EBA issues guidelines to strengthen requirements for the security of Internet payments across the EU

Concerned about the increase in fraud related to Internet payments, the EBA decided that the implementation of a more secure framework for such payments across the EU was needed

The European Banking Authority (EBA) has issued its final guidelines on the security of Internet payments. These new guidelines set the minimum security requirements that Payment Service Providers (PSPs) in the EU will be expected to implement by 1 August 2015.

The EBA decided to issue these guidelines in response to the rising levels of fraud observed in Internet payments. Latest pan-EU figures show that fraud on card Internet payments alone resulted in €794 million of losses in 2012 (up by 21.2% from the previous year).

A timely and consistent regulatory response was needed while waiting for the revision of the Payment Services Directive which aims to create more secure, competitive and consumer-friendly rules for payments in the EU.

These new guidelines are based on the technical work carried out by the European Forum on the Security of Retail Payments (SecuRe Pay).

Among various measures aimed at more efficient and secure Internet payments across the EU, the EBA guidelines require in particular that PSPs carry out strong customer authentication in order to verify customer identity before proceeding with an online payment (one of the key measures to prevent Internet fraud), be it through banking services or Internet card payments.

Achieving a level playing field

Geoffroy Goffinet of the EBA’s Consumer Protection Unit explained: “The EBA guidelines on Internet payments provide the legal basis for achieving a level playing field between all PSPs across the EU. Through this piece of work, the EBA looked into supporting the development of e-commerce across the EU while also ensuring the proper protection of consumers.”

PSPs will also be required to provide assistance and guidance to their customers in relation to the secure use of Internet payment services. In particular, they will have to initiate customer awareness programmes so as to ensure that their end users fully understand the risks and best practices involved with Internet payments.

Regarding consumer data protection, the guidelines foresee that PSPs offering card payment services to e-merchants should encourage them not to store any sensitive payment data or require that they have the necessary measures in place to protect such information.

PSPs should also carry out regular checks and, if they become aware that an e-merchant handling sensitive payment data doesn’t have the required security measures in place, they should then take steps to enforce this as a contractual obligation or otherwise terminate the contract.

Amendment of legal frameworks

All competent authorities across the EU are expected to comply with these new guidelines by incorporating them into their supervisory practices and amending their legal framework or their supervisory processes accordingly.

The EBA’s work on this topic results from a concerted effort alongside the European Central Bank to increase the security of retail payments and was developed on the basis of the recommendations issued in January 2013 by the aforementioned SecuRe Pay.

SecuRe Pay was established in 2011 as a voluntary co-operation between supervisors of PSPs and overseers of payment systems and payment schemes/instruments within the EU/EEA. The overriding aim is to facilitate knowledge sharing and understanding around the security of electronic payment services and instruments.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.