A roundtable discussion was held in the European Parliament on 7 January 2014 in relation to PSD II, in which EU policymakers argued that the draft rules are not robust enough to protect consumers from fraud and data security breaches.

The Assistant European Data Protection Supervisor (“EDPS”), Giovanni Butarelli, advised the roundtable discussion consumer protection was sorely missing from the proposed data protection clauses. Acting as the EU’s watchdog on data protection issues, the EDPS have concerns about the “increasingly significant amount of personal details processed by stakeholders, including names, personal data, bank numbers, contacts and so on”. The EDPS believe that mobile operators should only have access to simple and necessary details relating to the transaction.

As mobile payments become more popular in Europe, and a number of new players seek to enter the market, Farid Aliyev, the financial services officer at European consumer group, BEUC, suggests that fraudsters will be attracted by new opportunities. In his opinion, the solution to this would be to restrict third party access to certain consumer data details, within a specific remit to access the information.

What this means for you

Payment providers need to be alive to the security issues discussed by the EDPS. The new systems and processes being introduced potentially give fraudsters a new opportunity to access customer information. The development of PSD II needs to be monitored carefully to ensure that adequate security provisions are included and payment processors should ensure that they are aware of and have in place strategies to deal with the problems raised by the introduction of new technology and processes.

However, nothing in PSD II replaces the need for stakeholders to put in place good quality, effective security measures of their own. The frustration is that with the possible exception of EMV/Chip & Pin, there have been very few innovations over the last few years which have proved to be fraud-proof. Hackers simply like and enjoy the new challenge presented by the latest products. This is a yet another example of the authorities looking to target the static stakeholders rather than the more elusive fraudsters.