Guidelines on internet payments security

Status: Final and translated into the EU official languages

The Guidelines on the security of internet payments are based on the recommendations of the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary cooperative initiative set up by the ECB and comprising relevant authorities from the European Economic Area (EEA) with the aim of facilitating understanding of issues related to the security of electronic retail payment services.

EBA outlines its upcoming initiatives for the regulation of retail payments

21 May 2015

The EBA announced today that it is getting ready to develop requirements that will harmonise regulatory and supervisory practices to ensure secure, easy and efficient payment services across the EU. The EBA will do so by fulfilling mandates under the upcoming revised Payments Services Directive (PSD2) and the Interchange Fee Regulation (IFR). It has also issued final Guidelines for the security of internet payments that are applicable from 1 August 2015.
 
The legislative framework for retail payments in the European Union (EU) has seen important developments in recent months, such as the advancements in the negotiations for the revised Payments Services Directive (PSD2) and the finalisation of the EU Regulation on Interchange Fees (IFR). The European Commission, Council and Parliament are currently in the final negotiation stages of the PSD2 and once the Directive is agreed upon, the EBA will approach the industry and other interested parties to gather their input at an early stage of the regulatory development process.
 
The PSD2 mandates for the EBA are expected to include requirements to improve operational and security requirements for payment services. The EBA will develop this work in close cooperation with the European Central Bank (ECB), through the Forum for the Security of Retail Payments (SecuRe Pay) that the ECB and the EBA are chairing jointly.
 
As the security requirements under the PSD2 are not expected to come into force until 2018/9, the EBA had issued, on 18 December 2014, its final Guidelines on the security of internet payments. The requirements are a response to increases in fraud that regulators have observed with this particular payment method. The Guidelines represent the first output of the cooperation between the EBA and ECB on retail payments; have taken two years to develop; are applicable as of 1 August 2015; and will apply until the PSD2 requirements come into force in 2018/9.
 
The Guidelines will set minimum security requirements for payment services providers across the EU, and will provide enhanced protection of EU consumers against payment fraud on the Internet. Dirk Haubrich, Head of the EBA's Consumer Protection, Financial Innovation and Payments Unit at the EBA explained that: "This work will ensure increased confidence in internet payments for consumers and firms in the EU, and is aimed at allowing this sector of the payments market to continue to grow".
 
The Guidelines are based on the "comply or explain" principle, which means that national authorities have to notify the EBA within two months of the publication of the translations whether they will comply with the Guidelines or otherwise explain their reasons for non-compliance. The EBA published the translations on 5 March 2015 and has today made available a summary table of the compliance notifications received.
 
While the Guidelines are a conversion of the requirements that had previously been developed by the SecuRe Pay Forum, the EBA also clarified that other initiatives that had been started by SecuRe Pay – such as SecuRe Pay's consultation on draft security requirements for mobile payments, or its early views on third party access to payment accounts – will not be converted into EBA Guidelines. Instead, SecuRe Pay will from now on provide input to the EBA and the ECB for the development of the security mandates under the PSD2, and will do so to the timelines foreseen by the PSD2.
 
Finally, the EBA expects to start its work on Regulatory Technical Standards (RTS) foreseen by the EU Interchange Fee Regulation (IFR). The EBA will develop requirements to ensure that payment card schemes and processing entities are independent from one another in terms of accounting, organisation and decision making processes. The industry's views on this mandate will also be sought at an early stage, as the EBA is planning to approach relevant market participants during summer 2015. The EBA will develop this mandate in close cooperation with the ECB and pointed out that its finalisation may be later than the six months foreseen in the IFR.
 

Press contacts:

Franca Rosa Congiu

E-mail: press@eba.europa.eu - Tel: +44 (0) 207 382 1772

EBA issues guidelines to strengthen requirements for the security of internet payments across the EU

19 December 2014

The European Banking Authority (EBA) published today its final Guidelines on the security of internet payments, which set the minimum security requirements that Payment Services Providers in the EU will be expected to implement by 1 August 2015. Concerned about the increase in fraud related to internet payments, the EBA decided that the implementation of a more secure framework for internet payments across the EU was needed. These Guidelines are based on the technical work carried out by the European Forum on the Security of Retail Payments (SecuRe Pay).
 
Among various measures aimed at more efficient and secure internet payments across the EU, the EBA Guidelines require in particular that Payment Service Providers (PSPs) carry out strong customer authentication in order to verify the customer's identity before proceeding with an online payment, one of the key measures to prevent internet fraud, be it through banking services or internet card payments. These Guidelines, which are based on the technical work carried out by SecuRe Pay (the voluntary cooperation forum bringing together central banks and supervisors of Payment Service Providers), will be applicable to all PSPs across the EU in a consistent manner as of August 2015.
 
The EBA decided to issue these Guidelines because of the rising levels of fraud observed in internet payments. The latest pan-EU figures showed that fraud on card internet payments alone caused €794 million of losses in 2012 (up by 21.2% from the previous year). A timely and consistent regulatory response was therefore needed while waiting for the revision of the Payment Services Directive, which aims at creating more secure, competitive and consumer-friendly rules for payments in the EU.
 
Geoffroy Goffinet at the EBA Consumer Protection Unit explained that: "the EBA guidelines on internet payments provide the legal basis for achieving a level playing field for all PSPs across the EU. Through this piece of work, the EBA looked into supporting the development of e-commerce across the EU, while ensuring proper protection of consumers."
 
PSPs will also be required to provide assistance and guidance to their customers in relation to the secure use of internet payment services. In particular, they will have to initiate customer awareness programmes so as to ensure that their users understand risks and best practices in internet payments. 
 
Regarding consumer data protection, the Guidelines foresee that PSPs offering card payment services to e-merchants should encourage them not to store any sensitive payment data or require that they have the necessary measures in place to protect these data. PSPs should also carry out regular checks and if they become aware that an e-merchant handling sensitive payment data does not have the required security measures in place, they should take steps to enforce this as a contractual obligation or terminate the contract.
 
All competent authorities across the EU are expected to comply with these Guidelines by incorporating them into their supervisory practices and amending their legal framework or their supervisory processes accordingly.
 

Note to the editors

These Guidelines will provide a solid legal basis for the security of internet payments across all EU Member States while the revised Payment Services Directive (known as PSD2) is finalised in coming years. A consultation on the implementation of these Guidelines was launched in October 2014.
 
The EBA work on this topic results from a concerted effort with the European Central Bank (ECB) to increase the security of retail payments and was developed on the basis of the recommendations issued in January 2013 by the European Forum on the Security of Retail Payments (SecuRe Pay). SecuRe Pay was established in 2011 as a voluntary cooperation between supervisors of Payment Service Providers (PSPs) and overseers of payment systems and payment schemes/instruments within the EU/EEA with the aim of facilitating knowledge sharing and understanding of security of electronic payment services and instruments. 
 