclude the sale or purchase of goods or services on behalf of only the payer or only the payee.”[7].

 

Where agents act on behalf of both parties (e.g. eBay) the exemption will only apply in cases where the agent does not come into possession, or have control of, clients’ funds[8].

 

It seems, though, that PSD2 does not entirely exclude e-commerce marketplace providers from its applicability. These could still rely on the exemption if they act as agents of their customers, i.e. the merchants, even though the transaction is carried out for the benefit of both merchants and buyers. It will be left to national law to decide whether to exempt such marketplaces or to apply a strict approach and deny the exemption.

PSD1 exempts payment transactions based on payment instruments accepted only within the issuer's premises or within certain limited networks:

 

“Services based on instruments that can be used to acquire goods or services only in the premises used by the issuer or under a commercial agreement with the issuer either within a limited network of service providers or for a limited range of goods or services.”[9]

 

This applies, for example, to store cards, gift cards, fuel cards and loyalty programmes. The exemption has four cumulative conditions:

 

1.    the service involves an instrument,

2.    the service is designed for paying for goods or services,

3.    the goods or services are purchased on the issuer's premises, and finally

4.    either the service provider network (regardless of the range of goods or services) or the range of goods or services paid for is limited in nature.

 

So the question arises whether loyalty cards valid in certain stores and their subsidiaries, and used to acquire an unlimited range of goods, are caught or not. What does a limited network actually mean? Do premises include the internet?

 

The French financial regulator, the ACP, tried to interpret the above PSD1 exemption restrictively: the exemption was limited to a network of stores operating under the same brand, and subsidiaries and other third parties within the network using other brands were explicitly excluded. Interestingly, the Conseil d'Etat overruled this decision but specified that a network may be considered limited if it meets other objective criteria, such as "a limited geographical area, significant financial relations, or close commercial relations, between members of the network." The French court highlighted that anyone providing payment services, even if exempted from licensing, is involved in the financial system, and therefore the ACP can impose any conditions "which are designed to safeguard the security of means of payment and protect their users.”[10]

 

The German BaFin also applied the strict approach: no authorisation was needed for local public transport cards, even when used to purchase travel supplies, and petrol cards were exempted only when issued by local petrol stations[11]. Where the choice of products was particularly limited (i.e. only transport services), BaFin showed willingness to accept a nationwide scope. Department store cards usable in multiple stores belonging to one group were considered by BaFin to require authorisation. Discount cards may thus only be issued without authorisation where their use is regionally limited[12].

According to the recitals of PSD2, the main reason for re-regulating this exemption was to catch unregulated service providers whose payment activities often involve significant payment values but escaped regulation owing to PSD1's vague and overly general wording:

“Feedback from the market shows that the payment activities covered by the limited network exception often comprise significant payment volumes and values and offer to consumers hundreds or thousands of different products and services, which does not fit the purpose of the limited network exemption as provided for in Directive 2007/64/EC. That implies greater risks and no legal protection for payment service users, in particular for consumers and clear disadvantages for regulated market actors. To help limit these risks, the same instrument cannot be used to make payment transactions to acquire goods and services within more than one limited network or to acquire an unlimited range of goods and services.”[13]

These players now compete with regulated institutions and therefore enjoy unjustified competitive advantages in terms of initial capital and liabilities[14].

Although PSD2 tried to make the wording precise, this was not very successful: the current text contains undefined legal terms that are open to interpretation. This causes legal uncertainty and produces exactly the outcome PSD2 tried to avoid: different national interpretations will co-exist, and the application of the exemption will have to be decided case by case.

 

On the basis of PSD2, the directive shall not apply to:

“(k) services based on specific payment instruments that can be used in a limited way should be excluded if one of the following conditions is met:

1.  instruments allowing the holder to acquire goods or services only in the premises of the issuer or within a limited network of service providers under direct commercial agreement with a professional issuer;

2. instruments which can be used only to acquire a very limited range of goods or services;

3. instruments valid only in a single Member State provided at the request of an undertaking or a public sector entity and regulated by a national or regional public authority for specific social or tax purposes to acquire specific goods or services from suppliers having a commercial agreement with the issuer”[15].

 

The main criticism of PSD1's limited network exemption was that there were no clear guidelines on what “limited” means, other than some domestic regulators' case-by-case guidance[16]. PSD2 does nothing to clarify the criteria of this exemption further.

 

The reference to premises is insufficient, as a lease relationship between the issuer and the seller could be an adequate substitute. The wording “limited networks of service providers that are under direct commercial agreement with a professional issuer” is not explicit enough. “Direct” could mean the exclusion of subcontractors, so that PSPs in a limited network must conclude commercial contracts with the issuer directly and not with its subcontractors. The term “professional issuer” remains equally undefined.

 

Let's compare (a) a card issued by a large department store with a nationwide presence for acceptance in its own stores (e.g. Tesco's Clubcard) and (b) a card issued by several merchants, i.e. a group of companies (e.g. the Hungarian SuperShop card[17]). While (a) will not require authorisation, in case (b) it seems that authorisation would be necessary, on the ground that the network is not very limited.

 

The new PSD2 expression “very limited” is not explicit. Instruments for acquiring only one range of goods are definitely covered, but what about 3, 5 or 20 ranges?

Unlike PSD1, PSD2 under Article 30 provides for mandatory notification by PSPs that intend to offer activities within a limited network[18]. Accordingly, PSPs cannot commence operations and then decide whether the preconditions have been met. Instead, they must request a mandatory review by the authorities before commencing their activity if their payment transactions exceed a threshold of EUR 1 million in the preceding 12 months. The description of the services shall be made publicly available on the EBA's website[19].

 

This concept again runs contrary to the principle of the internal market, as the procedure could lead to divergent interpretations and could also distort competition. Furthermore, the public disclosure of the decision could influence how other regulators approach their own reviews. Given the uncertainty about the scope of this exemption, PSPs would be prudent to seek regulatory approval regardless of the payment transaction volumes involved.

 

Source of picture: Wikipedia (Loyalty Program)

[1] Study on the Impact of Directive 2007/64/EC on Payment Services in the Internal Market, London Economics, February 2013, p. 124

[2] Article 3(b) of PSD1

[3] LG Köln, Urteil v. 29.09.2011, Az. 81 O 91/11, http://tlmd.in/u/1307

[4] Merkblatt - Hinweise zum Zahlungsdiensteaufsichtsgesetz (ZAG), December 2011 http://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Merkblatt/mb_111222_zag.html

[5] Study on the impact... p.125

[6] Study on the impact... p.125

[7]Article 3(b) of PSD2

[8] Recital 18 of PSD2

[9] Article 3(k) of PSD1

[10] Case No.354957 ECLI:FR:CESSR:2013:354957.20130424 of the Conseil d’ Etat, http://www.legifrance.gouv.fr/affichJuriAdmin.do?oldAction=rechJuriAdmin&idTexte=CETATEXT000027353547&fastReqId=1333016665&fastPos=1

[11] Dr. Matthias Terlau, Dr. Daniel Walter, „PSD2 – Future authorisation requirements for department store cards, gift vouchers, petrol cards and stadium cards? The new limited network exception“ (2013) Payment Services Law Blog

[12] Merkblatt - Hinweise zum Zahlungsdiensteaufsichtsgesetz (ZAG), December 2011

[13] Recital 12 of PSD2

[14] Recital 12 of PSD2

[15] Article  3(k) of PSD2

[16] Recital 12 of PSD2

[17] SuperShop is not a prepaid card. A certain percentage of each purchase is credited to the card. The cardholder can use the card for purchases within a limited network of merchants, e.g. Spar, OMV, Burger King. www.supershop.hu

[18] Article 30(2) of PSD2

[19] Article 30(4) of PSD2

17 October 2015, Saturday

Security of Payments, Strong Customer Authentication, PSD2

According to Abrazhevich, one of the most crucial and well-researched issues in payment systems is security. Since the Internet is an open network with no centralised control, the infrastructure supporting electronic commerce, and payment systems in particular, must be resistant to attacks in the Internet environment[1].

Payment Card Fraud: Examples from Recent Cases

Managing payment card fraud is challenging for financial institutions. Chip-based or EMV[2] payments were a big step forward from magnetic stripe card payments. A magnetic stripe can easily be copied, whereas cloning the chip is not practically feasible, so chip cards increase security and reduce fraud from counterfeit, lost and stolen cards. While almost all terminals in Europe are chip-enabled, the US is one of the last countries to migrate to EMV chip technology[3]. Chip cards will not end fraud, however. As seen in Europe, where chip cards are already standard, fraudsters shift their focus to card-not-present[4] transactions instead.[5]

In mid-July 2015, in parallel with the launch of Apple Pay in the UK, some UK papers reported that the contactless payment cards in our pockets might not be as secure as we assumed[6]. According to the article, a group of testers used an “easily and cheaply” acquired card reader to retrieve the card numbers and expiry dates from 10 cards. They were not able to obtain the three-digit verification code printed on the back of the cards. Even so, with just this data and a made-up name, they were able to place an order on Amazon for a $4,000 TV.

Figure 1 (image not reproduced here) showed the card details required when purchasing via Amazon.

Cardholders will notice a missing card relatively quickly, but it is almost impossible to detect that card data have been compromised, i.e. that someone has gained unauthorised access to the card data, especially while the card is still in our pocket. If the card is used for small fraudulent purchases and the cardholder is a regular Amazon user, the cardholder may not notice that money is being siphoned out of his account.

A contactless payment card cannot be switched off: it returns the card number, expiry date and, on older cards, the cardholder name in cleartext to any point of sale (POS) terminal or NFC-enabled smartphone that queries it, without any validation or authorisation. Someone with malicious intent could collect a small fortune each day by brushing past people on a bus and skimming cards while they sit in pockets and wallets. Many fraudulent transactions are not noticed until things have spiralled out of control.

Two important questions should be raised regarding contactless payment cards. Firstly, if the CVC2/CVV2 check exists, why is it not obligatory for all merchants? Secondly, if card issuers and banks treat card numbers and expiry dates as public data not requiring protection, why not use a secret password as a second factor to protect users' money? There is the PIN, of course, but it is not required for online transactions.
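The following is an added example, not code from the original post or from the test it cites: a minimal BER-TLV parser for the record data an EMV contactless card hands over in the clear, applied to a constructed READ RECORD response. It shows concretely which cardholder data a passive reader recovers (PAN, expiry date and, on cards that still carry tag 5F20, the cardholder name) and that no chip data object contains the CVV2/CVC2, which exists only in print on the card. The record bytes, the test PAN 4111 1111 1111 1111 and the cardholder name are constructed for this example; the tag numbers (70, 57, 5A, 5F20, 5F24) are the standard EMV ones.

```python
def tlv(tag_hex: str, value: bytes) -> bytes:
    """Encode one short-form BER-TLV object (value shorter than 128 bytes)."""
    assert len(value) < 0x80
    return bytes.fromhex(tag_hex) + bytes([len(value)]) + value


# Constructed READ RECORD response body (tag 70 = EMV record template). The PAN
# 4111 1111 1111 1111 is a well-known test number and the name is made up; no
# real card was read. Tag 57 is Track 2 Equivalent Data, 5A the PAN, 5F24 the
# expiry date (YYMMDD) and 5F20 the cardholder name.
SAMPLE_RECORD = tlv(
    "70",
    tlv("5F20", b"TEST CARDHOLDER")
    + tlv("57", bytes.fromhex("4111111111111111D23122010000000000"))
    + tlv("5A", bytes.fromhex("4111111111111111"))
    + tlv("5F24", bytes.fromhex("231231")),
)


def parse_tlv(data: bytes) -> dict:
    """Parse BER-TLV into {tag_hex: value}, flattening constructed templates
    (bit 0x20 of the first tag byte set) so nested objects are reachable."""
    out = {}
    i = 0
    while i < len(data):
        start = i
        first = data[i]
        i += 1
        if first & 0x1F == 0x1F:          # multi-byte tag: continues while bit 8 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i]
        length = data[i]
        i += 1
        if length & 0x80:                 # long-form length (0x81 nn, 0x82 nn nn, ...)
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:
            out.update(parse_tlv(value))
        else:
            out[tag.hex().upper()] = value
    return out


def decode_track2(value: bytes) -> dict:
    """Track 2 Equivalent Data: PAN, 'D' separator, YYMM expiry, 3-digit service
    code, discretionary data; BCD-packed and padded with 'F' to a whole byte."""
    digits = value.hex().upper().rstrip("F")
    pan, rest = digits.split("D", 1)
    return {"pan": pan, "expiry_yymm": rest[:4], "service_code": rest[4:7]}


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, as a checkout form applies it to the PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def cardholder_data(record: bytes) -> dict:
    """What a passive reader learns from one record: everything a card-not-present
    form asks for except the CVV2/CVC2, which no EMV data object contains."""
    fields = parse_tlv(record)
    info = {}
    if "57" in fields:
        info.update(decode_track2(fields["57"]))
    if "5A" in fields:
        info["pan"] = fields["5A"].hex().upper().rstrip("F")
    if "5F24" in fields:
        info["expiry_yymmdd"] = fields["5F24"].hex()
    if "5F20" in fields:
        info["name"] = fields["5F20"].decode("ascii").strip()
    info["pan_luhn_ok"] = luhn_ok(info["pan"]) if "pan" in info else None
    info["cvv2"] = None  # not on the chip: printed on the card only
    return info


if __name__ == "__main__":
    for k, v in cardholder_data(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

The parser deliberately flattens the record template so the caller does not need to know the nesting; a real skimmer reads the same objects after SELECT and GET PROCESSING OPTIONS, which this example skips because the point is what the data contains, not the APDU exchange.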

Strong Customer Authentication in PSD2 and in the EBA Guidelines

The EBA gained importance in the supervision of PSD2 requirements and is empowered, in close cooperation with the ECB, to develop technical standards on the requirements of strong customer authentication[7].

The EBA published its final guidelines on the security of internet payments on 19 December 2014[8]. These guidelines are based on the recommendations of the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary cooperative initiative set up by the ECB and comprising the relevant authorities of the EEA. Interestingly, the guidelines touched on sensitive points, including strong customer authentication, that are also covered by PSD2. Furthermore, the EBA required the guidelines to apply from 1 August 2015, before the adoption of PSD2. This raised concerns among various stakeholders, including MasterCard and small firms in the UK. The FCA even made its views public on its website: "We do not have the power without legislative change to make binding rules requiring all payment service providers (credit institutions, payment institutions and e-money institutions) to comply with the EBA Guidelines”. MasterCard compiled an FAQ on its website informing its customers about the applicability of the EBA guidelines and their relationship to PSD2, which was not yet in force[9].

The EBA is an EU regulatory agency and does not possess legislative power. The technical standards drafted by the EBA (on the basis of the empowerment in PSD2) only acquire binding effect and direct applicability in the Member States once endorsed by the Commission. The EBA's guidelines, however, are “binding” on the competent authorities to which they are addressed, which should comply by incorporating them into their supervisory practices as appropriate[10]. This procedure is usually called “comply or explain”, meaning that a competent authority may decide not to comply with the guidelines, provided it states its reasons. The UK, for example, opted out, explaining that “it does not have the power without legislative change to make binding rules requiring all payment service providers (credit institutions, payment institutions and e-money institutions) to comply with the EBA Guidelines”[11]. The Swedish Financial Supervisory Authority reported that it would comply with all guidelines except the strong customer authentication requirements for card payment schemes and providers of wallet solutions[12].

In terms of PSD2 and the EBA Guidelines, strong customer authentication means an authentication based on the use of two or more elements categorised as

1.    knowledge (something only the user knows, e.g. a PIN),

2.    possession (something only the user possesses, e.g. a token) and

3.    inherence (something the user is, e.g. a fingerprint or retina scan)

that are independent, in that the breach of one does not compromise the reliability of the others, and that is designed in such a way as to protect the confidentiality of the authentication data[13].
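The definition above, as an added example that is not part of the original post: a password (knowledge element) plus an RFC 6238 TOTP code (possession element) verified independently, with a policy function that refuses to treat two elements of the same category as two factors. The enrolment record, password and salt are constructed for the example; the TOTP seed is the RFC 4226/6238 test seed. Inherence (biometrics) is left as a placeholder because it cannot be demonstrated offline.

```python
import hashlib
import hmac
import struct

# Constructed enrolment data for one demo user (not real credentials). The
# password hash is the "knowledge" element; the TOTP seed is the "possession"
# element, which lives on the user's phone or token and is never typed in.
PBKDF2_ITERS = 100_000
_SALT = b"fixed-demo-salt"  # fixed so the example is reproducible; use os.urandom in practice
USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery", _SALT, PBKDF2_ITERS),
    "totp_secret": b"12345678901234567890",  # RFC 4226 / RFC 6238 test seed
}


def verify_knowledge(password: str) -> bool:
    """Knowledge element: constant-time comparison of the PBKDF2 hash."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, PBKDF2_ITERS)
    return hmac.compare_digest(cand, USER["pw_hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step."""
    return hotp(secret, unix_time // step)


def verify_possession(code: str, unix_time: int, window: int = 1) -> bool:
    """Possession element: accept the current step and +/- `window` steps of
    clock skew. Every candidate is compared, so timing does not depend on
    which step (if any) matched."""
    if not (code.isascii() and code.isdigit()):
        return False
    counter = unix_time // 30
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(USER["totp_secret"], c), code)
    return ok


def strong_customer_authentication(elements, unix_time: int) -> bool:
    """`elements` is a list of (category, presented value). Returns True only
    if at least two DISTINCT categories are present and every presented
    element verifies. Two elements of one category (password plus security
    question) are not two factors. All elements are evaluated even after one
    fails, so the response does not reveal which one was wrong."""
    verifiers = {
        "knowledge": lambda v: verify_knowledge(v),
        "possession": lambda v: verify_possession(v, unix_time),
        # "inherence" (biometrics) would plug in here; not demonstrable offline.
    }
    categories = {cat for cat, _ in elements}
    if len(categories & set(verifiers)) < 2:
        return False
    results = [verifiers[cat](val) for cat, val in elements if cat in verifiers]
    return all(results)


if __name__ == "__main__":
    import time
    now = int(time.time())
    print("HOTP test vector (counter 0):", hotp(USER["totp_secret"], 0))  # 755224 per RFC 4226
    print(strong_customer_authentication(
        [("knowledge", "correct horse battery"), ("possession", totp(USER["totp_secret"], now))], now))
```

The independence requirement in the definition is met here because the TOTP seed never leaves the possession device and the password never reaches it: compromising the password database gives an attacker nothing that helps forge a TOTP code, and vice versa.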
 

Sophisticated technology may fail if customers cannot use it with ease[14]. In 2014, during the EBA consultation period, MasterCard raised concerns about the strong customer authentication requirement in the draft EBA guidelines[15]. MasterCard highlighted that the guidelines disregard customer convenience; in other words, “the guidelines impose additional heavy and awkward authentication procedures for customers which may end up discouraging them from using internet payments”[16].
 

In MasterCard's opinion strong customer authentication should be optional for payments whose risk is not high. The reasoning is simple: it is generally the card-issuing PSP that is liable in case of fraud. A PSP that is prepared to bear that liability should be permitted to decide which level of authentication to apply (strong or risk-based), provided the issuer respects some minimum authentication guidelines. There is therefore no need to mandate strong authentication on every transaction for card-issuing PSPs that already bear the risk of fraud[17].

 
Ecommerce Europe confirmed the above: “the new authentication rules could stifle innovation in the area of digital payments. Multifactor authentication has a huge impact on conversion for merchants, as many consumers will leave the check-out process when payment becomes too complicated.”[18]

It seems that not only customer convenience but also liability and its financial consequences were the real reason for MasterCard to argue for less stringent authentication requirements. According to Article 66(1c) of PSD2:

“Where the payer's payment service provider does not require strong customer authentication, the payer shall only bear any financial consequences where having acted fraudulently. Should the payee or the payment service provider of the payee fail to accept strong customer authentication, they shall refund the financial damage caused to the payer’s payment service provider.”

 
If PSPs fail to apply strong customer authentication they bear full liability, unless the payer acted fraudulently. According to Ecommerce Europe, “if PSPs do not perform strong authentication they are liable and liability does not shift to the merchant when he chooses not to authenticate while the PSP is offering it. This is a change from today where the merchant is liable when no authentication is used. However, failing to do so might eventually lead to the merchant losing its contract with the PSP”[19].

 
Nevertheless, it seems that the EBA followed the stakeholders' advice, because the final guidelines were drafted so as to allow alternative authentication measures for pre-identified categories of low-risk transactions, e.g. based on transaction risk analysis or involving low-value payments[20].

 
Source of picture: socialcustomer

[1] Dennis Abrazhevich, Electronic Payment Systems: a User-Centered Perspective and Interaction Design (Technische Universiteit Eindhoven, 2004) p. 36
[2] EMV is an abbreviation for Europay, Mastercard and Visa. The EMV specifications were developed to define a set of requirements to ensure interoperability between chip-based payment cards and terminals. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards. http://www.emvco.com/
[4] A card not present transaction is a payment card transaction where the holder cannot physically show  the card for visual examination when payment is effected (e.g transactions over the phone, the internet or by mail.)
[5] ECB (July 2015) “Fourth Report on Card Fraud”
[6] http://gizmodo.com/contactless-payment-cards-are-perhaps-not-as-secure-as-1719690656
[7] Article 87a(1)(a) of PSD2
[8] http://www.eba.europa.eu/regulation-and-policy/consumer-protection-and-financial-innovation/guidelines-on-the-security-of-internet-payments
[9] http://newsroom.mastercard.com/wp-content/uploads/2015/07/FAQ-EBA-guidelines.pdf
[10] EBA, Final guidelines on the security of internet payments, p. 8
[11] EBA, Compliance Table – Guidelines EBA/GL/2014/12 on the security of internet payments, published on 19 December 2014 (listing, on the basis of information supplied by them, the competent authorities that comply or intend to comply)
[12] Ibidem.
[13] Article 4(22) of PSD2
[14] Wen-Chen HU,Chung-wei Lee & Weidong Kou, Advances in Security and Payment Methods for Mobile Commerce (Idea Group Publishing, 2005) p. 210
[15] Mastercard (2014) „Mastercard’s comments on the EBA Consultation Paper on the implementation of draft EBA guidelines on the security of internet payments prior to the transposition of the revised Payment Services Directive (PSD2)”
[16] Ibidem.
[17] Ibidem.
[18] Ecommerce Europe (2015) “Stronger consumer authentication for online payments needed as of 1 August 2015”
[19] Ibidem.
[20] EBA, Final guidelines on the security of internet payments, Section 7.5