
2019 | Original Paper | Book chapter

21. A Legal Perspective on the Relevance of Biometric Presentation Attack Detection (PAD) for Payment Services Under PSDII and the GDPR

Author: Els J. Kindt

Published in: Handbook of Biometric Anti-Spoofing

Publisher: Springer International Publishing


Abstract

Payment applications are turning en masse to biometric solutions to authenticate the rightful users of payment services offered electronically. This is due to the new regulatory landscape, which puts considerable emphasis on the need for enhanced security for all payment services offered via the internet or via other at-distance channels, in order to guarantee safe authentication and to reduce fraud to the maximum extent possible. The Payment Services Directive (EU) 2015/2366 (PSDII), which applies in the Member States as of 13 January 2018, introduced the concept of strong customer authentication and refers to ‘something the user is’ as an authentication element. This chapter analyses this requirement of strong customer authentication for payment services offered electronically and the role of automated biometric presentation attack detection (PAD) as a security measure. PAD measures help biometric (authentication) technology to recognize persons presenting biometric characteristics as friends or foes. We find that while PSDII remains vague about any obligation to use PAD as a specific security feature for the use of biometric characteristics for authentication, PAD re-enters the scene through the backdoor of the General Data Protection Regulation (EU) 2016/679.


Footnotes
1
See S. Clark, ‘Mastercard to add biometric security to online transactions in Europe’, 23. 1. 2018, available at https://www.nfcworld.com/technology/eu-payment-services-directive-ii-psd2/.
 
2
Several kinds of information may hereby be falsified, such as a phone number someone is calling from, a URL for setting up a fraudulent website, but also an email address to mislead about the sender, etc.
 
3
A sensor is also known as a ‘data capture subsystem’. The reason for such submission to a sensor is to be authenticated, e.g. at the border or for an electronic payment.
 
4
About Presentation Attack, see also Ch. Busch et al., ‘What is a Presentation Attack? And how do we detect it?’, 16. 1. 2018, Tel Aviv, also available at http://www.christoph-busch.de/about-talks-slides.html. About standards for analyzing the effectiveness of direct attacks, countermeasures and more robust biometrics, see also the results of Tabula Rasa, a 7th Framework research project funded by the EU Commission, at http://www.tabularasa-euproject.org and the results of the 7th Framework funded Biometrics Evaluation and Testing (BEAT) project, in particular J. Galbally, J. Fierrez, A. Merle, L. Merrien and B. Leidner, D4.6, Description of Metrics for the Evaluation of Vulnerabilities to Indirect Attacks, BEAT, 27. 2. 2013, available at https://www.beat-eu.org/project/deliverables-public/d4.6-description-of-metrics-for-the-evaluation-of-vulnerabilities-to-indirect-attacks/view.
 
5
Our analysis does not include the eIDAS Regulation to the extent relevant.
 
6
Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, O.J., 23. 12. 2015, L 337/35 (‘PSDII’).
 
7
About PSDII, see e.g. Ch. Riefa, ‘Directive 2009/110/EC on the taking up, pursuit and prudential supervision of the business of electronic money institutions and Directive 2015/2366/EU on the control of electronic payments in the EU’, in A. Lodder and A. Murray (eds.), EU Regulation of e-Commerce, Cheltenham, E. Elgar, 2017, 146–176.
 
8
These companies are not necessarily engaged in payment operations. They could, e.g. merely combine and present information of different banking accounts to customers.
 
9
For example, account information services (AIS), allowing customers and businesses to have a global view of their financial situation, for instance, by enabling consumers to consolidate the different payment accounts they may have with one or more banks in one (mobile) app. Before PSDII, these were not specifically regulated.
 
10
See recital 95 PSDII.
 
11
Art. 4 (30) PSDII. See also the definition of ‘authentication’ in PSDII: ‘“authentication” means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the user’s personalized security credentials;’ (Art. 4(29) PSDII).
 
12
The possibility to use biometric data is more prominent in the Regulatory Technical Standards (see below).
 
13
Recital 94 PSDII. About the need to respect data protection, see also e.g. Recital 89 and Recital 93 PSDII. See also below.
 
14
European Banking Authority, Final Report. Draft Regulatory Technical Standards on Strong Customer Authentication and common and secure communication under Article 98 of Directive 2015/2366 (PSD2), EBA/RTS/2017/02, 23. 2. 2017, 153 p., available at https://www.eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf (‘EBA, Final Report 2017’).
 
15
EU Commission, Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication, C(2017) 7782 final, OJ L 69, 13. 3. 2018, 23–43, available at (‘Delegated Regulation RTS’).
 
16
Delegated Regulation RTS, Recital 6.
 
17
EBA, Final Report 2017, p. 61.
 
18
About FAR and other technical aspects of biometric systems, see E. Kindt, Privacy and Data Protection Issues of Biometric Applications. A Comparative Legal Analysis, Dordrecht, Springer, 2013, 19–63 (“Kindt, Biometric Applications 2013”).
 
19
EBA, Final Report 2017, p. 61.
 
20
It was suggested that this could be done by reference to the National Institute of Standards and Technology (NIST) draft focused on measuring Strength of Function for Authenticators – Biometrics (SOFA-B). See NIST, Strength of Function for Authenticators – Biometrics (SOFA-B): Discussion Draft Open For Comments, available at https://pages.nist.gov/SOFA/.
 
21
Some respondents also invited a distinction between behavioural data in general and behavioural biometrics (such as typing recognition), arguing that the latter can very well be used. EBA, Final Report 2017, p. 61.
 
22
Ibid. p. 63.
 
23
Art. 72.1 PSDII. See further also Art. 72.2 PSDII.
 
24
The original text only required ‘a sufficiently low likelihood of an unauthorized party being authenticated as the payer’. EBA, Final Report 2017, p. 61.
 
25
Biometric data, already embedded in the EU ePassports of citizens who travel, will increasingly become an object of desire and theft for those who want to obtain identity documents or to engage in secure transactions but who are deprived of them or already under suspicion.
 
26
Delegated Regulation RTS, Recital 6.
 
27
These examples were removed from the initial text of the draft articles of the Delegated Regulation RTS and mentioned in the Recitals.
 
28
See below with regard to existing standard ISO/IEC 30107-1 and other parts adopted in 2016.
 
29
This is also referred to sometimes as biometric information protection. See also ISO standard ISO/IEC 24745:2011 on biometric information protection.
 
30
About template protection, see e.g. Kindt, Biometric Applications 2013, pp. 855–859.
 
31
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4. 5. 2016, pp. 1–88, available at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL&from=NL (‘Regulation (EU) 2016/679’ or ‘GDPR’).
 
32
Note that the GDPR also contains a new regime and a new definition (see Article 4 (14) GDPR) of biometric data. See also E. Kindt, ‘Having Yes, Using No? About the new legal regime for biometric data’, in Computer Law and Security Report, 523–538, 2018, available at http://authors.elsevier.com/sd/article/S0267364917303667.
 
33
Recital 94 PSDII. See also recital 14 Delegated Regulation RTS.
 
34
Recital 46 PSDII.
 
35
See Art. 6.1(b) GDPR.
 
36
See also Art. 66.3 (f) and (g) PSDII stating that payment initiation services ‘shall not request from the payment service user any data other than those necessary to provide the payment initiation service’ and ‘not use, access or store any data for purposes other than for the provision of the payment initiation service as explicitly requested by the payer’.
 
37
See also Article 29 Working Party, Guidelines on Consent under Regulation 2016/679 (WP259rev0.1) July, 2018.
 
38
See Art. 23 GDPR. The GDPR has a wide (material and territorial) scope, as detailed in the arts. 2–3 GDPR. It hence also applies as a general legislation for data processing activities to the payment services sector.
 
39
Control by authorities is likely to be stricter for such processing as compared to processing with relatively ‘low risk’.
 
40
See also the Article 29 Data Protection Working Party, Statement on the role of a risk-based approach in data protection legal frameworks, WP218, 30. 5. 2014, 4 p., available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp218_en.pdf. This document contains further clarification of the risk-based approach, which is not to be misunderstood.
 
41
Some data protection authorities have mentioned the risk of identity theft and misuse of biometric data before. The Belgian Privacy commission, for example, mentioned the increased risk of identity theft in case biometrics are more commonly used as an authentication tool. CBPL, Opinion N17/2008 biometric data, 45–51. See also other studies, e.g. Teletrust, White Paper zum Datenschutz, 2008, 18–19. For an overview of the many risks, see Kindt, Biometric Applications 2013, 275–395.
 
42
Art. 5.2 GDPR and art. 24.1 GDPR. The general principle is repeated in Article 24 as a specific obligation.
 
43
Art. 24.1 GDPR. This is further reflected in several more specific obligations, stressing the burden of proof on the controllers and to keep records and evidence that they adhered to their obligations (for example, that an (explicit) consent was obtained). It is also reflected in the new obligation for controllers to make an impact assessment for processing operations ‘if likely to result in high risks’.
 
44
Art. 35.1 GDPR.
 
45
See Article 29 Data Protection Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, adopted on 4. 4. 2017 and last revised and adopted on 4. 10. 2017, WP 248rev.01, 21 p. (‘WP 29 Guidelines on DPIA (WP248rev.01)’). The Article 29 Working Party will as of May 2018 be reformed into the European Data Protection Board (‘EDPB’). Some national DPAs, such as in the United Kingdom and in France, have also provided more information and guidance on a DPIA in general, and in some cases also specifically for biometric data. See, e.g. France, CNIL, Délibération n° 2016-187 of 30 June 2016 relating to the ‘unique authorization’ for access control to places, devices and computer applications in the workplace based on templates stored in a database (AU-053), 15 p., available at https://www.cnil.fr/sites/default/files/atoms/files/au-053.pdf, and Grille D’Analyse, 11 p., available at https://www.cnil.fr/fr/biometrie-un-nouveau-cadre-pour-le-controle-dacces-biometrique-sur-les-lieux-de-travail.
 
46
This interpretation is in our view also suggested in the aforementioned Guidelines on DPIA. See WP 29 Guidelines on DPIA (WP248rev.01), pp. 9–10. The example where a DPIA is required is given therein: ‘8. Innovative use or applying technological or organizational solutions, like combining the use of fingerprint and face recognition for improved physical access control, etc.’ (p. 9).
 
47
This is the second (explicit) scenario requiring a DPIA which expressly refers to the processing (a) on a large scale (b) of special categories of data of Article 9(1) or of Article 10. See Art. 35.3(b) GDPR.
 
48
Art. 35.7 GDPR and recitals 84 and 90 GDPR. For addressing various risks, see also, e.g. Kindt, E., ‘Best Practices for privacy and data protection for the processing of biometric data’ in P. Campisi (ed.), Security and Privacy in Biometrics, 2013, Springer, pp. 339–367. For more guidelines on how to conduct such DPIA, see WP 29 Guidelines on DPIA (WP248rev.01).
 
49
See Recital 91 GDPR.
 
50
See ISO/IEC 29134, Information technology—Security techniques—Privacy impact assessment—Guidelines, International Organization for Standardization (ISO).
 
51
These views could be sought through a variety of means. See WP 29 Guidelines on DPIA (WP248rev.01), p. 13.
 
52
Recital 84 GDPR. See Art. 36 GDPR.
 
53
WP 29 Guidelines on DPIA (WP248rev.01), p. 18.
 
54
See also EDPS, Opinion of 1. 2. 2011 on a research project funded by the European Union under the 7th Framework Programme (FP 7) for Research and Technology Development (Turbine: TrUsted Revocable Biometric IdeNtitiEs), p. 3, available at http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-02-01_FP7_EN.pdf; Kindt, Biometric Applications 2013, pp. 792–805. Recital 6 RTS (see above) may even require such protection.
 
55
Art. 32.1(a) and (d) GDPR.
 
56
See e.g. P. Counter, ‘Unisys Says Biometrics Will Go Mainstream in 2018’ in MobileIDWorld, 22. 1. 2018, available at https://mobileidworld.com/unisys-says-biometrics-mainstream-2018-901224/.
 
57
Art. 98.2 PSDII.
 
58
See Art. 98.5 PSDII which requires the EBA to review and update the RTS on a regular basis.
 
59
Art. 70 PSDII.
 
60
See also the general comments in the Opinion 4/2007 of the Article 29 Working Party on pseudonymous and anonymous data, which are also relevant for the processing of biometric data.
 
61
See also Kindt, Biometric Applications 2013, 792–806.
 
62
Art. 73 PSDII.
 
63
This has been reduced as compared to Directive 2007/64/EC.
 
64
Art. 74.2 PSDII.
 
65
Art. 83.4 GDPR.
 
66
Arts. 83.5–83.6 GDPR.
 
67
See art. 83 GDPR and also Rec. 150. Supervisory authorities must assess all the facts of the case in a manner that is consistent and objectively justified. About how such sanctions shall be applied, see also Article 29 Data Protection Working Party, Guidelines on the application and setting of administrative fines for the purposes of the Regulation 2016/679, WP253, 3. 10. 2017, 17 p.
 
68
See art. 82 GDPR.
 
69
Art. 82.3 GDPR.
 
Metadata
Title
A Legal Perspective on the Relevance of Biometric Presentation Attack Detection (PAD) for Payment Services Under PSDII and the GDPR
Author
Els J. Kindt
Copyright year
2019
DOI
https://doi.org/10.1007/978-3-319-92627-8_21
