Company Name: iSignthis
Announcement Date: 02/06/2016
Announcement Category: Product launch/update
Announcement Content:
More and more merchants are now starting to rely on card vaulting with their payment service provider (PSP), where the PSP stores the card details on behalf of the merchant, and a tokenised payment means is used.
One of the challenges faced by merchants, cart providers and PSP's is to actually ensure that the card that is being vaulted is actually being presented by the legitimate card owner. For now, merchants can simply "vault" the card, without the need for any ownership checks. That is all about to change in the SEPA zone.
Card On-boarding / Registration under PSD2 Article 98
Article 98 of the PSD2 provides of the European Banking Authority (EBA) to consult with and make regulations for industry.
As most of us in payments are aware, that process was finalised by the EBA some time back as the 'Guidelines for the Security of Internet Payments' or SecuRE Pay.
SecuRE Pay appears to be somewhat silent on the matter of card vaulting, until you consider that a card vault is really just a another way to say that the PSP will store a card within a 'wallet' operated by that licensed PSP, on behalf of multiple merchants.
SecuRE Pay's definitions on Page 12 define:
"Wallet solutions means solutions that allow a customer to register data relating to one or more payment instruments in order to make payments with several e-merchants."
So, does acquiring side tokenisation or card vaulting fit within that definition? We believe that it does, as its function is covered by the definitions, even if terminology varies between regulator and industry. In any case, registration of a card presents a very real security issue, and represents a flaw in the present approach.
Lets then circle back to Page 10, Item 7 of SecuRE Pay, where the us elf Strong Customer Authentication is mandated:
"[cards] the execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in ’wallet solutions’;"
The "......registration of card payment data for use in ’wallet solutions’ " appears to be very broad, and inclusive of all Wallet types, such as online stored value, instant payments (remote), tokenisation/vaulting or local NFC payments, where the internet is involved and a browser based interface is used and/or cards are involved. Basically, any PSP operated facility that allows for payments to more than one merchant will fall into this category.
The SecuRE Pay requirements then go on to state @ 7.6 : " [cards] For the card payment schemes accepted by the service, providers of wallet solutions should require strong authentication by the issuer when the legitimate holder first registers the card data."
If a merchant is PCI certified, and able to store the card on their side, then that may be one approach that circumvents the SecuRE Pay requirement - however, that raises other challenges for the merchant, that may be best addressed by its PSP's. Its also a risky approach given that the rest of the SEPA zone will be "locked down" by SecuRE Pay - and fraudsters always gravitate to the weakest point.
iSignthis rolled out PCI DSS level 1 certified and PSD2 compliant Card Vaulting / Tokenisation to Coinify.com last month, using our patented payment instrument verification process.
If card vaulting is something that interests your organisation (be you a merchant or a PSP), then, please get in touch with us [email protected] to discuss how we can help.
Announcement URL: https://www.linkedin.com/pulse/card-vaulting-acquiring-side-tokenisation-john-karantzis?trk=hb_ntf_MEGAPHONE_ARTICLE_POST
About iSignthis:
Australian Securities and Frankfurt Stock Exchange listed iSignthis Ltd (ASX : ISX / FRA : TA8) is the only neobank focussed on making business banking simpler. We are the global leader in remote identity verification, payment authentication and payment processing to meet AML/CFT requirements. iSignthis provides an end-to-end on-boarding service for merchants, with unified deposit taking, IBAN accounts, payments, card acquiring and identity service via our Paydentity and ISXPay® solutions.
By converging payments and identity, iSignthis delivers regulatory compliance to an enhanced customer due diligence standard. We offer global reach to any of the world’s 4.2Bn ‘bank verified’ card or account holders, that can be remotely on-boarded to regulated merchants in as little as 3 to 5 minutes.
iSignthis is the trusted back office solution for regulated entities, allowing our customers to stay ahead of the regulatory curve and focus on growing their core business.
We are a principal of Visa, Mastercard, JCB, ChinaUnionPay and AMEX.
Go to Company Profile for: iSignthis
Announcement Contact: [email protected]