New ECB guidelines on security standards for internet payments
7 March 2013
On 31 January 2013, the European Central Bank (ECB) presented its final 'Recommendations for the security of internet payments'. The recommendations were drawn up by the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary co-operative initiative of the relevant authorities from the European Economic Area (EEA), and address the security of electronic retail payment services and instruments.
Payment service providers (PSPs) offering internet payment services (such as executing card payments or credit transfers over the internet, registering card payment data for use in e-wallets, electronic direct debit mandates and transferring e-money between electronic accounts) are affected, as are the governance authorities (GAs) of payment schemes (the bodies accountable for the overall functioning of the schemes promoting payment instruments). Online retailers will also be affected, as PSPs will have to obtain contractual assurances from e-merchants that their systems meet the security requirements prescribed in the recommendations. E-merchants are also encouraged to follow the ECB's best practice guidance, although this will not be mandatory.
The recommendations are the outcome of a public consultation and were developed by SecuRe Pay, whose members include a number of central banks of EU Member States as well as supervisory authorities. The recommendations are based on four core principles:
1. PSPs and governance authorities (GAs) should regularly assess the risks associated with providing internet payment services to keep up to date with evolving security threats.
2. Initiation of internet payments and access to sensitive payment data (data which, if compromised, could be used to carry out fraud) should be protected by strong customer authentication.
3. PSPs should implement effective authorisation processes and monitor transactions to spot abnormal payment patterns.
4. PSPs and GAs should engage in customer awareness and education programmes on security issues.
Timescale for implementation
The ECB recommendations are a step-up in the regulation of internet payments and will apply in addition to the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is already mandated through the card schemes, MasterCard among them, and in 2011 the UK's Information Commissioner emphasised that failure to comply with the standard puts companies at risk of being fined for breaking data protection laws. In addition, on 1 February 2013 the PCI Security Standards Council issued guidelines for e-commerce security to help e-commerce companies understand and meet the Council's security requirements.
PSPs and retailers will need to start preparing their systems now to meet the 1 February 2015 implementation deadline, which gives organisations only two years in which to ensure compliance.
Furthermore, the ECB's Governing Council announced that it will launch a public consultation on draft recommendations for payment account access services. All interested parties are invited to comment on the draft 'Recommendations for payment account access services' by 12 April 2013.
For more information please contact Dr. Nathalie Moreno, Partner