TECHNICAL AND ORGANISATIONAL COUNTERMEASURES
Technical and organisational countermeasures

Various technical and organisational safeguards have been spearheaded by financial institutions and online merchants. As such, they mainly aim to secure the payment procedure.

Apart from the large-scale implementation of SSL, and in order to reduce the circulation of card numbers during a transaction and to fight the fraudulent obtaining of credit card numbers, several mechanisms aimed at the total or partial suppression of credit card numbers from the payment procedure have been put in place.

- The virtual dynamic card: the e-credit card [e-carte bleue]. This service allows the consumer to create in real time a new credit card number for each transaction. This number remains valid for a certain time and is deactivated once it has been used. It thus prevents the reuse of the credit card number and double invoicing. In 2006, this mechanism was used in 2.5 million transactions with 130,000 new card holders, for a total of half a million users. The use of this system requires the user to first register with his bank (online or via a paper-based form). The bank then provides the user with an identifier of 8 characters and sends him a password by mail. The use of the tool also requires downloading and installing specific software on the user’s computer.

- The Sympass system: Sympass is a company created in 2001 which has developed a tool relying on the principle of double keyboards: the computer’s and the telephone’s. When buying online, the user gives the first 8 digits of his credit card and a phone number. He then immediately receives a phone call from an automated voice service asking him to key in the last 8 digits of the credit card. Sympass counted 170,000 users in 2005.

- Payment by card without any indication of the number: the ID Tronic solution. In this system it is not necessary to provide the credit card number when conducting a transaction. When registering, the user provides his payment data to the bank, which provides him with a password. When making the payment, the user provides his password or email address and receives a text message with a second password used to authenticate him.

- Use of a visual cryptogram to fight against the fraudulent obtaining of credit card numbers in off-line payments. It permits the cyber-merchant to check that the holder is physically in possession of the credit card. Storing the cryptogram is formally forbidden for security (and privacy) reasons.

- 3-D Secure system: In order to fight new fraud such as phishing, a reinforcement of the security of online payments is proposed through the 3-D Secure solution. This system integrates an additional step into the payment procedure. When the card number is sent by the merchant to the bank for authorisation, the bank requests the cardholder to authenticate to the system before sending the authorisation to the merchant. The merchant will thus not be held liable in case of identity fraud, owing to the additional check made by the bank during the payment. However, full implementation of the system faces strong opposition from both merchants and banks on economic and technical grounds.

- Finally, micro-payment instruments such as dialers, premium SMS, and electronic wallets have been proposed to consumers for payments of less than 15 euros (the threshold under which there is no legal obligation for the merchant to issue an invoice to the consumer). These payment instruments have the advantages of being quick, user-friendly and cheap, and of relatively preserving the anonymity of the buyer.
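The virtual dynamic card item above describes a number that is valid for a limited time and deactivated on first use. The following simulation, added here and not part of the deliverable or of any bank's implementation, shows why that lifecycle blocks reuse and double invoicing; the issuer class, its method names and the validity window are assumptions made for the illustration, and the 16-digit numbers are constructed, not real card numbers.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed model of a single-use virtual card number (hypothetical, not a
# real scheme): issued per transaction, time-limited, dead after first use.


@dataclass
class VirtualCard:
    number: str          # constructed 16-digit value, not a real card number
    expires_at: float    # Unix time after which the number is no longer valid
    used: bool = False   # set on the first successful authorisation


class VirtualCardIssuer:
    """Assumed issuer-side state for virtual numbers (illustration only)."""

    def __init__(self, validity_seconds: int = 600):
        self.validity = validity_seconds
        self._cards: Dict[str, VirtualCard] = {}

    def issue(self, now: Optional[float] = None) -> str:
        """Create a fresh number for one transaction."""
        now = time.time() if now is None else now
        # Random digits only; a real issuer derives numbers from its own BIN range.
        number = "".join(str(secrets.randbelow(10)) for _ in range(16))
        self._cards[number] = VirtualCard(number, now + self.validity)
        return number

    def authorise(self, number: str, now: Optional[float] = None) -> str:
        """Authorisation check: accept only a known, unexpired, unused number."""
        now = time.time() if now is None else now
        card = self._cards.get(number)
        if card is None:
            return "unknown number"
        if now > card.expires_at:
            return "expired"          # a captured number has a short shelf life
        if card.used:
            return "already used"     # blocks reuse and double invoicing
        card.used = True
        return "approved"
```

Passing an explicit `now` makes the expiry behaviour reproducible; omit it to use the wall clock.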

Credit reporting

Credit reporting in France is centralised by the French National Bank, a body which manages credit information on individuals provided by financial institutions. Several databases are maintained by this body. The Fichier national des Incidents de remboursement des Crédits aux Particuliers (FICP) includes information on significant overdue payments related to individual credits (personal loans, authorised overdrafts, leasing, and instalment buying). Measures taken in cases of excessive debt are also included. The body records only the name, place and date of birth, the name of the body which requested the record and its origin, and the presumed date of deletion.

Storage periods vary according to the procedure which led to the record. As a general rule, the information is stored for a maximum of 5 years, but it will be stored for 8 years in the case of a personal recovery procedure and for 10 years in the case of a recovery plan or if the over-indebtedness Commission formulated recommendations to that effect. If the payment is made before the end of these periods, the records are deleted.

Other databases are managed by the French National Bank on the basis of information provided by financial institutions, covering cheque bans issued after a bad cheque (Fichier central des chèques), credit card abuse, irregular cheques, stop-payment orders on cheques following loss or theft, and closed accounts.

Furthermore, the private sector has created black-lists of individuals with overdue payments. This practice is however strictly regulated by the Data Protection Act and the CNIL. According to the principle of proportionality, the CNIL has set limits on the basis of the principle of “sectorisation”. This principle implies that the generation of, and access to, databases which contain information on the debts and non-payments of a certain category of persons, e.g., tenants, should be limited to that sector of activity and its professionals. It considers that widespread access to non-payment information by controllers outside that specific sector would be a disproportionate intrusion into the private lives of individuals because of the risk of function creep. According to the CNIL, the fact that a phone bill has not been paid should not prevent anyone from being given the opportunity to rent living quarters.

In that sense, in the renting sector, the CNIL considered that providing real estate owners who were not strictly real estate professionals with information about unpaid rents was not in conformity with the obligation of security and the principle of proportionality. This doctrine has been confirmed by the State Council in a judgment of 28 July 2004.

Public awareness campaigns

Several public awareness campaigns have been launched on the basis of private initiatives. As online consultation of bank accounts and conducting online transactions have become the second most frequent activity of French Internet users, French banks have undertaken initiatives to raise Internet users' awareness of the risks involved in online banking. The Federation of French Banks, FBF [Fédération Bancaire Française], helped to sponsor a campaign to teach people how to use the Internet safely. As part of this, almost three million brochures, comics and books were distributed in bank branch offices and on bank websites. Advice was included on how to detect and avoid phishing, and on the importance of anti-virus software on computers. Banks also sent letters to their customers and posted alert messages online warning of potential dangers. The FBF regularly updates its practical guide to secure online banking. In addition, e-commerce actors have offered specific toolbars to enable users to identify secure websites.

The Forum of Rights on Internet also published several online guides and fact sheets for Internet users in order to provide them with useful tools for preventing abuses or defending themselves against such abuses. Worth mentioning, for instance, is the guide on online shopping published on 17 November 2005 and updated regularly since, which furthermore includes advice against phishing. This guide includes advice for every step of the purchase, from the selection of the online merchant to the payment process and the existing recourses in case of problems. A specific part is dedicated to C2C websites. The 2008 edition furthermore includes advice on online video games and online travel booking.

Countermeasures  fidis-wp12-del12.7-identity-crime-in-Europe.sxw  Conclusion