SEPA Security - Lessons Worth Learning from the Past

The introduction of Single Euro Payments Area (SEPA) credit transfers in January this year was the first milestone towards SEPA and acted as an important first step along the road to full compliance by 2010. A little over four months since this achievement, however, financial institutions are already facing the next set of deadlines and projects to make full compliance a reality. While banks are naturally channelling their energies into becoming SEPA compliant so they are able to ‘tick the box’, they are currently underestimating the increased security risk that the new banking instruments present.

Beyond the ECB Framework

Although ‘security’ is a word that is uttered thousands of times a day by financial institutions trying to reduce fraud losses and improve customer perception, there is a growing concern that it is still not being fully discussed in relation to SEPA. A report by the European Central Bank (ECB) outlines how far the framework dictates the security requirements of SEPA, stating: “The European Payments Council (EPC) has taken primarily interbank security into account, but has not specified end-to-end security issues.” If customers are to have confidence in using the new framework, banks must begin to build on the requirements set out by the ECB and consider the end-to-end security of SEPA.

However, not all areas of SEPA security are being overlooked. Measures are already in place to secure corporate-to-bank, bank-to-CSM (clearing and settlement mechanism), and CSM-to-CSM SEPA transactions. The issue lies with consumers and small- and medium-sized enterprises (SMEs) that have largely not yet been taken into account. With over 318 million people in the eurozone, this is no small task.

Securing Millions of People

Arguably, the best protection for consumers and SMEs is the use of strong authentication credentials to ensure transactions are genuine before they are processed. To do this, the identity of the initiator must be authenticated. User names and passwords are simply not enough.

For consumers, it is difficult to conceive of a viable strong authentication scheme with a central issuer of credentials that is used by all, as there are just too many consumers involved. It is also contrary to the federal nature of the EU. In addition, such an approach does not reflect the business relationship, which is between consumer and bank, not between the consumer and a central authority.

Facing these challenges in a brand new environment, banks are currently finding it difficult to make an informed decision about how best to proceed with SEPA security. However, while many financial institutions are yet to implement a SEPA security strategy, the need to validate the identities of millions of individuals who are associated with thousands of different entities is not an unfamiliar prospect for UK financial institutions. Indeed, VocaLink, the automated clearing house employed by BACS Payment Schemes Limited (BACS), works to secure millions of BACS payments and can serve as an important example for financial institutions that are planning their response to the security threat of SEPA.

BACSTEL-IP: a Best Practice Example for SEPA Security

VocaLink is owned by the major UK clearing banks and currently serves over 100,000 companies, including all the FTSE 100. In order to process automated payments, VocaLink has to receive payment files from businesses. This transmission used to take place over telephone lines until BACSTEL-IP was developed by VocaLink and completed in 2005, on behalf of its principal customer BACS. BACSTEL-IP facilitates secure payment transmissions through Internet Protocol. Benefits from this include increased security for automated payments and a system that will support the growing volumes of payments in the UK. The customer migration to this new channel has offered businesses cost savings and more flexibility to incorporate new payment services in the future. But with such a prestigious reputation to protect, VocaLink had to put security at the centre of its plans.

The process

VocaLink chose a solution that uses digital signature validation to prove the identity of all users and protects all payment transactions from tampering or corruption. UK businesses have been issued with cryptographic smart cards by their banks. These cards contain digital certificates and keys, issued under a public key infrastructure (PKI), which are used to digitally sign all payment instructions, tying them to the signer and ensuring that they cannot be accidentally or deliberately altered.
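The signing and validation step described above, as an added illustration that is not VocaLink's or BACSTEL-IP's own code: the record layout, customer identifiers and an in-memory ECDSA key standing in for the bank-issued smart card are all assumptions. The registry of public keys plays the role the PKI plays in the real system, so a valid signature both authenticates the submitter and proves the instruction was not altered.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// PaymentInstruction is a constructed, simplified record for illustration;
// the real BACSTEL-IP file format is not described on this page.
type PaymentInstruction struct {
	Submitter string // assumed customer identifier, e.g. "CUST-0001"
	Payee     string
	Pence     int64
}

// canonical returns the exact bytes that are signed; changing any field
// changes these bytes, which is what makes tampering detectable.
func canonical(p PaymentInstruction) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d", p.Submitter, p.Payee, p.Pence))
}

// Sign stands in for the smart card: in production the private key never
// leaves the card, here it is an in-memory key (assumption).
func Sign(priv *ecdsa.PrivateKey, p PaymentInstruction) ([]byte, error) {
	h := sha256.Sum256(canonical(p))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify looks up the public key registered for the submitter (the PKI's role)
// and checks the signature over the canonical bytes. An unknown submitter or
// any alteration of the instruction makes this return false.
func Verify(registry map[string]*ecdsa.PublicKey, p PaymentInstruction, sig []byte) bool {
	pub, ok := registry[p.Submitter]
	if !ok {
		return false // no credential on file for this submitter
	}
	h := sha256.Sum256(canonical(p))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	registry := map[string]*ecdsa.PublicKey{"CUST-0001": &priv.PublicKey}
	p := PaymentInstruction{Submitter: "CUST-0001", Payee: "GB-ACCT-42", Pence: 12500}
	sig, _ := Sign(priv, p)
	fmt.Println("genuine verifies:", Verify(registry, p, sig))
	p.Pence = 1250000 // alteration after signing
	fmt.Println("altered verifies:", Verify(registry, p, sig))
}
```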

Although simple in theory, the actual implementation of this security system faced a number of challenges similar to those SEPA now faces. The sheer size and nature of the organisations involved made it seem a daunting task. Major requirements of the project included a scalable and flexible system to meet potential customer numbers of 100,000 users and over 100 million payment items per day. Perhaps the most complex component was that it had to interoperate with 12 banks, all of which had separate preferences for which PKI platform and smart cards they wished to use.

The challenge to create a security system for multiple parties was to provide the capability to support the simultaneous connection to multiple banks. As with the requirements for SEPA, the processing system for BACSTEL-IP has to respond to requests from different banks that adhere to different rules, while maintaining its high level of security. Eurozone banks can learn from the development of such a flexible authentication platform as a guide to how such a large-scale security project can be achieved.

Teamwork and testing

To ensure such a critical system was suitable for the challenge, specialist engineers worked with VocaLink to test the smart card components and to build a pre-production system. This allowed test data to be processed end to end through the payment processing system.

With hard evidence that the project would succeed, the next challenge was to move beyond the testing phase and roll out a fully operable system to businesses around the UK. Customer education was of paramount importance and it was vital to the success of the project to ensure that all parties understood the capabilities of the authentication platform.

Benefits of BACSTEL-IP

The system today works smoothly with 12 banks, seven different public key infrastructure systems and numerous smart card manufacturers. The system can authenticate UK businesses as they access the system, trace all the transactions that have been made by any user and produce an audit trail for every transaction processed – also key requirements for the successful and secure implementation of SEPA.

The authentication platform enables banks to interoperate without having to compromise their freedom of choice over PKIs and smart card vendors. In time it will also deliver a greater rate of payment processing and cost savings for VocaLink. Finally, it has put VocaLink in a position to be able to offer new, innovative payment services to businesses in the UK and beyond into the eurozone to substantially improve the competitiveness of economies.

The Future for SEPA Security

The BACSTEL-IP project provides an example to eurozone countries that proves the complex nature of SEPA security is not insurmountable. Whatever authentication system is chosen for SEPA, there is no one-size-fits-all solution. The authentication technology used must match the risk profile of the transaction. When it comes to consumers and SMEs, banks should support a range of authentication methods and applications with the flexibility to add on new services.

Despite the gradual deadlines for SEPA, complacency is not an option when it comes to security. Banks must begin to address this challenge now if they are to successfully and securely engage all potential users with the SEPA instruments.