PSD2 – Security Obligations

(Note: the below is a high level review of certain potential issues and is not to be relied upon in any definitive manner nor as legal and/or regulatory advice).

PSD2 has added many additional compliance obligations for the firms that fall within its scope. Perhaps the most controversial are those set out in Chapter 5 of Title IV of the Directive under the heading “Operational and security risks and authentication”.

The security obligations are new and were not reflected in PSD1. The background to their inclusion is indicated by Recital 91 of the Directive, namely:

Payment service providers are responsible for security measures. Those measures need to be proportionate to the security risks concerned. Payment service providers should establish a framework to mitigate risks and maintain effective incident management procedures. A regular reporting mechanism should be established, to ensure that payment service providers provide the competent authorities, on a regular basis, with an updated assessment of their security risks and the measures that they have taken in response to those risks. Furthermore, in order to ensure that damage to users, other payment service providers or payment systems, such as a substantial disruption of a payment system, is kept to a minimum, it is essential that payment service providers be required to report major security incidents without undue delay to the competent authorities. A coordination role by EBA should be established.

These new PSD2 security obligations can be parsed into 3 main topics, namely:

  • Management of operational and security risks
  • Authentication, and
  • Incident reporting

EmoneyAdvice.com looks at each requirement below; key excerpts of the legislative text are set out at the end of this post.

PSD2 – Management of Operational and Security Risks (EBA Guidance Applies)

While many regulated payment service providers will have policies, systems and controls to manage their operational and security risks, PSD2 solidifies the requirements backed with guidance from the EBA.

The key requirement of these provisions is the establishment and maintenance of a risk management framework. An updated and comprehensive assessment of the operational and security risks must be submitted to the PSP's competent authority at least annually (or more often where the authority so directs), together with the PSP's view on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks. This will involve a form of auditing function.

In complying with these requirements, PSPs must follow guidelines issued by the EBA, subject to the principle of “proportionality”. This means that all PSPs are required to comply with each guideline:

            “but the precise steps that they are required to take to be compliant may differ between PSPs, depending on their size, business model and complexity of their activities”.

What are the EBA Guidelines on Security Measures for Operational and Security Risks under PSD2?

Guideline 1: Governance

  • Operational and security risk management framework
  • Risk management and control models
  • Outsourcing

Guideline 2: Risk Assessment

  • Identification of functions, processes and assets
  • Classification of functions, processes and assets
  • Risk assessments of functions, processes and assets

Guideline 3: Protection

  • Data and Systems Integrity and Confidentiality
  • Physical Security
  • Access Control

Guideline 4: Detection

  • Continuous monitoring and detection

Guideline 5: Business Continuity

  • Business continuity management
  • Scenario based business continuity planning
  • Testing of Business Continuity Plans
  • Incident Management and Crisis Communication

Guideline 6: Testing of Security Measures

Guideline 7: Situational awareness and continuous learning

  • Threat landscape and situational awareness
  • Training and security awareness programs

Guideline 8: PSU Relationship Management

  • Payment service user awareness on security risks
  • PSU secure communication and reporting procedures

PSD2 – Strong Customer Authentication (EBA Regulatory Technical Standards Apply).

Perhaps the hottest topic among the new security obligations under PSD2 is the use of “Strong Customer Authentication” (referred to hereafter as “SCA”), often loosely described as “2 Factor Authentication”.

What is SCA?

Under the Directive definition, SCA means: an authentication based on the use of two or more elements categorised as:

  • knowledge (something only the user knows) – eg passwords
  • possession (something only the user possesses) – eg mobile device, and
  • inherence (something the user is) – eg biometrics,

that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.

The above are referred to as the SCA Elements.

Requirements under the EBA Regulatory Technical Standards

One Time Authentication Code / OTP: Authentication based on the SCA Elements must result in an authentication code that the PSP accepts only once.

  • Rules on the authentication code:
    • Disclosure of the auth code must reveal no information about any of the SCA Elements
    • A new auth code can't be generated from knowledge of any previously generated auth code
    • The auth code can't be forged
  • When authentication fails to generate a valid auth code:
    • The PSP must not disclose which of the SCA Elements was incorrect
    • No more than 5 consecutive failed attempts are allowed before the action is temporarily or permanently blocked
  • For online access to a payment account, the maximum time without activity by the payer after authentication must not exceed 5 minutes; after that, re-authentication is required.

For electronic remote payment transactions, whether initiated directly by the payer or via a payment initiation service provider, the PSP must apply SCA that includes elements dynamically linking the transaction to a specific:

  • amount; and
  • payee

The payer must also be made aware of the amount of the payment transaction and of the payee, and the authentication code generated must be specific to that amount and payee. Any change to either invalidates the authentication code, so a fresh authentication is needed.
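The rules above read as a specification for the server side of an authentication flow, so here is a compact illustration of them in Python. This is an added example written for this page, not code from EmoneyAdvice.com, the EBA or any payment service provider, and everything about its mechanics is an assumption: the knowledge element is a password stored as a PBKDF2 hash, the possession element is an HMAC key held on the payer's device and mirrored by the account servicing PSP, and the authentication code is an HMAC over the challenge, amount and payee. The payer names, device keys and payee string are constructed sample data. A real deployment would use a hardware-backed key, truncated codes, persistent storage and audit logging; the point here is the behaviour, not the primitives.

```python
"""Toy server-side strong customer authentication (SCA) check for a remote payment.

Added illustration for this page, not code from EmoneyAdvice.com, the EBA or
any payment service provider. Assumptions (none come from the RTS): the
knowledge element is a PBKDF2-hashed password, the possession element is an
HMAC key on the payer's device mirrored by the ASPSP, and the authentication
code is an HMAC over (challenge, amount, payee).
"""
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5          # RTS Art. 4(3)(b): at most 5 consecutive failures before blocking
INACTIVITY_LIMIT_SECONDS = 300   # RTS Art. 4(3)(d): at most 5 minutes without payer activity


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _linking_message(challenge: bytes, amount_cents: int, payee: str) -> bytes:
    # The amount and payee shown to the payer are bound into the code (dynamic linking).
    return f"{challenge.hex()}|{amount_cents}|{payee}".encode()


def client_code(device_key: bytes, challenge: bytes, amount_cents: int, payee: str) -> str:
    """What the payer's device computes after displaying amount and payee to the payer."""
    return hmac.new(device_key, _linking_message(challenge, amount_cents, payee), "sha256").hexdigest()


class Payer:
    """ASPSP-side record for one payment service user (constructed, not a real schema)."""

    def __init__(self, password: str, device_key: bytes):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _password_hash(password, self.salt)
        self.device_key = device_key
        self.failed_attempts = 0
        self.blocked = False
        self.last_activity = None   # None means no authenticated online session


class ScaServer:
    def __init__(self, payers: dict, clock=time.time):
        self.payers = payers
        self.clock = clock            # injectable so the inactivity rule can be exercised
        self.pending = {}             # challenge -> (user, amount_cents, payee) awaiting a code

    def start_transaction(self, user: str, amount_cents: int, payee: str) -> bytes:
        """Issue a fresh challenge tied to exactly this amount and payee."""
        challenge = secrets.token_bytes(16)
        self.pending[challenge] = (user, amount_cents, payee)
        return challenge

    def authenticate(self, user, challenge, amount_cents, payee, password, code) -> str:
        """Returns 'ok', 'failed' or 'blocked'; 'failed' never says which element was wrong."""
        payer = self.payers[user]
        if payer.blocked:
            return "blocked"
        # Dynamic linking: the challenge must have been issued for this exact amount and payee.
        linked = self.pending.get(challenge) == (user, amount_cents, payee)
        # Evaluate both elements unconditionally so that neither the response nor the
        # timing reveals which one failed (RTS Art. 4(3)(a)).
        knowledge_ok = hmac.compare_digest(_password_hash(password, payer.salt), payer.password_hash)
        expected = client_code(payer.device_key, challenge, amount_cents, payee)
        possession_ok = hmac.compare_digest(expected, code)
        if linked and knowledge_ok and possession_ok:
            del self.pending[challenge]          # the code is accepted only once
            payer.failed_attempts = 0
            payer.last_activity = self.clock()
            return "ok"
        payer.failed_attempts += 1
        if payer.failed_attempts >= MAX_FAILED_ATTEMPTS:
            payer.blocked = True
            return "blocked"
        return "failed"

    def session_active(self, user: str) -> bool:
        """True while the payer has an authenticated session that has not idled past the limit."""
        payer = self.payers[user]
        if payer.last_activity is None:
            return False
        if self.clock() - payer.last_activity > INACTIVITY_LIMIT_SECONDS:
            payer.last_activity = None           # idle too long: force re-authentication
            return False
        payer.last_activity = self.clock()
        return True


if __name__ == "__main__":
    # Constructed demo: one payer, a payment of 123.45 to a made-up payee identifier.
    key = secrets.token_bytes(32)
    server = ScaServer({"alice": Payer("correct horse battery", key)})
    ch = server.start_transaction("alice", 12345, "DE00EXAMPLE0000")
    code = client_code(key, ch, 12345, "DE00EXAMPLE0000")
    print(server.authenticate("alice", ch, 99999, "DE00EXAMPLE0000", "correct horse battery", code))  # failed: amount changed
    print(server.authenticate("alice", ch, 12345, "DE00EXAMPLE0000", "correct horse battery", code))  # ok
    print(server.authenticate("alice", ch, 12345, "DE00EXAMPLE0000", "correct horse battery", code))  # failed: replay
```

Three design choices carry the regulatory points. The code is computed over the challenge, amount and payee, so a payer who approved 123.45 to one payee cannot have that approval replayed for a different amount or payee, and the server additionally checks that the challenge was issued for the submitted amount and payee. Both elements are always evaluated and compared in constant time before a single generic result is returned, so a wrong password and a wrong code are indistinguishable to the caller. The attempt counter and the idle timer are the five-failures and five-minutes limits from the RTS; the counter resets only on success, which is what "consecutive" requires.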

When is it required?

While there are some exemptions available, SCA is required to be applied in a general sense when a payment service user either directly (or indirectly via an account information service provider):

  • accesses its payment account online
  • initiates an electronic payment transaction, or
  • carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

Rights of TPPs

Account servicing payment service providers must allow TPPs (ie payment initiation service providers and account information service providers) the ability to rely on the authentication procedures provided by account servicing payment service providers.

Exemptions

Under the RTS, SCA need not be applied, subject to strict conditions, in the following scenarios:

  1. Only accessing payment account information (balance and recent transactions)
  2. Contactless payments at point of sale for low value amounts (€50 per transaction, with a cumulative cap of €150 or five consecutive transactions since the last application of SCA)
  3. Unattended payment terminals for the purpose of paying a transport fare or parking fee
  4. Trusted beneficiaries and recurring transactions
  5. Payments to self (transfers between accounts held by the same person)
  6. Low value remote transactions (€30 per transaction, with a cumulative cap of €100 or five transactions since the last application of SCA)
  7. Transaction Risk Analysis: real-time risk monitoring is required, amounts are capped (at most €500) and the exemption is only available while the PSP's fraud rate stays below the reference rates set in the RTS
  8. Secure corporate payment processes and protocols

PSD2 – Major Incident Reporting (EBA Guidelines Apply).

PSD2 implements 2 key security incident reporting requirements, namely for the PSP to inform:

  • Its competent authority (in its home Member State): without undue delay on becoming aware of a major operational or security incident; and
  • Its Customers, if the incident has or may have an impact on their financial interests. This notice must also be issued “without undue delay” and must inform the customer of the incident and of all measures that they can take to mitigate its adverse effects.

EBA Guidelines Apply

Guidance for the PSP is provided to cover the following areas:

  • Incident classification
  • Notification Process
  • Delegated and consolidated reporting
  • Operational and Security Policy
  • Supervisory Authority Reporting Template

Legislative Text:

Management of Operational and Security Risks

PSD2 Directive, Article 95

(1) Member States shall ensure that payment service providers establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services they provide. As part of that framework, payment service providers shall establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.

(2) Member States shall ensure that payment service providers provide to the competent authority on an annual basis, or at shorter intervals as determined by the competent authority, an updated and comprehensive assessment of the operational and security risks relating to the payment services they provide and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.

(3) By 13 July 2017, EBA shall, in close cooperation with the ECB and after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 with regard to the establishment, implementation and monitoring of the security measures, including certification processes where relevant.

EBA shall, in close cooperation with the ECB, review the guidelines referred to in the first subparagraph on a regular basis and in any event at least every 2 years.

(4) Taking into account experience acquired in the application of the guidelines referred to in paragraph 3, EBA shall, where requested to do so by the Commission as appropriate, develop draft regulatory technical standards on the criteria and on the conditions for establishment, and monitoring, of security measures.

Power is delegated to the Commission to adopt the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.

(5) EBA shall promote cooperation, including the sharing of information, in the area of operational and security risks associated with payment services among the competent authorities, and between the competent authorities and the ECB and, where relevant, the European Union Agency for Network and Information Security.

UK Payment Services Regulations 2017 (2 February 2017 draft), Regulation 98

(1) Each payment service provider must establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks, relating to the payment services it provides. As part of that framework, the payment service provider must establish and maintain effective incident management procedures, including for the detection and classification of major operational and security incidents.

(2) Each payment service provider must provide to the Authority an updated and comprehensive assessment of the operational and security risks relating to the payment services it provides and on the adequacy of the mitigation measures and control mechanisms implemented in response to those risks.

(3) Such assessment must—

(a) be provided on an annual basis, or at such shorter intervals as the Authority may direct; and

(b) be provided in such form and manner, and contain such information, as the Authority may direct.


Authentication – EBA Regulatory Technical Standards Apply

https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-standards-on-strong-customer-authentication-and-secure-communication-under-psd2

PSD2 Directive, Article 4(30) ‘strong customer authentication’

means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;

UK Payment Services Regulations 2017 (2 February 2017 draft), Regulation 2 “Strong customer authentication”

means authentication based on the use of two or more independent elements, the reliability of each element not being compromised by the breach of any other element, and designed in such a way as to protect the confidentiality of the authentication data, with such elements falling into two or more of the following categories—

(a) something known only by the payment service user (“knowledge”);

(b) something held only by the payment service user (“possession”);

(c) something inherent to the payment service user (“inherence”);

PSD2 Directive, Article 97

(1) Member States shall ensure that a payment service provider applies strong customer authentication where the payer:

(a) accesses its payment account online;

(b) initiates an electronic payment transaction;

(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

(2) With regard to the initiation of electronic payment transactions as referred to in point (b) of paragraph 1, Member States shall ensure that, for electronic remote payment transactions, payment service providers apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee.

(3) With regard to paragraph 1, Member States shall ensure that payment service providers have in place adequate security measures to protect the confidentiality and integrity of payment service users’ personalised security credentials.

(4) Paragraphs 2 and 3 shall also apply where payments are initiated through a payment initiation service provider. Paragraphs 1 and 3 shall also apply when the information is requested through an account information service provider.

(5) Member States shall ensure that the account servicing payment service provider allows the payment initiation service provider and the account information service provider to rely on the authentication procedures provided by the account servicing payment service provider to the payment service user in accordance with paragraphs 1 and 3 and, where the payment initiation service provider is involved, in accordance with paragraphs 1, 2 and 3.

UK Payment Services Regulations 2017 (2 February 2017 draft), Regulation 100

(1) A payment service provider must apply strong customer authentication where a payment service user directly or through an account information service provider—

(a) accesses its payment account online;

(b) initiates an electronic payment transaction; or

(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.

(2) Where a payer initiates an electronic remote payment transaction directly or through a payment initiation service provider, the payment service provider must apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee.

(3) A payment service provider must maintain adequate security measures to protect the confidentiality and integrity of payment service users’ personalised security credentials.

(4) An account servicing payment service provider must allow a payment initiation service provider or account information service provider to rely on the authentication procedures provided by the account servicing payment service provider to a payment service user in accordance with the preceding paragraphs of this regulation.


Incident Reporting – EBA Guidelines Apply

PSD2 Directive, Article 96

(1) In the case of a major operational or security incident, payment service providers shall, without undue delay, notify the competent authority in the home Member State of the payment service provider.

Where the incident has or may have an impact on the financial interests of its payment service users, the payment service provider shall, without undue delay, inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident.

(2) Upon receipt of the notification referred to in paragraph 1, the competent authority of the home Member State shall, without undue delay, provide the relevant details of the incident to EBA and to the ECB. That competent authority shall, after assessing the relevance of the incident to relevant authorities of that Member State, notify them accordingly.

EBA and the ECB shall, in cooperation with the competent authority of the home Member State, assess the relevance of the incident to other relevant Union and national authorities and shall notify them accordingly. The ECB shall notify the members of the European System of Central Banks on issues relevant to the payment system.

On the basis of that notification, the competent authorities shall, where appropriate, take all of the necessary measures to protect the immediate safety of the financial system.

(3) By 13 January 2018, EBA shall, in close cooperation with the ECB and after consulting all relevant stakeholders, including those in the payment services market, reflecting all interests involved, issue guidelines in accordance with Article 16 of Regulation (EU) No 1093/2010 addressed to each of the following:

(a) payment service providers, on the classification of major incidents referred to in paragraph 1, and on the content, the format, including standard notification templates, and the procedures for notifying such incidents;

(b) competent authorities, on the criteria on how to assess the relevance of the incident and the details of the incident reports to be shared with other domestic authorities.

(4) EBA shall, in close cooperation with the ECB, review the guidelines referred to in paragraph 3 on a regular basis and in any event at least every 2 years.

(5) While issuing and reviewing the guidelines referred to in paragraph 3, EBA shall take into account standards and/or specifications developed and published by the European Union Agency for Network and Information Security for sectors pursuing activities other than payment service provision.

(6) Member States shall ensure that payment service providers provide, at least on an annual basis, statistical data on fraud relating to different means of payment to their competent authorities. Those competent authorities shall provide EBA and the ECB with such data in an aggregated form.

UK Payment Services Regulations 2017 (2 February 2017 draft), Regulation 99

(1) If a payment service provider becomes aware of a major operational or security incident, the payment service provider must, without undue delay, notify the Authority.

(2) A notification under paragraph (1) must be in such form and manner, and contain such information, as the Authority may direct.

(3) If the incident has or may have an impact on the financial interests of its payment service users, the payment service provider must, without undue delay, inform its payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident.

(4) Upon receipt of the notification referred to in paragraph (1), the Authority must—

(a) without undue delay, provide the relevant details of the incident to European Banking Authority and to the European Central Bank;

(b) notify any other relevant authorities in the United Kingdom; and

(c) co-operate with European Banking Authority and the European Central Bank in assessing the relevance of the incident to authorities outside of the United Kingdom.

(5) If the Authority receives notification of an incident from European Banking Authority or the European Central Bank it must take any appropriate measures to protect the immediate safety of the financial system.