How are cashless transactions safe?

Office for Technology Assessment at the German Bundestag

Information on awarding expert opinions

Data protection and security of cashless payment methods

Appraisers wanted in the context of the TA project "World without cash - changes in classic banking and payment systems"

In Germany, too, the use of cash is tending to decrease slightly but continuously, and at the same time the share of debit and credit card payments in total transactions is increasing. Mobile payment (via smartphones, tablets or smartwatches) is still almost in its infancy in Germany, but this new payment method is already being used by 25 to 30% of German citizens.

The trend towards more intensive use of cashless means of payment makes the question of their security and of data protection when using them more and more relevant. Against this background, an expert opinion should deal with the essential aspects to provide a technical foundation for the TA project.

Thematic background

Germany is often referred to as the »cash country«, and in 2018 the Internet portal Bloomberg even spoke of a continuing cash »obsession«. In 2017, 74% of transactions were still processed in cash. In fact, the Europe-wide comparison shows that the use of cash in Germany is still above average. The reason for this is that security and privacy are the dominant motives when choosing a means of payment in Germany. Compared to other means of payment (e.g. debit cards, credit cards and Internet payment methods), cash in particular is credited with preserving privacy. Alongside the debit card, which is rated even better in terms of the risk of financial loss, cash is a comparatively safe means of payment. Nevertheless, the use of cash tends to decrease slightly, but continuously, in Germany as well. Currently, the proportion of transactions in cash is decreasing by 1 to 2% annually for all age groups. Meanwhile, the share of debit and credit card payments in total transactions is increasing. In e-commerce, where cash only plays a negligible role anyway (cash on delivery), 58% of sales are already paid using Internet payment methods. Although mobile payment (via smartphones, tablets or smartwatches) is still in its infancy in Germany, this new payment option is already being used by 25 to 30% of citizens. The trend towards more intensive use of cashless means of payment brings the question of their security and of data protection when using them increasingly to the fore.

Description of services for the report

An up-to-date, criteria-based and systematic analysis of the security and data protection aspects of cashless payment methods is to be developed. For this purpose, the relevant published literature (specialist journals, conference proceedings, gray literature) as well as other relevant sources, such as the general terms and conditions of payment initiation services, must be evaluated. The findings of the literature analysis should, where appropriate, be updated, supplemented or validated, e.g. through expert interviews. Debit and credit cards, Internet payment methods, applications for mobile payment and cryptocurrencies must be taken into account in the report. Since the level of data protection and security can differ depending on the provider of cashless payment methods, in addition to a general overview of all the categories mentioned above, an in-depth presentation of up to two examples from the categories of Internet payment methods, applications for mobile payment and cryptocurrencies should be developed; these can be specified in consultation with the TAB. Justified suggestions for an in-depth elaboration on individual cashless payment methods in the aforementioned categories should already be presented in the offer.

With regard to data protection, the following questions in particular should be answered: Which data is recorded, stored and processed by whom in the context of the cashless payment transaction? Which data is shared with third parties, and which legal framework conditions apply to this (for example, is the European General Data Protection Regulation always applicable)? With regard to security, the main question is how high the probability of misuse of cashless payment methods actually is (in practice, as opposed to under laboratory conditions), which could be caused by fraudulent procedures such as theft of card data, skimming, phishing and data read-out. It is expected that, when assessing the security level of cashless payment methods, technical standards and innovations (e.g. EMV chips for debit and credit cards) as well as regulatory ones (e.g. two-factor authentication under the new EU Payment Services Directive PSD2) will be taken into account. Of particular interest are the areas in which there are still statutory loopholes in regulation that could prevent a high level of security and data protection in cashless payment methods. The questions listed above show the main focus of the report. Additions, adaptations or concretizations of the aspects of the investigation are possible and should, if necessary, be coordinated with the TAB when preparing the offer.

The reimbursable processing effort for the preparation of the report is estimated at around 3 to 4 person-months.

Dates

  • The deadline for an offer is 30.03.2020.
  • Work on the report is expected to start on 01.06.2020.
  • The report must be submitted by 30.09.2020.

Expert opinions are awarded and prepared on the dates mentioned subject to the timely approval of funds by the German Bundestag.

Notes on preparing and submitting offers

The »Notes for experts« must be observed when preparing the offers. In particular, the competence of the provider must be evident from the offers, and the intended procedure and the necessary processing effort must be made clear.

First send us an electronic version of your offer together with the form (see also Notes for reviewers) to our email address [email protected]. In our experience, the incoming offers usually have to be revised in terms of content, form and calculation. Should we shortlist your offer after we have checked it and propose it to the German Bundestag for award, we will ask you to modify it accordingly and then to send a signed offer to the TAB (Neue Schönhauser Straße 10, 10178 Berlin).