Abstract
Kasiyanto discusses how the security issues of m-payments and Bitcoin, as new forms of innovative payments, challenge the existing EU regulatory frameworks, and whether the proposed regulatory frameworks suffice to address those challenges. The frameworks Kasiyanto discusses are mainly the EU Payment Services Directive and the proposed changes to that directive; to some extent the chapter also touches upon the proposed directive on network and information security. First, the security issues of both systems are scrutinised to highlight their vulnerabilities. Second, the existing regulatory frameworks are assessed as to whether they suffice to address the challenges brought by those vulnerabilities. Last, a final assessment is conducted to determine whether the proposed changes to the frameworks are adequate to address such challenges.
Notes
1. Innovative payments are part of electronic payments which, according to Moody’s analysis, contribute an increase in GDP of 0.8 % for developing countries and 0.3 % for developed countries. See Moody’s Analytics: The Impact of Electronic Payments on Economic Growth (2013). https://usa.visa.com/dam/VCOM/download/corporate/media/moodys-economy-white-paper-feb-2013.pdf.
2. See for instance Key Pousttchi and Dietmar G. Wiedemann, “What Influences Consumers’ Intention to Use Mobile Payments”, Mobile Communications Working Group, University of Augsburg (2007). http://www.marshall.usc.edu/assets/025/7534.pdf.
3. Changsu Kim, Wang Tao, Namchul Shin, and Ki-Soo Kim, “An empirical study of customers’ perceptions of security and trust in e-payment systems”, Electronic Commerce Research and Applications 9, no. 1 (2010): 84–95.
4. See for instance Visa Europe Risk Management, “Secure Mobile Payment Systems, Recommendations for Building, Managing and Deploying”, Visa Europe (2014). http://www.tuxedomoneysolutions.com/insights/research/2014/07/secure-mobile-payments/.
5. See International Finance Corporation (IFC), “Mobile Money Study: Summary Report”, 2011, Washington DC.
6. Visa Europe Risk Management, “Secure Mobile Payment Systems”, 5.
7. In this context, the Payment Services Directive (PSD): OJ L 319/1, 5 December 2007.
8. Proposal for the revision of the Payment Services Directive (proposal for the PSD2), 24 July 2013, COM (2013) 547 final.
9. Catherine Linck, Key Pousttchi, and Dietmar Georg Wiedemann, “Security Issues in Mobile Payment from the Customer Viewpoint” (2006). https://mpra.ub.uni-muenchen.de/2923/1/.
10. For this, the World Bank provides an excellent elaboration. See Pierre-Laurent Chatain, “Integrity in Mobile Phone Financial Services, Measures for Mitigating Risks from Money Laundering and Terrorist Financing”, The World Bank Working Paper No. 146, Washington DC (2008).
11. See for instance Amir Herzberg, “Payments and Banking with Mobile Personal Devices”, Communications of the ACM 46, no. 5 (2003): 53–58.
12. Niina Mallat, “Exploring Consumer Adoption of Mobile Payments – A Qualitative Study”, Journal of Strategic Information Systems 16 (2007): 413–432.
13. Safari Kasiyanto, “Moving Forward, Bringing Bitcoin into the Mainstream” (Forthcoming).
14. European Payment Council. Summer Reading: Results of Latest EPC Poll Reveal that Instant Payments are Most Likely Trigger the Next Wave of Innovation (blog). 7 August 2015.
15. OJ L 319/1, 5 December 2007.
16. European Central Bank. “Recommendations for the Security of Mobile Payments, Draft Document for Public Consultations” (2013). https://www.ecb.europa.eu/paym/cons/pdf/131120/recommendationsforthesecurityofmobilepaymentsdraftpc201311en.pdf?7f9004f1cbbec932447c1db2c84fc4e9.
17. Under the same group as internet payments.
18. See European Payments Council. “Overview Mobile Payments Initiatives.” EPC091-14. Version 2.0. 2014.
19. On the one hand, a mobile phone has functions for communication; on the other hand, it serves as a payment device to initiate transactions. See for instance Information Systems Audit and Control Association (ISACA). “Mobile Payments: Risk, Security and Assurance Issues.” An ISACA Emerging Technology White Paper. November 2011. http://www.isaca.org/groups/professional-english/pci-compliance/groupdocuments/mobilepaymentswp.pdf.
20. As highlighted by the ECB, Recommendations for Mobile Payments.
21. See for instance Vanessa Pegueros. “Security of Mobile Banking and Payments.” SANS Institute InfoSec Reading Room (2012). https://www.sans.org/reading-room/whitepapers/ecommerce/security-mobile-banking-payments-34062.
22. Ibid, 12–14.
23. Consumerreports.org. “3.1 Million Smart Phones Were Stolen In 2013, Nearly Double the Year Before.” http://pressroom.consumerreports.org/pressroom/2014/04/my-entry-1.html. 17 April 2014.
24. See https://www.lookout.com/. Last accessed on 29 November 2015.
25. See Lookout, Inc. “Phone Theft in America.” https://www.lookout.com/resources/reports/phone-theft-in-america. Last accessed on 29 November 2015.
26. Edward C. Clarkson, Shwetak N. Patel, Jeffrey S. Pierce, and Gregory D. Abowd, “Exploring Continuous Pressure Input for Mobile Phones” (2006). ftp://coffeetalk.cc.gatech.edu/pub/gvu/tr/2006/06-20.pdf.
27. Murugiah Souppaya and Karen Scarfone, “Guidelines for Managing the Security of Mobile Devices in the Enterprise”, NIST Special Publication 800 (2013): 124.
28. https://www.alcatel-lucent.com/about. Last accessed on 29 November 2015.
29. See Leon Spencer, “16 Million Mobile Devices Hit by Malware in 2014: Alcatel-Lucent”. Available at http://www.zdnet.com/article/16-million-mobile-devices-hit-by-malware-in-2014-alcatel-lucent/.
30. http://home.mcafee.com/advicecenter/?id=ad_ms_wimm&ctst=1. Last accessed on 29 November 2015.
31. Suhas Desai, “Mobile Payment Services: Security Risks, Trends and Countermeasures”, RSA Conference 2014, Asia Pacific & Japan (2014). http://www.rsaconference.com/events/ap14/agenda/sessions/1447/mobile-payment-services-security-risks-trends-and.
32. ECB, Recommendations for Mobile Payments, November 2013. https://www.ecb.europa.eu/paym/cons/pdf/131120/recommendationsforthesecurityofmobilepaymentsdraftpc201311en.pdf?7f9004f1cbbec932447c1db2c84fc4e9.
33. Desai, Mobile Payment Services, p. 8.
34. See Ibid, 21.
35. Rob Wile, “One of Bitcoin’s Strongest Backers Reveals the Two Big Reasons Why It’s Still Not Mainstream.” 20 July 2014. http://www.businessinsider.com/fred-wilson-on-bitcoin-2014-7?IR=T.
36. Ibid.
37. Kasiyanto, Moving Forward.
38. Jeff Desjardins, “How Secure are Bitcoins?”, Visual Capitalist. www.visualcapitalist.com/secure-bitcoins/. 13 August 2014.
39. Meni Rosenfeld, “Analysis of hash-rate-based double-spending”, latest version: 13 December 2012. https://bitcoil.co.il/Doublespend.pdf.
40. See Satoshi Nakamoto, “Bitcoin: A Peer-to-peer Electronic Cash System”, Consulted 1.2012 (2008).
41. For a good discussion of this, see for instance Emin Gun Sirer. “What Did Not Happen at Mt. Gox.” 1 March 2014. http://hackingdistributed.com/2014/03/01/what-did-not-happen-at-mtgox/.
42. https://www.khanacademy.org/economics-finance-domain/core-finance/money-and-banking/bitcoin/v/bitcoin-security-of-transaction-block-chains. Last accessed on 28 October 2015.
43. Jonas Borchgrevink, “Warning: GHash.IO is Nearing 51 % – Leave the Pool”, Crypto Coins News. 9 January 2014. https://www.cryptocoinsnews.com/warning-ghash-io-nearing-51-leave-pool/.
44. Vulnerability in UPnP library used by Bitcoin Core, 12 October 2015. https://bitcoin.org/en/alert/2015-10-12-upnp-vulnerability.
45. TALOS Vulnerability Report. “MiniUPNP Internet Gateway Device Protocol XML Parser Buffer Overflow.” TALOS-2015-0035. 15 September 2015. http://talosintel.com/reports/TALOS-2015-0035/.
46. The term “supporting system” need not be interpreted literally. It is a general term used to make the analysis easier.
47. “In every chain of reasoning, the evidence of the last conclusion can be no greater than that of the weakest link of the chain, whatever may be the strength of the rest.” Reid, Thomas. Essays on the Intellectual Powers of Man (1786), as quoted at http://www.phrases.org.uk/meanings/the-weakest-link.html.
48. Desjardins, How Secure are Bitcoins?, 13 August 2014, http://www.visualcapitalist.com/secure-bitcoins/.
49.
50. Securing your wallet, Be careful with online services. https://bitcoin.org/en/secure-your-wallet. Last accessed on 28 October 2015.
51. http://www.theguardian.com/technology/2015/aug/01/ex-boss-of-mtgox-bitcoin-exchange-arrested-in-japan-over-lost-480m. Last accessed on 30 November 2015.
52. For an insight, see Sirer, What Did Not Happen. See also https://winklevosscapital.com/what-may-have-happened-at-mt-gox/, http://www.hackingdaily.com/2014/02/mtgox-speculations.html, and https://www.reddit.com/r/Bitcoin/comments/1z8fmc/mtgox_private_key_related_coin_loss_a_explanation/. Last accessed on 30 November 2015.
53. Proposal for PSD2, paragraph 6 of the preamble, 14.
54. Here Bitcoin is treated as a payment system instrument. For a discussion of whether Bitcoin meets the characteristics and requirements of payment instruments, see Safari Kasiyanto, “Regulating Peer-to-peer Network Currency: Lessons from Napster and Payment Systems”, Journal of Law, Technology and Public Policy 1(2) (2015): 40–73.
55. Proposal for PSD2, paragraph 6 of the preamble, 14.
56. Proposal for PSD2, paragraph 7 of the preamble, 15.
57. EPC, Overview Mobile Payments Initiatives, 21, 25.
58. Converting the ‘electronic’ money back into real currency.
59. Chapter 4 of the PSD on Data Protection.
60. See Adyen, “Over 27 % of global online transactions are now on mobile devices”, 30 April 2015. Available at https://www.adyen.com/home/about-adyen/press-releases/mobile-payments-index-april-2015. Last accessed on 17 November 2015.
61. Wile, One of Bitcoin’s Strongest Backers Reveals.
62. Directive 2009/110/EC, OJ L 267/7, 10 October 2009.
63. See European Central Bank, “Virtual Currency Schemes”, 2012. In this report, the ECB eloquently elaborates the rise of virtual currencies and uses Bitcoin as one of the case studies. It concludes that the peer-to-peer crypto system falls outside the directive on e-money and the PSD.
64. This illustration is derived from that of Cameron Winklevoss. “What May Have Happened at Mt.Gox.” https://winklevosscapital.com/what-may-have-happened-at-mt-gox/. Last accessed on 30 November 2015.
65. See Ken Shirriff. “The Bitcoin malleability attack graphed hour by hour.” http://www.righto.com/2014/02/the-bitcoin-malleability-attack-hour-by.html. Last accessed on 30 November 2015.
66. ECB, Recommendations for Mobile Payments.
67. A cooperation between the relevant payment system authorities within the European Economic Area, established in 2011, whose objective is to provide a platform for sharing and understanding the security issues of electronic retail payment systems. If necessary, this forum may issue recommendations on the subject matter. See ECB. “Mandate of the European Forum on the Security of Retail Payments.” October 2014.
68. See EPC Newsletter. “EPC Comments on the Draft Recommendation for the Security of Mobile Payments Developed by the European Forum on Security of Retail Payments.” 29 April 2014.
69. Ibid.
70. See IFC, Mobile Money Report.
71. Under Directive 2009/110/EC on e-money.
72. Besides these four entities, two other entities are actually covered under the proposal, namely the central banks (the European Central Bank and the national central banks) and member states when not acting as public authorities. However, these entities are less relevant to this chapter.
73. Proposal for a directive on the subject matter: COM (2013) 48 final, 2013/0027 (COD) (7 February 2013).
74. Under article 3(1)(b) and (c) of the proposed NIS directive.
75. Under article 1(1) of the proposed NIS directive.
76. Article 14(1) of the proposed NIS directive.
77. Article 14(2) of the proposed NIS directive.
78. See Annex II of the proposed NIS directive. E-commerce platforms are explicitly mentioned as one of the service providers designated under the proposed regulation.
References
Bolt, W. (2012). Retail payment systems: Competition, innovation, and implications. De Nederlandsche Bank Working Paper No. 362, December 2012.
Borchgrevink, J. (2014). Warning: GHash.IO is nearing 51 % – Leave the pool. Crypto Coins News. Retrieved January 9, 2014, from https://www.cryptocoinsnews.com/warning-ghash-io-nearing-51-leave-pool/
Camenisch, J. L., Piveteau, J.-M., & Stadler, M. A. (1994). Security in electronic payment systems. Institute for Theoretical Computer Science, ETH Zurich. Available at http://www.ubilab.org/publications/print_versions/pdf/piv94b.pdf.
Chatain, P.-L. (2008). Integrity in mobile phone financial services, measures for mitigating risks from money laundering and terrorist financing. The World Bank Working Paper No. 146. Washington DC.
Clarkson, E. C., Patel, S. N., Pierce, J. S., & Abowd, G. D. (2006). Exploring continuous pressure input for mobile phones. Georgia Institute of Technology. Available at https://smartech.gatech.edu/bitstream/handle/1853/13138/06-20.pdf, last accessed on 28 April 2016.
Desai, S. (2014). Mobile payment services: Security risks, trends and countermeasures. RSA Conference 2014, Asia Pacific & Japan.
Desjardins, J. (2014). How secure are bitcoins? Visual Capitalist. Retrieved August 13, 2014, from www.visualcapitalist.com/secure-bitcoins/
European Central Bank. (2014). Mandate of the European Forum on the Security of Retail Payments. October 2014. Available at https://www.ecb.europa.eu/pub/pdf/other/mandateeuropeanforumsecurityretailpayments201410.en.pdf.
European Central Bank. (2013). Recommendations for the security of mobile payments, draft document for public consultations. Retrieved 2013, from https://www.ecb.europa.eu/paym/cons/pdf/131120/recommendationsforthesecurityofmobilepaymentsdraftpc201311en.pdf?7f9004f1cbbec932447c1db2c84fc4e9
European Central Bank. (2012). Virtual currency schemes. Available at https://www.ecb.europa.eu/pub/pdf/other/virtualcurrencyschemes201210en.pdf.
European Payments Council Newsletter. (2014). EPC comments on the draft recommendation for the security of mobile payments developed by the European Forum on Security of Retail Payments. April 29, 2014. Available at https://www.ecb.europa.eu/pub/pdf/other/mandateeuropeanforumsecurityretailpayments201410.en.pdf.
European Payments Council. (2014). Overview mobile payments initiatives. EPC091-14. Version 2.0. 2014.
European Commission, Directorate-General for Research and Innovation. (2013). Final report from the expert group on retail sector innovation. Retrieved October 30, 2013, from http://ec.europa.eu/research/innovation-union/pdf/Report_from_EG_on_Retail_Sector_Innovation_A4_FINAL_2.pdf
European Payment Council. (2015). Summer reading: Results of latest EPC poll reveal that instant payments are most likely trigger the next wave of innovation (blog). August 07, 2015.
Herzberg, A. (2003). Payments and banking with mobile personal devices. Communications of the ACM, 46(5), 53–58.
Information Systems Audit and Control Association (ISACA). (2011). Mobile payments: Risk, security and assurance issues. An ISACA Emerging Technology White Paper. Retrieved November 2011, from http://www.isaca.org/groups/professional-english/pci-compliance/groupdocuments/mobilepaymentswp.pdf
International Finance Corporation (IFC). (2011). Mobile money study: Summary report. Available at http://www.ifc.org/wps/wcm/connect/fad057004a052eb88b23ffdd29332b51/MobileMoneyReport-Summary.pdf?MOD=AJPERES.
Kasiyanto, S. (2016). Bitcoin’s potential for going mainstream. Journal of Payments Strategy & Systems, 10(1), 28–39. March 2016.
Kasiyanto, S. (2015). Regulating peer-to-peer network currency: Lessons from Napster and payment systems. Journal of Law, Technology and Public Policy, 1(2), 40–73.
Kim, C., Tao, W., Shin, N., & Kim, K.-S. (2010). An empirical study of customers’ perceptions of security and trust in e-payment systems. Electronic Commerce Research and Applications, 9(1), 84–95.
Linck, K., Pousttchi, K., & Wiedemann, D. G. (2006). Security issues in mobile payment from the customer viewpoint. MPRA Paper No. 2923. Available at http://mpra.ub.uni-muenchen.de/2923/.
Mallat, N. (2007). Exploring consumer adoption of mobile payments – A qualitative study. Journal of Strategic Information Systems, 16, 413–432.
Moody’s. (2013). Moody’s analytics: The impact of electronic payments on economic growth. Available at https://usa.visa.com/dam/VCOM/download/corporate/media/moodys-economy-white-paper-feb-2013.pdf.
Nakamoto, S. (2008). Bitcoin: A peer-to-peer electronic cash system. Consulted 1.2012.
Ondrus, J., & Pigneur, Y. (2009). Near field communication: An assessment for future payment systems. Information Systems and E-Business Management, 7(3), 347–361.
Payment System Directive. What it means for consumers. Available at http://ec.europa.eu/internal_market/payments/docs/framework/psd_consumers/psd_en.pdf
Payment System Directive. (2007). Commission encourages swift and coherent implementation at national level, press release IP/07/1914. Retrieved December 12, 2007, from http://europa.eu/rapid/press-release_IP-07-1914_en.htm?locale=en
Pegueros, V. (2012). Security of mobile banking and payments. SANS Institute InfoSec Reading Room. Available at https://www.sans.org/reading-room/whitepapers/ecommerce/security-mobile-banking-payments-34062.
Pousttchi, K., & Wiedemann, D. G. (2007). What influences consumers’ intention to use mobile payments. Mobile Communications Working Group, University of Augsburg. Retrieved from http://www.marshall.usc.edu/assets/025/7534.pdf
Rode, L. (2006). Database security breach notification statutes: Does placing the responsibility on the true victim increase data security? Houston Law Review, 43, 1597.
Rosenfeld, M. (2012). Analysis of hash-rate-based double-spending. Latest version: December 13, 2012. Available at https://bitcoil.co.il/Doublespend.pdf
Schmiedel, H., Kostova, G. L., & Ruttenberg, W. (2012). The social and private costs of retail payment instruments: A European perspective. ECB Occasional Paper 137.
Schoenmakers, B. (1997). Basic security of the e-cash payment system. In B. Preneel & V. Rijmen (Eds.), State of the Art in Applied Cryptography, Course on Computer Security and Industrial Cryptography, Leuven, Belgium, June 3–6, 1997, vol. 1528 of Lecture Notes in Computer Science, pp. 338–352. Springer-Verlag.
Sirer, E. G. (2014). What did not happen at Mt. Gox. March 01, 2014. Available at http://hackingdistributed.com/2014/03/01/what-did-not-happen-at-mtgox/.
Souppaya, M., & Scarfone, K. (2013). Guidelines for managing the security of mobile devices in the enterprise. NIST Special Publication 800.
Sullivan, R. J. (2014). Controlling security risk and fraud in payment systems. Federal Reserve Bank of Kansas City, Economic Review, 99(3), 47–78.
TALOS Vulnerability Report. (2015). MiniUPNP internet gateway device protocol XML parser buffer overflow. TALOS-2015-0035. Retrieved September 15, 2015, from http://talosintel.com/reports/TALOS-2015-0035/
Turban, E., & Brahm, J. (2000). Smart card-based electronic card payment systems in the transportation industry. Journal of Organizational Computing and Electronic Commerce, 10(4), 281–293.
Visa Europe Risk Management. (2014). Secure mobile payment systems, recommendations for building, managing and deploying. Visa Europe.
Winklevoss, C. What may have happened at Mt.Gox. Retrieved from https://winklevosscapital.com/what-may-have-happened-at-mt-gox/
Wile, R. (2014). One of Bitcoin’s strongest backers reveals the two big reasons why it’s still not mainstream. Retrieved July 20, 2014, from http://www.businessinsider.com/fred-wilson-on-bitcoin-2014-7?IR=T
Copyright information
© 2016 The Editor(s) (if applicable) and The Author(s)
Cite this chapter
Kasiyanto, S. (2016). Security Issues of New Innovative Payments and Their Regulatory Challenges. In: Gimigliano, G. (eds) Bitcoin and Mobile Payments . Palgrave Studies in Financial Services Technology. Palgrave Macmillan, London. https://doi.org/10.1057/978-1-137-57512-8_7
DOI: https://doi.org/10.1057/978-1-137-57512-8_7
Publisher Name: Palgrave Macmillan, London
Print ISBN: 978-1-137-57511-1
Online ISBN: 978-1-137-57512-8