Primary tabs


Yes. PayBelgium welcomes the increase of the quantitative threshold used for the higher impact level with respect to the criterion “transactions affected” from 5 million to 15 million.
We agree that the introduction of the condition that the operational incidents must have a duration of longer than one hour may help to ensure that only operational incidents with a significant impact are being captured by the reporting requirement. At the same time, however, we believe that the proposed amendment to use the percentages and the absolute amount thresholds as alternatives (instead of them being cumulative conditions) may have the opposite effect. It may effectively bring in scope again certain operational incidents without a significant impact, even if they have a duration of more than one hour. Indeed, while an incident may or may not reach the threshold of 10% of PSUs being affected, for payment institutions of a certain size it almost always reaches the threshold of 5,000 PSUs affected. As a result, those payment institutions may need to report incidents that – given the relative size of the payment institution and its user base, and despite a duration of more than one hour – may not have a significant impact. The same goes for the criterion “transactions affected”, even if the absolute amount threshold were increased to EUR 500,000. We would therefore suggest to keep the percentage and the absolute amount thresholds as cumulative conditions.
We support an adaptation of the guidelines to ensure they capture all relevant security incidents. However, we believe that creating an additional criterion “breach of security measures” at the lower impact level may again result in certain non-major incidents being captured by the reporting requirement if an incident continues to be classified as major at the lower impact level as soon as three criteria are met (i.e., in this context, breach of security measures + two other criteria). To filter out security incidents that are not major, rather than creating a separate criterion “breach of security measures” for the classification as major, we would suggest to amend the definition of “operational or security incident” to clarify that it will in any event cover situations where there is a breach of security measures. In order for that incident to be qualified as major and, hence, subject to the reporting requirement, it would then still need to meet three criteria at the lower impact level.

We would also like to emphasise that, should the new criterion “breach of security measures” be included (whether at the level of the definition of “operational or security incident” or at the level of the classification of the incident as major) it is important that the final revised guidelines keep the clarification that the 4-hour deadline for submission of the initial report (as required under Guideline 2.7) applies from the moment of classification of the incident (and not the detection of the incident). That clarification is required to allow for a timely internal assessment of the incident against the guidelines.
Yes, we agree with those proposed changes.
Yes, we support the introduction of a standardised file for submission of incident reports. In terms of type of structured file format, there is a preference among our members for MS Excel.
Yes, we agree with those proposed changes.
We generally agree with the proposed changes. However, with respect to the categorisation of the causes of incidents and in particular the category “malicious action” , we are of the view that the sub-category “fraud”, as it is currently defined, may overlap with other sub-categories of malicious action. For instance, phishing (currently included in the definition of fraud) could also be said to fall within the sub-category “information gathering”. We would therefore suggest to refine the definition of fraud so as to make it clear that the sub-category refers to fraud in a strict sense, i.e. an unauthorised use (e.g. unauthorised use of resources, copyright infringements) rather than to an activity that could be said to also fall within another sub-category (e.g. phishing).
Sophie Peeters