The European Banking Authority’s (EBA) first tranche of “Security of Internet Payment Guidelines” became effective on 1 August 2015. Following the EBA’s consultation published in October 2014, the EBA decided that, due to the continually high levels of fraud related to payments made over the Internet, it would not wait to implement all of its security guidelines until PSD2 was transposed. (For further details on the key security proposals under PSD2 – click here).
What is the status of the EBA Internet Payment Security Guidelines?
The EBA Internet Payment Security Guidelines are now effective and are issued pursuant to Article 16 of the EBA Regulation. This basically means that while the guidelines themselves do not have the force of law, competent authorities and financial institutions of the 28 Member States must make every effort to comply with the guidelines.
The implementation details across the EU can be accessed here. Of particular interest is the U.K.’s FCA notification that it will not comply. This is on the basis that it:
does not have the power without legislative change to make binding rules requiring all payment service providers (credit institutions, payment institutions and e-money institutions) to comply with the EBA Guidelines.
Certain other jurisdictions will also not comply (or only partially comply) leaving yet again a less than harmonious set of EU wide payment rules.
Which Payment Service Providers are targeted?
It’s a wide net and it’s not just regulated PSPs that will be impacted. As stated in the guidelines, the EBA Internet Payment Security Guidelines “apply to the provision of payment services offered through the internet by PSPs as defined in Article 1 of the PSD”. This includes banks and e-money institutions, as well as payment institutions that offer internet payment services.
However, even non-regulated entities may still be required to comply with certain parts of the new rules by way of contractual obligation. The guidelines require PSPs to include provisions relating to the new rules in their applicable outsourcing agreements. Additionally, there are specific rules aimed at acquirers, requiring them to have their e-merchants implement some of the security measures.
Are all internet payments within scope?
No. The EBA Payment Security Guidelines focus on the following internet payment services:
- Cards: the execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in ‘wallet solutions’,
- Credit Transfers: the execution of credit transfers (CTs) on the internet,
- E-mandates: the issuance and amendment of direct debit electronic mandates, and
- E-money: transfers of electronic money between two e-money accounts via the internet.
There are certain express exclusions set out in the guidelines, and these include (among others): certain e-brokerage services, payments where instructions are given by SMS, non-browser-based mobile payments and a limited category of anonymous and non-rechargeable pre-paid cards.
The EBA Internet Payment Security Guidelines are categorised under 3 main themes: “General Control and Security Environment”; “Specific Control and Security Measures for Internet Payments” and “Customer Awareness, Education and Communication”. A high level and non-exhaustive summary of the components of these topics is set out below.
Many of the requirements under the guidelines will be familiar, as they have already been implemented by existing PSPs. The guidelines also, in certain respects, repeat many of the existing compliance obligations of PSPs found under AML laws and the PSD. The guidelines also set out some best practice recommendations.
However, one of the key areas of compliance for some PSPs will be the introduction and use of “strong customer authentication” (or, as it is more generally known, “2 Factor Authentication” or “2FA”). The guidelines define this concept (with my minor modifications for clarity):
Strong customer authentication is, for the purpose of these guidelines, a procedure based on the use of two or more of the following elements – categorised as:
Knowledge – something only the user knows, e.g. static password, code, personal identification number;
Ownership – something only the user possesses, e.g. token, smart card, mobile phone;
Inherence – something the user is, e.g. biometric characteristic, such as a fingerprint.
In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s).
At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet.
The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.
General Control and Security Environment
PSPs should implement a formal documented security policy containing clear lines of responsibility and reporting.
PSPs should also carry out documented risk assessments with regard to the security of internet payments and their related services before the service is launched and thereafter. Any assessment of risks should address the need to protect and secure sensitive payment data. PSPs should also conduct a review of risk scenarios.
Incident monitoring and reporting
Procedures are to be implemented for reporting security incidents to management, regulators and law enforcement authorities.
Risk control and mitigation
PSPs should implement “Defence in Depth” layers of security defences so that if one layer of security does not work, the threat should be caught by another. Other risk control and mitigation measures include: the implementation of security solutions, access restrictions, data minimisation, effective change management processes and audit procedures.
Processes are required to be put in place to ensure that all transactions and e-mandates are properly traced.
Specific Control and Security Measures for Internet Payments
Initial customer identification, information
Customer KYC should be carried out and customers should confirm their willingness to make internet payments before being granted access. There are also other customer information requirements which mirror many of those already required by the PSD.
Strong customer authentication
As a general rule, initiation of internet payments, as well as access to sensitive payment data, should be protected by strong customer authentication. There are some carve-outs for specific use cases, such as wallet solutions that may employ alternative authentication measures for pre-identified low value payments.
Enrolment for, and provision of, authentication tools and/or software delivered to the customer
When a customer on-boards and is provided with their authentication credentials, this should be done in a secure environment.
Log in attempts, session time out, validity of authentication
As stated in Guideline 9:
PSPs should limit the number of log-in or authentication attempts, define rules for internet payment services session ‘time out’ and set limits for the validity of authentication.
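As an added illustration (not code from the guidelines or from any PSP), the following Python sketch enforces the three controls named in Guideline 9: a cap on failed log-in attempts with a lockout, a session idle time-out, and a validity window after which a customer must re-authenticate. The threshold values and the `verify` callback are assumptions for the example; a PSP would set them from its own risk assessment.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed policy values for illustration only; not values from the guidelines.
MAX_ATTEMPTS = 5              # failed log-in attempts before the account is locked
LOCKOUT_SECONDS = 900         # how long the lockout lasts
SESSION_IDLE_SECONDS = 300    # session 'time out' after inactivity
AUTH_VALIDITY_SECONDS = 1800  # strong authentication is valid this long, then re-authentication is required

@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0
    authenticated_at: Optional[float] = None  # when strong customer authentication last succeeded
    last_activity: Optional[float] = None

class LoginPolicy:
    """Enforces attempt limits, session time-out and authentication validity (Guideline 9)."""
    def __init__(self, verify: Callable[[str, str], bool], clock: Callable[[], float] = time.time):
        self._verify = verify   # hypothetical credential/2FA verifier supplied by the caller
        self._clock = clock     # injectable clock so the behaviour can be tested deterministically
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def login(self, user: str, credential: str) -> str:
        st, now = self._state(user), self._clock()
        if now < st.locked_until:
            return "locked"  # refused until the lockout expires, even with a correct credential
        if not self._verify(user, credential):
            st.failed_attempts += 1
            if st.failed_attempts >= MAX_ATTEMPTS:
                st.locked_until, st.failed_attempts = now + LOCKOUT_SECONDS, 0
                return "locked"
            return "denied"
        st.failed_attempts = 0
        st.authenticated_at = st.last_activity = now
        return "ok"

    def authorise(self, user: str) -> str:
        """Called on each request; returns 'ok' or the reason access is refused."""
        st, now = self._state(user), self._clock()
        if st.authenticated_at is None:
            return "unauthenticated"
        if now - st.last_activity > SESSION_IDLE_SECONDS:
            st.authenticated_at = None  # session timed out; the customer must log in again
            return "session_timeout"
        if now - st.authenticated_at > AUTH_VALIDITY_SECONDS:
            st.authenticated_at = None  # authentication too old; strong re-authentication required
            return "reauthenticate"
        st.last_activity = now
        return "ok"
```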
Transaction monitoring solutions are required to be implemented to prevent, detect and block fraudulent payment transactions.
Protection of sensitive data
Such data should be protected when stored, processed or transmitted.
Customer Awareness, Education and Communication
Customer education and communication
Among many other requirements, PSPs are required to provide at least one secure channel for ongoing communication with customers regarding the correct and secure use of the internet payment service.
Notification, setting of limits
PSPs should put in place limits, such as a limit on the amount of an individual payment or on the aggregate amount over a certain timeframe.
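As an added example (not from the guidelines or any PSP), this Python snippet applies both kinds of limit just described: a per-payment cap and a rolling-window aggregate cap. Amounts are in integer minor units (cents) and the limit values and window are constructed assumptions.

```python
from collections import deque
from typing import Deque, Dict, Tuple

# Constructed illustrative limits; a PSP would set these per customer or product.
PER_PAYMENT_LIMIT = 50_000   # maximum single internet payment, in cents (500.00)
AGGREGATE_LIMIT = 200_000    # maximum total accepted within the rolling window (2,000.00)
WINDOW_SECONDS = 24 * 3600   # the "certain timeframe" over which the aggregate is measured

class PaymentLimits:
    """Rejects a payment that exceeds the per-payment cap or the rolling aggregate cap."""
    def __init__(self) -> None:
        # per-customer history of (timestamp, amount) for payments accepted inside the window
        self._history: Dict[str, Deque[Tuple[float, int]]] = {}

    def _prune(self, customer: str, now: float) -> Deque[Tuple[float, int]]:
        hist = self._history.setdefault(customer, deque())
        while hist and now - hist[0][0] > WINDOW_SECONDS:
            hist.popleft()  # drop payments that have aged out of the window
        return hist

    def aggregate(self, customer: str, now: float) -> int:
        """Total of accepted payments still inside the window."""
        return sum(amount for _, amount in self._prune(customer, now))

    def check(self, customer: str, amount: int, now: float) -> str:
        if amount <= 0:
            return "invalid_amount"
        if amount > PER_PAYMENT_LIMIT:
            return "per_payment_limit"
        hist = self._prune(customer, now)
        if sum(a for _, a in hist) + amount > AGGREGATE_LIMIT:
            return "aggregate_limit"
        hist.append((now, amount))  # only accepted payments count towards the aggregate
        return "ok"
```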
Customer access to information on the status of payment initiation and execution
Similar to the requirements which presently exist under the PSD, PSPs should confirm with their customers when a payment has been initiated and also provide them with the means to confirm that a payment has been properly executed.
Note: the above is a high level summary and review of certain potential issues and features of the guidelines and is not to be relied upon in any definitive manner nor as legal and/or regulatory advice.