November 20, 2013 - The European Central Bank has set out draft recommendations on mobile payments security, covering everything from customer authentication to data protection.
The 14 recommendations cover all payments in which mobiles are used to initiate a transaction, whether they are contactless, app-based or through mobile network operators' channels.
On the thorny issue of authentication, the draft says that all mobile payment service providers should protect transactions through strong (at least two-factor) authentication.
However, this is not set in stone: the draft raises the possibility of allowing less stringent measures for low-value payments and low-risk transactions, such as those within the same payment service provider.
The ECB says that this would create a difference in security requirements compared with those for card-present payments, "which may be difficult to justify", but it is now asking industry participants to chip in with their opinions.
Among the other draft recommendations are a limit on the number of incorrect log-in attempts a user gets, strong transaction monitoring mechanisms to spot fraud, data protection rules, and a requirement to log all transactions with an audit trail.
Interested parties now have until the end of January to comment before final recommendations are made, which should be implemented by European mobile payment service providers by February 2017.