(A.) Policy and legislation
(A.1) Policy objectives
The speed at which technological change in payments is happening requires targeted policy measures. The European Union aims to be a highly competitive payments market, allowing all players to compete on fair and equal terms to offer innovative digital payment solutions.
(A.2) EC perspective and progress report
Directive 2015/2366/EU (PSD2) set the foundation for safer and more innovative European payments. It aims at better protecting consumers when they pay online, promoting the development and use of innovative online and mobile payments, and making cross-border European payment services safer.
Payments have become strategic for the EU’s economic and financial autonomy. Digitalisation and innovation are quickly changing the way payments are made. Electronic (cashless) payments are becoming increasingly popular and the Covid-19 pandemic has further reinforced their importance, in particular with regard to contactless payments.
Today, the EU’s electronic payments market is dominated by a few large global players providing nearly all cross-border payments in the European market, in particular for payments at the point of sale (such as in shops). Payment solutions provided by European payment service providers and fintechs are often very successful but only at national level. One of the reasons why these solutions have so far failed to expand across the European Union and beyond is that they are not interoperable with one another. An increasing number of these payment solutions rely on technologies such as QR-codes, Bluetooth (BLE) or Near Field Communication (NFC). The absence of common technical standards is one of the obstacles to achieving the interoperability of these solutions, and QR-codes in particular suffer from an absence of EU-level standardisation.
In recognition of these problems, several initiatives led by the European Retail Payments Board (ERPB) and the European Payments Council (EPC) have been launched, aimed at adopting common European schemes and rules. This standardisation and harmonisation work aims to ensure the interoperability of instant payment solutions in shops and e-commerce. In particular, the ERPB working group on instant payments at the point of interaction (physical point of sale and e-commerce) has recognised the need for a standardised QR-code for both merchant-presented and consumer-presented use cases. The working group will develop the minimum data set to be exchanged in standardised QR-codes between the merchant and the consumer by the end of 2020.
Provided that the market factors are duly taken into account, resolving the issue of missing standards will make it easier for payment services providers and merchants alike to reach critical mass by making use of the digital single market and committing to make the necessary investments.
- Directive 2015/2366/EU of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market: https://eur-lex.europa.eu/eli/dir/2015/2366/oj
- Interim report of the ERPB Working Group on a Framework for interoperability of instant payments at the point of interaction (IPs at the POI): https://www.ecb.europa.eu/paym/groups/erpb/shared/pdf/13th-ERPB-meeting/Item_4.4_-_Interim_report_of_the_WG_on_a_framework_for_instant_at_POI.pdf
(B.) Requested actions
Action 1: The Commission considers that the development by the market of a single, open and secure European technical standard for QR-codes would support the uptake and interoperability of instant payments.
(C.) Activities and additional information
(C.1) Related standardisation activities
CEN/TC 224 ‘Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment’ develops standards for strengthening the interoperability, security and privacy of personal identification and its related personal devices. CEN/TC 224 addresses providers from the supply side such as card manufacturers, security technology providers, conformity assessment bodies and software manufacturers.
EMV® QR Code Specification for Payment Systems: Merchant-Presented Mode and EMV® QR Code Specification for Payment Systems: Consumer Presented Mode are ISO 18004 compliant. The current versions of these specifications are available from: https://www.emvco.com/emv-technologies/qrcodes/
ETSI’s Smart Card Platform committee (TC SCP) develops and maintains specifications for the Secure Element (SE) and its interfaces with the outside world for use in telecommunication systems including the Internet of Things (IoT) and other industry sectors.
The technical realization of the Smart Secure Platform (SSP) consists of a multi-part specification. The first deliverable addresses generic portions of the SSP, regardless of its form factor and the physical interfaces it supports. The second and third address specific classes of the SSP: the SSP integrated on a System on Chip (SoC) and a specific type of embedded Secure Element. All three documents have been published. The next step is the development of the SSP for the other embedded form factors as well as for the removable form factors. In addition, a new protocol (SPI) for the Secure Element has been published. This will then provide a future-oriented technology to replace existing UICC technology. ETSI also develops the respective test documents for the SSP specifications to facilitate conformance and interoperability of the products.
ISO/TC 68/SC 7/WG 10 and ISO/IEC JTC 1/SC 17 - Cards and personal identification. ISO 12812 has been published. This includes five parts:
- ISO 12812-1: General Framework
- ISO 12812-2: Security and data protection for Mobile Financial Services
- ISO 12812-3: Financial Application Management
- ISO 12812-4: Mobile Payments to Persons
- ISO 12812-5: Mobile Payments to Businesses
Automatic identification and data capture techniques - ISO/IEC JTC1/SC31:
ISO/IEC 18004:2015 Automatic identification and data capture - QR code bar code symbology specification
ITU-T SG3 has launched work in the area of tariffs, economic and policy issues pertaining to Mobile Financial Services (MFS), including charging for MFS, Mobile Financial Services Transaction Cost Model, Consumer Protection in MFS and Interoperability for Competition in Mobile Financial Services.
ITU-T Focus Group Digital Financial Services (FG DFS) has published 85 recommendations for policymakers and DFS stakeholders, and deliverables addressing the DFS ecosystem challenges and providing best practices for consumer protection regulators, key performance indicators for quality of service for DFS and merchant acceptance for DFS. There are also deliverables related to DFS in the areas of interoperability, security, privacy, role of postal networks, competition, and enhancing digital credit. https://itu.int/en/ITU-T/focusgroups/dfs/Pages/deliverables.aspx
The Financial Inclusion Global Initiative (FIGI) was set up jointly by ITU, World Bank, Bank for International Settlements (BIS) and the Bill & Melinda Gates Foundation. The main objective of FIGI is to implement the recommendations of the FG DFS, the high-level principles of the Payment Aspects of Financial Inclusion (PAFI) report of the World Bank and the BIS at a country level over the next three years. https://www.itu.int/en/ITU-T/extcoop/figisymposium/Pages/FIGISITWG.aspx.
Relevant ITU work around digital currency is found in the Rolling Plan chapter on Blockchain.
ITU-T SG13 has approved two Recommendations on secure mobile payments and mobile banking solutions.
- ITU-T Y.2740 elaborates on approaches to develop system security for mobile commerce and mobile banking.
- ITU-T Y.2741 specifies the general architecture of a security solution for mobile commerce and mobile banking in modern telecommunication networks.
ITU-T SG12 is studying QoS and QoE aspects of digital financial services, including a methodology to test QoE.
The open web platform offers tremendous potential as the driver behind the transformation of the web payments industry. The platform forms the foundation of how online and in-store payments can be made easy on the web in the future. See https://www.w3.org/Payments/
The web payments working group is chartered to make payments easier and more secure on the web, through the development of new web standard protocols and APIs related to the initiation, confirmation, and completion of a payment. This serves to increase interoperability between payer and payee systems. The group is chartered to standardise programming interfaces, not user interfaces and not a new digital payment scheme. See https://www.w3.org/Payments/WG/
The web payments interest group is chartered to provide a forum for web payments technical discussions to identify use-cases and requirements for existing and/or new specifications to ease payments on the web for users (payers) and merchants (payees). It is also chartered to establish a common ground for payment service providers on the web platform. See https://www.w3.org/Payments/IG/
Other chartered standards groups, such as those on security, crypto, privacy or authentication (also accessibility and internationalisation), are of course coordinated closely with web payments, and a number of other community-driven groups at W3C are doing work related to payments, or that will improve the web overall including payments. These include:
- the Interledger payments community group, which seeks to connect the many payment networks (ledgers) around the world via the web,
- the financial industry business ontology (FIBO) community group, which is developing extensions to schema.org related to financial industries,
- the Blockchain Community Group, which is studying and evaluating technologies related to blockchain, and use-cases such as interbank communications.
NEXO and EPC
NEXO and the European Payments Council (EPC) currently focus on the protocols for card payments in the Eurozone and aim to replace the current mess of proprietary protocols. The EPC is also involved in SEPA and sees itself as the decision-making and coordination body for the European banking industry in relation to payments.
(C.2) Additional information
In general regarding card, internet and mobile payments, some stakeholders believe that the following issues should in particular be addressed: security, access and accessibility, management and portability of customer data, and transparency.
Card, internet and mobile payments are already standardised by a large number of organisations. This creates a diversity which may prevent the use of common infrastructures and common security standards. A common series of standards would be beneficial to all players in the market. A global view on standards in these areas is important as the payment market is global as are most existing standards.
The Web Payment Security Interest Group was launched on 17 April 2019 to enable W3C, EMVCo, and the FIDO Alliance to collaborate on a vision for Web payment security and interoperability. They are especially discussing how the Payment Services Directive 2 (PSD2) regulations in Europe, which are scheduled to take effect in September 2019, will affect Web payments and what the role of EMVCo, W3C, and FIDO technologies will be.