EBA’s guidelines on the security of internet payments

Written on 4 Feb 2015

The European Banking Authority (“EBA”) published its final guidelines on 19 December 2014, setting the minimum requirements that payment service providers (“PSPs”) in the EU will be expected to implement by 1 August 2015 in relation to the security of internet payments.

The guidelines are based on recommendations for the security of internet payments published by the European Central Bank, which were developed by the European Forum on the Security of Retail Payments (“SecuRe Pay”); see further below. The EBA agreed to convert the recommendations into guidelines in order to give the security of internet payments a solid legal basis across all EU Member States until the revised Payment Services Directive (“PSD2”) is implemented. The EBA published a consultation on the draft guidelines in October 2014. Many stakeholders, including the UK Payments Council, asked the EBA to delay the introduction of the guidelines until PSD2 is transposed, so that PSPs would not incur the cost of changing their processes once before August 2015 and then again when PSD2 is implemented.

Timing of the guidelines

The EBA decided that delaying until 2017 or 2018 was not a plausible option given the high and rising levels of fraud on internet payments. Accordingly, the EBA has decided to follow a “two-step approach”: the guidelines will be implemented as consulted on by 1 August 2015, with the potentially more stringent requirements under PSD2 being implemented later.

This approach was favoured in the responses to the EBA’s consultation over the alternative “one-step approach”, under which the EBA would have issued a single set of guidelines in August 2015 attempting to anticipate the requirements of the final text of PSD2.

Status of the guidelines

The guidelines are not legally binding, but the EBA states that regulators and financial institutions should make every effort to comply with them, and that national regulators should incorporate the guidelines into their supervisory practices. The UK’s FCA is currently considering the guidelines’ impact on itself as a competent authority, on the PSPs it regulates and on the market ahead of the implementation of PSD2. The FCA had advocated delaying implementation until PSD2 takes effect, but the message is essentially that PSPs must put these guidelines into effect by August 2015.

The guidelines’ requirements

The guidelines do not extend to mobile payments, except where a mobile payment is made through a web browser on a mobile device. The requirements reach online retailers as well as payment service providers offering online payments.

The guidelines set minimum expectations for the security arrangements that PSPs should have in place for internet payments. The new requirements stipulate, amongst other things, that PSPs must:

  • have procedures in place for effective risk assessment, incident reporting and traceability of all transactions;
  • deploy multiple layers of security, including strong customer authentication before a payment is initiated;
  • monitor, handle and report any security incidents they experience; and
  • provide their customers with assistance and guidance on the secure use of internet payment services, including by initiating customer awareness programmes.

Other SecuRe Pay recommendations

In its role as a common platform for both the EBA and the European System of Central Banks (“ESCB”), SecuRe Pay has published two other sets of recommendations:

  • Mobile payments: in late 2013, SecuRe Pay consulted on draft recommendations for the security of mobile payments, but it has not issued any final recommendations following that consultation.
  • Payment account access services: in May 2014, SecuRe Pay published its final recommendations for the security of payment account access services following public consultation. Unlike its recommendations for the security of internet payments, however, these have not been adopted by the EBA or by any of the other relevant competent authorities, so they remain without legal standing.

As PSD2 develops and the EBA begins its work on the various technical guidelines and standards that PSD2 allocates to it, we fully expect the EBA to consult with SecuRe Pay and to take forward its work in these areas.
