
Retail Payments (RP2023)

(A.) Policy and legislation

(A.1) Policy objectives

The speed at which technological change in payments is happening requires targeted policy measures. The European Union aims to be a highly competitive payments market, allowing all players to compete on fair and equal terms to offer innovative digital payment solutions.

(A.2) EC perspective and progress report

Directive (EU) 2015/2366 (PSD2) set the foundation for safer and more innovative European payments. It aims at better protecting consumers when they pay online, promoting the development and use of innovative online and mobile payments, and making cross-border European payment services safer.

Payments have become strategic for the EU’s economic and financial autonomy. Digitalisation and innovation are quickly changing the way payments are made. Electronic (cashless) payments are becoming increasingly popular and the Covid-19 pandemic has further reinforced their importance, in particular with regard to contactless payments.

Today, the EU’s electronic payments market is dominated by a few large global players that provide nearly all cross-border payments in the European market, in particular for payments at the point of sale (such as in shops). Payment solutions provided by European payment service providers and fintechs are often very successful, but only at national level. One of the reasons these solutions have so far failed to expand across the European Union and beyond is that they are not interoperable with one another. An increasing number of these payment solutions rely on technologies such as QR-codes, Bluetooth Low Energy (BLE) or Near Field Communication (NFC). The absence of common technical standards is one of the obstacles to achieving the interoperability of these solutions.

In recognition of these problems, several initiatives led by the European Retail Payments Board (ERPB) and the European Payments Council (EPC) have been launched, aimed at adopting common European schemes and rules. This standardisation and harmonisation work aims to ensure the interoperability of instant payment solutions in shops and e-commerce. In particular, the ERPB Working Group on instant payments at the point of interaction (physical point of sale and e-commerce) has recognised the need for a standardised QR-code for both merchant-presented and consumer-presented use cases. A dedicated multi-stakeholder group was set up under the auspices of the EPC, which developed new technical specifications for QR-codes for mobile-initiated credit transfers in various contexts (P2P, C2B, B2C and B2B) (EPC024-22). The final draft document went through an 8-week public consultation that closed on 14 April 2022. The group plans to submit the specifications to an international standardisation body yet to be decided (e.g. ISO, CEN). The group has also started work on a further interoperability analysis and potential standardisation of mobile-initiated credit transfers based on other proximity technologies (NFC and BLE), with the specifications expected by end 2022.

Provided that market factors are duly taken into account, resolving the issue of missing standards will make it easier for payment service providers and merchants alike to reach critical mass by making use of the digital single market and committing to the necessary investments.

(A.3) References

(B.) Requested actions

Action 1: ESOs to work with stakeholders on a single, open and secure European technical standard for QR-codes to support the uptake and interoperability of instant payments.

(C.) Activities and additional information 

(C.1) Related standardisation activities
CEN

CEN/TC 224 'Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment' develops standards that strengthen the interoperability, security and privacy of personal identification and its related personal devices. CEN/TC 224 addresses supply-side providers such as card manufacturers, security technology vendors, conformity assessment bodies and software manufacturers.

https://standards.cen.eu/dyn/www/f?p=204:7:0::::FSP_ORG_ID:6205&cs=1FB1CC5B5F03F85F0ECCECA7598551CFC 

EMVCo

EMV® QR Code Specification for Payment Systems: Merchant-Presented Mode and EMV® QR Code Specification for Payment Systems: Consumer-Presented Mode are both compliant with ISO/IEC 18004. The current versions of these specifications are available from: https://www.emvco.com/emv-technologies/qrcodes/
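The QR-code standardisation work described under (A.2) and the EMVCo merchant-presented specification referenced here both rest on a small, fixed payload layout that the payer's app has to parse before it can trust a merchant name or an amount. The following Python is an added example, not code from this page, from EMVCo or from the EPC: it parses a merchant-presented EMV QR payload and checks its CRC before any field is used. The TLV layout (two-digit object ID, two-digit length, value) and the CRC parameters (CRC-16 per ISO/IEC 13239, polynomial 0x1021, initial value 0xFFFF, computed over all preceding data plus the "6304" header of the CRC object) follow the public EMVCo Merchant-Presented Mode specification as the author of this example understands it; the merchant account template "26" with the placeholder identifier com.example.pay, the account reference ACC12345, and every other sample value are constructed for the example and do not belong to any real scheme.

```python
"""Parse and integrity-check an EMV QR Code (Merchant-Presented Mode) payload.

Added example: the payload is a string of TLV data objects (two-digit ID,
two-digit length, value).  Object "63" carries a CRC-16 (ISO/IEC 13239,
polynomial 0x1021, initial value 0xFFFF) computed over every preceding
character plus the CRC object's own ID and length, i.e. the text "6304".
Sample data below is ASCII, so character and byte lengths coincide.
"""
from __future__ import annotations

ID_PAYLOAD_FORMAT = "00"    # must be "01"
ID_INITIATION = "01"        # "11" static QR, "12" dynamic (one-off, with amount)
ID_MERCHANT_ACCOUNT = "26"  # first of the merchant-account-information templates
ID_MCC = "52"
ID_CURRENCY = "53"          # ISO 4217 numeric code
ID_AMOUNT = "54"
ID_COUNTRY = "58"
ID_MERCHANT_NAME = "59"
ID_MERCHANT_CITY = "60"
ID_CRC = "63"


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def _two_digits(s: str) -> bool:
    return len(s) == 2 and all("0" <= c <= "9" for c in s)


def encode_tlv(obj_id: str, value: str) -> str:
    """Serialise one data object; the two-digit length field caps values at 99 characters."""
    if not _two_digits(obj_id):
        raise ValueError(f"bad object id {obj_id!r}")
    if len(value) > 99:
        raise ValueError("value exceeds two-digit length field")
    return f"{obj_id}{len(value):02d}{value}"


def build_payload(objects: list[tuple[str, str]]) -> str:
    """Serialise (id, value) pairs in order and append a correct CRC object."""
    body = "".join(encode_tlv(i, v) for i, v in objects) + ID_CRC + "04"
    return body + f"{crc16_ccitt(body.encode('utf-8')):04X}"


def parse_payload(payload: str) -> dict[str, str]:
    """Split the payload into {id: value}; raise ValueError on any structural or CRC fault."""
    objects: dict[str, str] = {}
    pos = 0
    while pos < len(payload):
        obj_id, length_str = payload[pos:pos + 2], payload[pos + 2:pos + 4]
        if not (_two_digits(obj_id) and _two_digits(length_str)):
            raise ValueError(f"malformed object header at offset {pos}")
        start, end = pos + 4, pos + 4 + int(length_str)
        if end > len(payload):
            raise ValueError(f"object {obj_id} overruns the payload")
        if obj_id in objects:
            raise ValueError(f"duplicate object {obj_id}")
        objects[obj_id] = payload[start:end]
        pos = end
        if obj_id == ID_CRC and pos != len(payload):
            raise ValueError("data present after the CRC object")
    if objects.get(ID_PAYLOAD_FORMAT) != "01":
        raise ValueError("unexpected or missing payload format indicator")
    crc_field = objects.get(ID_CRC, "")
    if len(crc_field) != 4:
        raise ValueError("missing or malformed CRC object")
    # The CRC covers everything up to and including the "6304" header.
    expected = f"{crc16_ccitt(payload[:-4].encode('utf-8')):04X}"
    if crc_field.upper() != expected:
        raise ValueError(f"CRC mismatch: got {crc_field}, expected {expected}")
    return objects


def is_valid(payload: str) -> bool:
    try:
        parse_payload(payload)
        return True
    except ValueError:
        return False


# Constructed sample: a dynamic code for EUR 12.50 at a fictitious merchant.
# Template "26" nests its own TLVs; "com.example.pay" and "ACC12345" are
# placeholders, not a real scheme identifier or account.
SAMPLE_OBJECTS = [
    (ID_PAYLOAD_FORMAT, "01"),
    (ID_INITIATION, "12"),
    (ID_MERCHANT_ACCOUNT, encode_tlv("00", "com.example.pay") + encode_tlv("01", "ACC12345")),
    (ID_MCC, "5812"),
    (ID_CURRENCY, "978"),
    (ID_AMOUNT, "12.50"),
    (ID_COUNTRY, "DE"),
    (ID_MERCHANT_NAME, "Example Cafe"),
    (ID_MERCHANT_CITY, "Berlin"),
]
SAMPLE_PAYLOAD = build_payload(SAMPLE_OBJECTS)

if __name__ == "__main__":
    fields = parse_payload(SAMPLE_PAYLOAD)
    print(SAMPLE_PAYLOAD)
    print(f"pay {fields[ID_CURRENCY]} {fields[ID_AMOUNT]} to {fields[ID_MERCHANT_NAME]}")
    # A same-length edit of the amount that leaves the CRC untouched is rejected.
    print("tampered accepted:", is_valid(SAMPLE_PAYLOAD.replace("12.50", "99.50")))
```

The parser refuses truncated objects, duplicate IDs and trailing data so that an unexpected layout cannot be silently reinterpreted, and it checks the CRC before returning any field. The caveat a practitioner should keep in mind is that the CRC has no key: it catches corruption and careless edits, but anyone who can replace a printed code can recompute it, so authenticity of the merchant and amount has to come from the scheme layer (how the merchant account identifier is resolved and confirmed), which is exactly the interoperability and security ground the standards listed in this section are meant to cover.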

ETSI

ETSI’s Secure Element Technologies committee (TC SET) develops and maintains specifications for the Secure Element (SE), e.g. the UICC or the SSP and its interfaces with the outside world for use in telecommunication systems including the Internet of Things (IoT) and other industry sectors.

The technical realisation of the SSP consists of a multi-part specification. The first deliverable addresses the generic portions of the SSP, regardless of its form factor and the physical interfaces it supports. Three further parts address specific classes of SSP: the SSP integrated on a System on Chip (SoC) and two specific classes of embedded Secure Element. All four documents have been published. In addition, new protocols (SPI and I3C) for the Secure Element have been published. This provides a future-oriented technology to replace existing UICC technology. ETSI has also developed the corresponding test documents for the SSP specifications to facilitate conformance and interoperability of products.

TC SET continues to improve UICC technology by adding the possibility to host and address several virtual Secure Elements embedded in the same hardware component. This allows multiple virtual Secure Elements to coexist, logically separated, and to be addressed independently through the same physical interface. This technology is the basis for a new feature defined in GSMA RSP that allows multiple subscriptions to a mobile network to be active in a mobile phone using just one eSIM. It also offers the means to embed independent identity (e.g. eIDAS), payment or transport applications in the same physical secure element as the eSIM.

ISO

ISO/TC 68/SC 9 has published the ISO 12812 series on mobile financial services, in five parts:

ISO 12812-1: General Framework

ISO 12812-2: Security and data protection for Mobile Financial Services

ISO 12812-3: Financial Application Management

ISO 12812-4: Mobile Payments to Persons

ISO 12812-5: Mobile Payments to Businesses 

ISO/IEC JTC 1/SC 31 (Automatic identification and data capture techniques):

ISO/IEC 18004:2015 Information technology - Automatic identification and data capture techniques - QR Code bar code symbology specification

ITU-T

ITU-T SG3 continues work in the area of tariffs, economic and policy issues pertaining to Mobile Financial Services (MFS) through Question 12/3, including charging for MFS, Mobile Financial Services Transaction Cost Model, Consumer Protection in MFS and Interoperability for Competition in Mobile Financial Services.

ITU-T Focus Group Digital Financial Services (FG DFS) has published 85 recommendations for policymakers and DFS stakeholders, together with deliverables addressing the challenges of the DFS ecosystem and providing best practices for consumer protection regulators, key performance indicators for quality of service for DFS, and merchant acceptance of DFS. There are also deliverables on interoperability, security, privacy, the role of postal networks, competition, and enhancing digital credit.
https://itu.int/en/ITU-T/focusgroups/dfs/Pages/deliverables.aspx

The Financial Inclusion Global Initiative (FIGI) was set up jointly by ITU, the World Bank, the Bank for International Settlements (BIS) and the Bill & Melinda Gates Foundation in 2017 and completed its work in September 2021. The main objective of FIGI was to implement, at country level over three years, the recommendations of the FG DFS and the high-level principles of the Payment Aspects of Financial Inclusion (PAFI) report of the World Bank and the BIS (see https://figi.itu.int). ITU established a Digital Financial Services (DFS) Security Lab under FIGI to conduct security audits of mobile payment applications operating in USSD, STK and Android environments (see https://figi.itu.int/figi-resources/dfs-security-lab/). The DFS Security Lab methodology for testing Android mobile payment applications is based on the OWASP Mobile Top 10 security risks, and the plan is to develop it as a digital public good since it relies mainly on open source software tools. The FIGI Security, Infrastructure and Trust Working Group, led by ITU, published a number of reports on security for digital financial services on topics such as strong authentication methodologies, addressing SS7 vulnerabilities, eKYC use cases for DFS, a security assurance framework for DFS, security tests for USSD and STK applications, security audits of Android DFS applications, technical guidelines for securing mobile payment applications, DLT security aspects and a DFS consumer competency framework, amongst others. More details about the reports are available at https://figi.itu.int/figi-resources/working-groups/.

As part of the activities of the DFS Security Lab in 2022, the security recommendations for mobile payments, and those addressing the vulnerabilities of telecommunications infrastructure and digital payment applications, are being implemented in developing countries. Countries interested in setting up a Security Lab so that they can conduct security audits of mobile payment applications can also contact ITU; so far some four countries in Africa and Latin America have expressed such an interest.

In March 2020, ITU-T SG11 finalised and consented the baseline text of ITU-T Q.3057 (formerly Q.SR-Trust), “Signalling requirements and architecture for interconnection between trustable network entities”.

ITU-T SG11 has started a draft technical report on low-resource, quantum-resistant encryption of USSD messages for use in financial services. Its purpose is to examine new technologies for end-to-end encryption of USSD, to assess their applicability for integration into existing USSD technology, and to propose a new Recommendation and signalling requirements for integrating such technology into the existing reference architecture.

Relevant ITU work around digital currency is found in the Rolling Plan chapter on Blockchain.

ITU-T SG13 has approved two Recommendations on secure mobile payments and mobile banking solutions.

  • ITU-T Y.2740 elaborates on approaches to develop system security for mobile commerce and mobile banking.
  • ITU-T Y.2741 specifies the general architecture of a security solution for mobile commerce and mobile banking in modern telecommunication networks.

ITU-T SG12 is studying QoS and QoE aspects of digital financial services, including a methodology to test QoE. Two new ITU-T Recommendations were approved in ITU-T SG12 on digital financial services:

  1. New Recommendation ITU-T G.1033 highlights important aspects related to quality of service (QoS) and quality of experience (QoE) that require consideration in the context of digital financial services.
  2. New Recommendation ITU-T P.1502 introduces a methodology for testing the quality of experience (QoE) of digital financial services.

The Recommendations are based on the results of the ITU-T Focus Group on Digital Financial Services and the FIGI Security, Infrastructure and Trust Working Group. A new Question (Q.13) was created in ITU-T SG12 on perceptual and field assessment principles for quality of service (QoS) and quality of experience (QoE) of digital financial services (DFS); all DFS QoS Recommendations, including interoperability and cross-border QoS testing, will be standardised under this Question.

W3C

The open web platform offers tremendous potential as the driver behind the transformation of the web payments industry. The platform forms the foundation for how online and in-store payments can be made easy on the web in the future. See https://www.w3.org/Payments/

The Web Payments Working Group is chartered to make payments easier and more secure on the web through the development of new web standard protocols and APIs related to the initiation, confirmation, and completion of a payment. This serves to increase interoperability between payer and payee systems. The group is chartered to standardise programming interfaces, not user interfaces, and not a new digital payment scheme. See https://www.w3.org/Payments/WG/

The Web Payments Interest Group is chartered to provide a forum for web payments technical discussions, to identify use cases and requirements for existing and/or new specifications that ease payments on the web for users (payers) and merchants (payees). It is also chartered to establish common ground for payment service providers on the web platform. See https://www.w3.org/Payments/IG/

Other chartered groups (doing standards work) are of course closely coordinated with web payments, such as those on security, cryptography, privacy and authentication (also accessibility and internationalisation), and a number of other community-driven groups at W3C are doing work related to payments, or that will improve the web overall, including payments. These include:

  • the Interledger payments community group, which seeks to connect the many payment networks (ledgers) around the world via the web,
  • the financial industry business ontology (FIBO) community group, which is developing extensions to schema.org related to financial industries,
  • the Blockchain Community Group, which is studying and evaluating technologies related to blockchain, and use-cases such as interbank communications.

NEXO and EPCNEXO

NEXO and EPCNEXO and the European Payments Council (EPC) currently focus on card payment protocols in the Eurozone and aim to replace the current patchwork of proprietary protocols. The EPC is also involved in SEPA and sees itself as the decision-making and coordination body for the European banking industry in relation to payments.

(C.2) Additional information

In general regarding card, internet and mobile payments, some stakeholders believe that the following issues should in particular be addressed: security, access and accessibility, management and portability of customer data, and transparency.

Card, internet and mobile payments are already standardised by a large number of organisations. This creates a diversity which may prevent the use of common infrastructures and common security standards. A common series of standards would be beneficial to all players in the market. A global view on standards in these areas is important as the payment market is global as are most existing standards.

The Web Payment Security Interest Group was launched on 17 April 2019 to enable W3C, EMVCo, and the FIDO Alliance to collaborate on a vision for Web payment security and interoperability. They are especially discussing how the Payment Services Directive 2 (PSD2) regulations in Europe that took effect in September 2019 will affect Web payments, and what the role of EMVCo, W3C, and FIDO technologies will be.