Thales Blog

SEPA Security – Time To Take Action

June 24, 2009

Although security is consistently high on financial institutions' agendas, there is a growing concern that it is still not being fully discussed in relation to SEPA. A report by the ECB outlines how far the framework dictates SEPA security requirements, stating: "the EPC (European Payments Council) has taken primarily interbank security into account, but has not specified end-to-end security issues" (1). If customers are to have confidence in using the new framework, banks must build on the requirements set out so far and address the end-to-end security of SEPA, from the customer who originates a payment to the account that receives it.

Measures are already in place to secure corporate-to-bank, bank-to-CSM (Clearing and Settlement Mechanism), and CSM-to-CSM SEPA transactions. The gap lies with consumers and SMEs, who have largely not yet been taken into account. With over 318 million people in the euro zone, closing it is no small task.

Arguably, the best protection for consumers and SMEs is the use of strong authentication credentials so that a transaction can be confirmed as genuine before it is processed. For consumers, it is difficult to conceive of a viable strong authentication scheme with a single central issuer of credentials for everyone: the population is too large, and a central issuer runs contrary to the federal nature of the EU. In addition, such an approach does not reflect the actual business relationship, which is between the consumer and their bank, not between the consumer and a central authority.

In the face of these challenges, banks are currently finding it difficult to make an informed decision about how to proceed with SEPA security. However, whilst many financial institutions are yet to implement a SEPA security strategy, the need to validate the identities of millions of individuals who are associated with thousands of different entities is not an unfamiliar prospect for UK financial institutions. Indeed, VocaLink, the automated clearing house employed by BACS Payment Schemes Limited, works to secure millions of BACS payments every day and can serve as an important example for financial institutions planning security for SEPA.

BACSTEL-IP uses digital signature validation to prove the identity of users and to protect payment instructions against accidental corruption and deliberate tampering. UK businesses have been issued with cryptographic smart cards by their banks. These cards hold digital certificates and keys issued under a Public Key Infrastructure (PKI), and the private key never leaves the card. Every payment instruction is digitally signed with that key, which ties the instruction to the signer and means that any alteration, accidental or deliberate, is detected when the signature is checked before the payment is processed.
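To make the mechanism described above concrete, the following Go program, written for this post and not taken from BACSTEL-IP, VocaLink or Thales, signs a payment instruction and then shows the three checks a receiving bank relies on: a genuine instruction verifies, an instruction whose amount was changed in transit fails, and a signature checked against a different customer's key fails. The record layout, the field names, the submitter directory and the choice of ECDSA P-256 over SHA-256 are assumptions for the example; the real scheme's message format and certificate profile are not shown on this page. The smart card is simulated by a software key pair.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PaymentInstruction is a constructed stand-in for a BACS-style payment
// record. The field set is an assumption for this example, not the
// BACSTEL-IP message format.
type PaymentInstruction struct {
	OriginatorSortCode  string
	OriginatorAccount   string
	BeneficiarySortCode string
	BeneficiaryAccount  string
	AmountPence         int64
	Reference           string
}

// Canonical renders the instruction as one deterministic byte string.
// Signer and verifier must derive exactly the same bytes, so field order is
// fixed and every field is length-prefixed; a value containing the "|"
// separator therefore cannot be confused with a field boundary.
func Canonical(p PaymentInstruction) []byte {
	fields := []string{
		p.OriginatorSortCode, p.OriginatorAccount,
		p.BeneficiarySortCode, p.BeneficiaryAccount,
		fmt.Sprintf("%d", p.AmountPence), p.Reference,
	}
	var out []byte
	for _, f := range fields {
		out = append(out, fmt.Sprintf("%d:%s|", len(f), f)...)
	}
	return out
}

// SignInstruction hashes the canonical form with SHA-256 and signs the digest
// with the submitter's private key (on the card in the real scheme; a software
// key here). The result is an ASN.1 DER encoded ECDSA signature.
func SignInstruction(priv *ecdsa.PrivateKey, p PaymentInstruction) ([]byte, error) {
	digest := sha256.Sum256(Canonical(p))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// SubmitterDirectory stands in for the bank's record of which public key
// (certificate) was issued to which customer. Assumed structure.
type SubmitterDirectory map[string]*ecdsa.PublicKey

// VerifyInstruction recomputes the digest over the instruction exactly as
// received and checks the signature against the key registered for the
// claimed submitter. Any change to the instruction, or a signature made under
// another customer's key, yields false.
func (d SubmitterDirectory) VerifyInstruction(submitter string, p PaymentInstruction, sig []byte) bool {
	pub, ok := d[submitter]
	if !ok {
		return false // unknown submitter: nothing to verify against
	}
	digest := sha256.Sum256(Canonical(p))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed sample: two customers, each issued a key pair.
	acmeKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	dir := SubmitterDirectory{"ACME-001": &acmeKey.PublicKey, "OTHER-002": &otherKey.PublicKey}

	instr := PaymentInstruction{"40-00-00", "12345678", "20-00-00", "87654321", 125000, "INV 4471"}
	sig, err := SignInstruction(acmeKey, instr)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine instruction verifies:", dir.VerifyInstruction("ACME-001", instr, sig))

	tampered := instr
	tampered.AmountPence = 1250000 // amount altered after signing
	fmt.Println("altered amount verifies:   ", dir.VerifyInstruction("ACME-001", tampered, sig))

	fmt.Println("wrong submitter verifies:  ", dir.VerifyInstruction("OTHER-002", instr, sig))
}
```

The length-prefixed canonical form is the part practitioners most often get wrong: if signer and verifier serialise the record differently, genuine payments are rejected, and if fields are simply concatenated, an attacker can move characters between fields without changing the bytes that were signed.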

Major requirements of the project included a scalable and flexible system able to support a potential 100,000 customers and over 100 million payment items per day. Perhaps most complex of all, it had to interoperate with 12 banks, each with its own security preferences. Euro zone banks planning for SEPA should treat this project as a best practice guide to implementing large scale, flexible authentication platforms.

(1) European Payments Council, Single Euro Payments Area: From Concept to Reality