(A.) Policy and legislation

(A.1) Policy objectives

The speed at which technological change in payments is happening requires targeted policy measures. The European Union aims to be a highly competitive payments market, allowing all players to compete on fair and equal terms to offer innovative digital payment solutions.

(A.2) EC perspective and progress report

Directive 2015/2366/EU (PSD2) set the foundation for safer and more innovative European payments. It aims at better protecting consumers when they pay online, promoting the development and use of innovative online and mobile payments, and making cross-border European payment services safer.

Payments have become strategic for the EU’s economic and financial autonomy. Digitalisation and innovation are quickly changing the way payments are made. Electronic (cashless) payments are becoming increasingly popular and the Covid-19 pandemic has further reinforced their importance, in particular with regard to contactless payments.

Today, the EU’s electronic payments market is dominated by a few large global players providing nearly all cross-border payments in the European market, in particular when the payments at the point of sale (such as in shops) are concerned. Payment solutions provided by European payment service providers and fintechs are often very successful but only at national level. One of the reasons why these solutions have been so far failing to expand across the European Union and beyond is that they are not interoperable with one another. An increasing number of these payment solutions rely on technologies such as QR-codes, Bluetooth (BLE) or Near Field Communication (NFC). The absence of common technical standards is one of the obstacles to achieving the interoperability of these solutions and QR-codes in particular suffer from an absence of EU-level standardisation.

In recognition of these problems, several initiatives led by the European Retail Payments Board (ERPB) and the European Payments Council (EPC) have been launched, aimed at adopting common European schemes and rules. This standardisation and harmonisation work aims to ensure the interoperability of instant payment solutions in shops and e-commerce. In particular, the ERPB Working Group on instant payments at the point of interaction (physical point of sale and e-commerce) has recognised the need for a standardised QR-code for both merchant-presented and consumer-presented use cases. The Working Group will develop the minimum data set to be exchanged in standardized QR-codes between the merchant and the consumer.

Provided that the market factors are duly taken into account, resolving the issue of missing standards will make it easier for payment services providers and merchants alike to reach critical mass by making use of the digital single market and committing to make the necessary investments.

(A.3) References

(B.) Requested actions

Action 1: ESOs to work with stakeholders on a single, open and secure European technical standard for QR-codes to support the uptake and interoperability of instant payments.

(C.) Activities and additional information

(C.1) Related standardisation activities

CEN/TC 224 ‘Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment’ develops standards for strengthening the interoperability, security and privacy of personal identification and its related personal devices. CEN/TC 224 addresses providers from the supply side such as card manufacturers, security technology, conformity assessment body and software manufacturers.


EMV® QR Code Specification for Payment Systems: Merchant-Presented Mode and EMV® QR Code Specification for Payment Systems: Consumer Presented Mode are ISO 18004 compliant. The current versions of these specifications are available from:


ETSI’s Smart Card Platform committee (TC SCP) develops and maintains specifications for the Secure Element (SE) and its interfaces with the outside world for use in telecommunication systems including the Internet of Things (IoT) and other industry sectors.

The technical realisation of the SSP consists of a multi-part specification. Our first deliverable addresses generic portions of the SSP, regardless of its form factor and the physical interfaces it supports. The second and third address specific classes of the SSP – the SSP integrated on a System on Chip (SoC) and a specific type of an embedded Secure Element. All three documents have been published. The next step is the development of the SSP for the other embedded as well as for the removable form factors. In addition, a new protocol (SPI) for the Secure Element has been published. This will then provide a future oriented technology to replace existing UICC technology. ETSI has also developed the respective test documents for the SSP specifications to facilitate conformance and interoperability of the products.


ISO/IEC JTC 1/SC 9 - Information exchange for financial services. ISO 12812 has been published. This includes five parts:

ISO 12812-1: General Framework

ISO 12812-2: Security and data protection for Mobile Financial Services

ISO 12812-3: Financial Application Management

ISO 12812-4: Mobile Payments to Persons

ISO 12812-5: Mobile Payments to Businesses

ISO/IEC JTC1/SC31 Automatic identification and data capture techniques:

ISO/IEC 18004:2015 Automatic identification and data capture - QR code bar code symbology specification


ITU-T SG3 continues work in the area of tariffs, economic and policy issues pertaining to Mobile Financial Services (MFS) through Question 12/3, including charging for MFS, Mobile Financial Services Transaction Cost Model, Consumer Protection in MFS and Interoperability for Competition in Mobile Financial Services.

ITU-T Focus Group Digital Financial Services (FG DFS) has published 85 recommendations for policymakers and DFS stakeholders, along with deliverables that address the DFS ecosystem challenges and provide best practices for consumer protection regulators, key performance indicators for quality of service for DFS and merchant acceptance for DFS. There are also deliverables related to DFS in the areas of interoperability, security, privacy, role of postal networks, competition, and enhancing digital credit.

The Financial Inclusion Global Initiative (FIGI) was set up jointly by ITU, the World Bank, the Bank for International Settlements (BIS) and the Bill & Melinda Gates Foundation in 2017. The main objective of FIGI is to implement the recommendations of the FG DFS, the high-level principles of the Payment Aspects of Financial Inclusion (PAFI) report of the World Bank and the BIS at a country level over the next three years. ITU established a Digital Financial Services (DFS) Security Lab under FIGI to conduct security audits of mobile payment applications operating under USSD, STK and Android environments. The DFS Security Lab methodology for testing of Android mobile payment applications is based on the OWASP Mobile Top 10 security risks. The FIGI Security, Infrastructure and Trust Working Group, which is led by ITU, published a number of reports on security for digital financial services on topics such as strong authentication methodologies, addressing SS7 vulnerabilities, eKYC use cases for DFS, security assurance framework for DFS, security tests for USSD and STK applications, security audit of Android DFS applications, DLT security aspects and DFS Consumer Competency Framework, amongst others. More details about the reports are available here:

In March 2020, ITU-T SG11 finalised and consented the baseline text of ITU-T Q.3057 (ex. Q.SR-Trust) “Signalling requirements and architecture for interconnection between trustable network entities”.

ITU-T SG11 started a draft technical report on low resource requirement, quantum resistant encryption of USSD messages for use in financial services. Its purpose is to examine new technologies for encrypting USSD in an end-to-end manner and to estimate their applicability for integration into existing USSD technology, suggesting a new recommendation and signalling requirements for the integration of such technology into the existing reference architecture.

Relevant ITU work around digital currency is found in the Rolling Plan chapter on Blockchain.

ITU-T SG13 has approved two Recommendations on secure mobile payments and mobile banking solutions.

  • ITU-T Y.2740 elaborates on approaches to develop system security for mobile commerce and mobile banking.
  • ITU-T Y.2741 specifies the general architecture of a security solution for mobile commerce and mobile banking in modern telecommunication networks.

ITU-T SG12 is studying QoS and QoE aspects of digital financial services, including a methodology to test QoE. Two new ITU-T Recommendations were approved in ITU-T SG12 on digital financial services:

  • New Recommendation ITU-T G.1033 highlights important aspects related to quality of service (QoS) and quality of experience (QoE) that require consideration in the context of digital financial services.
  • New Recommendation ITU-T P.1502 introduces a methodology for testing the quality of experience (QoE) of digital financial services.

The Recommendations are based on the results of the ITU-T Focus Group on Digital Financial Services and the FIGI Security, Infrastructure and Trust Working Group. A new question (Q.13) was created in ITU-T SG12 on Perceptual and field assessment principles for quality of service (QoS) and quality of experience (QoE) of digital financial services (DFS) – all DFS QoS recommendations including the interoperability and cross border QoS testing will be standardized in this question.


The open web platform offers tremendous potential as the driver behind the transformation of the web payments industry. The platform forms the foundation of how online and in-store payments can be made easy on the web in the future.

The web payments working group is chartered to make payments easier and more secure on the web, through the development of new web standard protocols and APIs related to the initiation, confirmation, and completion of a payment. This serves to increase interoperability between payer and payee systems. The group is chartered to standardise programming interfaces, not user interfaces and not a new digital payment scheme.

The web payments interest group is chartered to provide a forum for web payments technical discussions to identify use-cases and requirements for existing and/or new specifications to ease payments on the web for users (payers) and merchants (payees). It is also chartered to establish a common ground for payment service providers on the web platform.

Other chartered groups (doing standards) are of course coordinated closely with web payments, such as security, crypto, privacy or authentication (also accessibility and internationalisation) and a number of other community-driven groups at W3C are doing work related to payments, or that will improve the web overall including payments. These include:

  • the Interledger payments community group, which seeks to connect the many payment networks (ledgers) around the world via the web,
  • the financial industry business ontology (FIBO) community group, which is developing extensions to related to financial industries,
  • the Blockchain Community Group, which is studying and evaluating technologies related to blockchain, and use-cases such as interbank communications.


NEXO and EPC

NEXO and the European Payments Council (EPC) currently focus on the protocols for card payments in the Eurozone and aim to replace the current mess of proprietary protocols. The EPC is also involved in SEPA and sees itself as the decision-making and coordination body for the European banking industry in relation to payments.

(C.2) Additional information

In general regarding card, internet and mobile payments, some stakeholders believe that the following issues should in particular be addressed: security, access and accessibility, management and portability of customer data, and transparency.

Card, internet and mobile payments are already standardised by a large number of organisations. This creates a diversity which may prevent the use of common infrastructures and common security standards. A common series of standards would be beneficial to all players in the market. A global view on standards in these areas is important as the payment market is global as are most existing standards.

The Web Payment Security Interest Group was launched on 17 April 2019 to enable W3C, EMVCo, and the FIDO Alliance to collaborate on a vision for Web payment security and interoperability. They are especially discussing how the Payment Services Directive 2 (PSD2) regulations in Europe, which took effect in September 2019, will affect Web payments and what the role of EMVCo, W3C, and FIDO technologies will be.