The Payment Services Directive is being revised and the European Commission is consulting on its successor, PSD2. Part of the focus of the revisions will be mobile payment services with the ultimate goal of addressing the peculiar security issues associated with mobile payments.
Although mobile payment is extremely user-friendly and has limited costs for consumers, the issue of security in payments made through mobile phones remains a sensitive one. This concern has recently been expressed by EU representatives who pointed out some flaws in the revision draft of the PSD.
In France the regulatory regime does not differentiate between mobile payment and other payment platforms and says that if they want to process payments, telecoms firms need to be licensed as a payment services provider and meet the same compliance burdens as any other company.
This is despite the fact that telecoms firms already have billing and credit systems in place and so are well suited to implement stringent security requirements.
The result is that m-payment is still governed by the same set of rules as e-payment, which is mostly done by card. This means that where m-payments are concerned there must be a telecoms operator and a payment service provider. This has resulted in higher costs for consumers and has created barriers to market entry for new providers of payment services such as telecoms operators.
The European Commission recognised, in a 2012 paper, that a thriving mobile payment market has been hindered by a complex and hard-to-read regulatory framework. It wants more competition for payment services, and the opportunities for telecoms operators are clear.
PSD2 will include provision for online banking based payment initiation services, which presents telecoms companies with an ideal opportunity. These services are offered by institutions or service providers which are not entrusted with the payer's or payee's funds but nonetheless take part in the payment process. They would be regulated through the PSD2 and would need a license to provide their services and would specifically be subject to reinforced security requirements.
Although the draft PSD2 does not specify this, this is an area well suited to telecoms operators. They would have a direct role in the transaction, thus increasing their profits on payment transactions, and that role would be a way to balance the investment they already have to make in customer security.
PSD2 imposes, as you would expect, stringent security standards on any payments processor. Companies will have to comply with the Network and Information Security Directive (NISD) requirements on data security; implement strong security mechanisms where cards are not present; be able to prove to authorities that security measures are in place; and report any data leak or unauthorised access to the authorities.
PSD2's security measures are under scrutiny, though. The European Data Protection Supervisor's office has said that data protection measures in the draft directive are inadequate, while the European Central Bank has said that both data protection measures and information security measures are not good enough. It has proposed the creation of a single standard interface between payment processors and banks and consumers.
The European Parliament is due to vote on the draft PSD2 on 2 April. Though details of the directive may change, its progress should be watched closely by telecoms operators because this regulatory framework might finally provide them with the payment processing opportunities that they have wanted for a long time.
Diane Mullenex and Guillaume Bellmont are Paris-based technology and telecoms experts at Pinsent Masons, the law firm behind Out-Law.com