Oversight of payment instruments - The Banque de France's ... · ECB CONFERENCE. on E-payments in...

ECB CONFERENCEon E-payments in Europe

19 November 2002, Frankfurt

Oversight of payment instruments – The Banque de France’s approach1

EE--payments in Europepayments in Europe

Carlos MARTIN

Head of Division

Payment Systems Department

Non-cash Means of Payment Oversight Division

Banque de France

Oversight of payment instruments

The Banque de France’s approach

Verwendete Mac Distiller 5.0.x Joboptions

Dieser Report wurde automatisch mit Hilfe der Adobe Acrobat Distiller Erweiterung "Distiller Secrets v1.0.4" der IMPRESSED GmbH erstellt. Sie koennen diese Startup-Datei für die Distiller Versionen 4.0.5 und 5.0.x kostenlos unter http://www.impressed.de herunterladen. ALLGEMEIN ---------------------------------------- Dateioptionen: Kompatibilität: PDF 1.3 Für schnelle Web-Anzeige optimieren: Nein Piktogramme einbetten: Nein Seiten automatisch drehen: Nein Seiten von: 1 Seiten bis: Alle Seiten Bund: Links Auflösung: [ 2400 2400 ] dpi Papierformat: [ 595 842 ] Punkt KOMPRIMIERUNG ---------------------------------------- Farbbilder: Downsampling: Nein Komprimieren: Ja Automatische Bestimmung der Komprimierungsart: Ja JPEG-Qualität: << /VSamples [ 1 1 1 1 ] /HSamples [ 1 1 1 1 ] /Blend 1 /QFactor 0.25 /ColorTransform 1 >> Bitanzahl pro Pixel: Wie Original Bit Graustufenbilder: Downsampling: Nein Komprimieren: Ja Automatische Bestimmung der Komprimierungsart: Ja JPEG-Qualität: << /VSamples [ 1 1 1 1 ] /HSamples [ 1 1 1 1 ] /Blend 1 /QFactor 0.25 /ColorTransform 1 >> Bitanzahl pro Pixel: Wie Original Bit Schwarzweiß-Bilder: Downsampling: Nein Komprimieren: Ja Komprimierungsart: CCITT CCITT-Gruppe: 4 Graustufen glätten: Nein Text und Vektorgrafiken komprimieren: Ja SCHRIFTEN ---------------------------------------- Alle Schriften einbetten: Ja Untergruppen aller eingebetteten Schriften: Nein Wenn Einbetten fehlschlägt: Warnen und weiter Einbetten: Immer einbetten: [ ] Nie einbetten: [ ] FARBE(N) ---------------------------------------- Farbmanagement: Farbumrechnungsmethode: Farbe nicht ändern Methode: Standard Geräteabhängige Daten: Einstellungen für Überdrucken beibehalten: Ja Unterfarbreduktion und Schwarzaufbau beibehalten: Ja Transferfunktionen: Anwenden Rastereinstellungen beibehalten: Ja ERWEITERT ---------------------------------------- Optionen: Prolog/Epilog verwenden: Nein PostScript-Datei darf Einstellungen überschreiben: Nein Level 2 copypage-Semantik beibehalten: Ja Portable Job Ticket in PDF-Datei speichern: Nein Illustrator-Überdruckmodus: Ja Farbverläufe zu weichen Nuancen konvertieren: Ja ASCII-Format: Nein Document Structuring Conventions (DSC): DSC-Kommentare verarbeiten: Nein ANDERE ---------------------------------------- Distiller-Kern Version: 5000 ZIP-Komprimierung verwenden: Ja Optimierungen deaktivieren: Nein Bildspeicher: 524288 Byte Farbbilder glätten: Nein Graustufenbilder glätten: Nein Bilder (< 257 Farben) in indizierten Farbraum konvertieren: Ja sRGB ICC-Profil: sRGB IEC61966-2.1 ENDE DES REPORTS ---------------------------------------- IMPRESSED GmbH Bahrenfelder Chaussee 49 22761 Hamburg, Germany Tel. +49 40 897189-0 Fax +49 40 897189-71 Email: [email protected] Web: www.impressed.de

Adobe Acrobat Distiller 5.0.x Joboption Datei

<< /ColorSettingsFile () /LockDistillerParams true /DetectBlends true /DoThumbnails false /AntiAliasMonoImages false /MonoImageDownsampleType /Average /GrayImageDownsampleType /Average /MaxSubsetPct 100 /MonoImageFilter /CCITTFaxEncode /ColorImageDownsampleThreshold 1.5 /GrayImageFilter /DCTEncode /ColorConversionStrategy /LeaveColorUnchanged /CalGrayProfile (Gray Gamma 2.2) /ColorImageResolution 72 /UsePrologue false /MonoImageResolution 300 /ColorImageDepth -1 /sRGBProfile (sRGB IEC61966-2.1) /PreserveOverprintSettings true /CompatibilityLevel 1.3 /UCRandBGInfo /Preserve /EmitDSCWarnings false /CreateJobTicket false /DownsampleMonoImages false /DownsampleColorImages false /MonoImageDict << /K -1 >> /ColorImageDownsampleType /Average /GrayImageDict << /HSamples [ 2 1 1 2 ] /VSamples [ 2 1 1 2 ] /Blend 1 /QFactor 0.9 >> /CalCMYKProfile (U.S. Web Coated (SWOP) v2) /ParseDSCComments false /PreserveEPSInfo false /MonoImageDepth -1 /AutoFilterGrayImages true /SubsetFonts false /GrayACSImageDict << /VSamples [ 1 1 1 1 ] /HSamples [ 1 1 1 1 ] /Blend 1 /QFactor 0.25 /ColorTransform 1 >> /ColorImageFilter /DCTEncode /AutoRotatePages /None /PreserveCopyPage true /EncodeMonoImages true /ASCII85EncodePages false /PreserveOPIComments false /NeverEmbed [ ] /ColorImageDict << /HSamples [ 2 1 1 2 ] /VSamples [ 2 1 1 2 ] /Blend 1 /QFactor 0.9 >> /AntiAliasGrayImages false /GrayImageDepth -1 /CannotEmbedFontPolicy /Warning /EndPage -1 /TransferFunctionInfo /Apply /CalRGBProfile (sRGB IEC61966-2.1) /EncodeColorImages true /EncodeGrayImages true /ColorACSImageDict << /VSamples [ 1 1 1 1 ] /HSamples [ 1 1 1 1 ] /Blend 1 /QFactor 0.25 /ColorTransform 1 >> /Optimize false /ParseDSCCommentsForDocInfo false /GrayImageDownsampleThreshold 1.5 /MonoImageDownsampleThreshold 1.5 /AutoPositionEPSFiles false /GrayImageResolution 72 /AutoFilterColorImages true /AlwaysEmbed [ ] /ImageMemory 524288 /OPM 1 /DefaultRenderingIntent /Default /EmbedAllFonts true /Start /DownsampleGrayImages false /AntiAliasColorImages false /ConvertImagesToIndexed true /PreserveHalftoneInfo true /CompressPages true /Binding /Left >> setdistillerparams << /PageSize [ 595.276 841.890 ] /HWResolution [ 2400 2400 ] >> setpagedevice




AgendaAgenda

Oversight Role

– Rationale

– Modus Operandi

Means of payment in France

Examples

Oversight role : rationale Oversight role : rationale

Maintaining public confidence in payment

instruments and at the end in currency

Role of payment instruments in the safe and

efficient functioning of payment systems

Statutory responsibility

– The “Everyday Security” Act

» Article L141-4 of Financial and Monetary Code was amended as

follow : « The Banque de France shall ensure the security of means of

payment, as defined in Article L311-3, ... and the suitability of the

relevant standards »

– The Banque de France is responsible for the security of means

of Payment




Oversight role : modus operandiOversight role : modus operandi

Principles

Transparency

Level playing field

Co-operation with the issuer

Coordination with Central Banks of the Eurosystem

Oversight role : modus operandiOversight role : modus operandi

Methodology

Analysis the threats

Definition of security standards

Monitoring of compliance

Enforcement




Means of payment in FranceMeans of payment in France

Scope

– Cheques

– Bills of exchange

– Credits transfers

– Directs debits

– Card payments (CB, Amex, …)

– Electronic purse

– Internet payment (On line communication of card number,

virtual card number, P2P, virtual purse, …)

– Mobile payment (Vocal kiosks, SMS, mobile PKI and

electronic signature initiatives, …)

Means of payment in FranceMeans of payment in France

Truncated cheques

Credit Transfers

Cards transactions (payments + ATM withdrawals)

Others

Bills of exchange

Direct Debits

Figures for September 2002

385 million euros

Credit transfers

33%Bills of exchange

10%Direct debit

7%

Others

3%

Cards transactions

4%

Truncated cheques

43%

886 million operations

Others

1%Direct debit

13%

Bills of exchange

1%

Debit transfers

15%

Truncated chequ

31%Cards transactions

(payment +

withdrawals)

39%




Examples : Electronic purseExamples : Electronic purse

Electronic purse : Electronic purse : MoneoMoneo

Consumer Merchant

BankBank

SFPMEI

Payment

Monitoring Information

acquiringloading

Monitoring information

refund




Electronic purse : Evaluation ProcessElectronic purse : Evaluation Process

Principles

– Security requirements

» Use of ISO/IEC 15408 (Common Criteria)

» Drafted in a generic way (Protection Profile)

– Verification process

» For smartcard product : IT French evaluation and

certification scheme to validate the security level

» For the system : the process is under definition

Electronic purse : Evaluation ProcessElectronic purse : Evaluation Process

Current situation

– Security profiles

» e-Purse and Purchase device PPs (for pilot and roll-out)

» e-Purse system

– Security certification is part of SFPMEI licensing

program

– All the e-purse and purchase device used in the

Moneo scheme are certified (EAL4+)

– A first compliance check for the overall Moneo

scheme was done by SFPMEI before roll-out




Examples : Internet PaymentExamples : Internet Payment

Analysis conducted in the framework of the

e-Economy Initiative of the French Ministry of

Economy, Finance and Industry

Objective

– Introduce the highest possible level of technical

security economically viable

Internet Payment : Fraud Internet Payment : Fraud

Potentially high risk of fraud

– Open network, “virtual” users, high speed with which the attacks

can be propagated, ...

Major vulnerabilities

– Verification of the identity of parties involved

– Protection of customer’s personal computer

User protection et information

– Unsuitable

Disparate level of security

– Between no security (transmission card number) to high security

level (payment using smartcard technology)




Internet Payment : recommendationsInternet Payment : recommendations

Security Profiles

– For each category of payment means

– Should take into account their nature and potential uses

– Should serve as a guide for each step of the life cycle of

means of payment

– Could take different forms

– Compliance with the Common criteria standard

Security Label

– Visible and understandable by consumers

– Based on security profiles

– to be developed and awarded by trade organisations


Security verification processes

– Independent verification, recognised competence

– Review

» Questionnaires, documentation (internal reports, audits),

penetration testing

– Evaluation

» Co-operation with the French evaluation and certification scheme

» ISO/IEC 15408 (Common Criteria)





Need for a secure dialogue

Strong and mutual Authentication

» Need to avoid transmitting authentication data over the network

» Use of the “challenge response” technique

» Development of PKI : Set up of a “root” registration authority to

verify the identity for the purpose of generating an identity

certificate

Data Confidentiality

» during the transactions

» storage (server, PC, …)

Data Integrity, Replay Prevention of transactions,

Non repudiation of transactions

?


Improvement of user protection

Suitability, quality and user friendliness of

provided products (hardware or software)

Relevant information, easily accessible and

simple

Minimum security rules to comply with

» Sensitive data storage, virus protection, …




Examples : OnExamples : On--line Bankingline Banking

Definition of a protection profile for Internet

Banking in co-operation with the French

banks

A generic description of the Internet banking

system

A system approach

A dedicated assurance level

Examples : Examples : ChequesCheques

Exchange of truncated cheques

Compliance with cheques regulation

Definition of security requirements for the

cheques process in cooperation with the

French banks

Banks are in charge of the verification process

An annual evaluation report will be sent to

Banque de France




ConclusionConclusion

Role of Central Banks : support efforts to

strengthen security to maintain consumer

confidence

Oversight of payment instruments - The Banque de France's ... · ECB CONFERENCE. on E-payments in...

Documents

Transcript of Oversight of payment instruments - The Banque de France's ... · ECB CONFERENCE. on E-payments in...