“payment related services”
The definition of payment related services is very wide; it should be limited to only those “technical supporting tasks” whose failure would cause a failure of payment services.
“major operational or security incident”
We think that the definition of a ‘major operational or security incident’ (‘A singular event or a series of linked events which have or may have a material adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services’) should not include events which may have only a potentially negative impact on the payment services provided. Otherwise, payment service providers will have to face the fact that any event which might cause an actual incident will have to be reported to the relevant authority as an actual incident (even though the negative impact on payment services is only potential).
In our view, reputational impact shouldn’t be considered as a criterion for assessing the materiality of an operational or security incident. Reputation is a very blurry category, with a lot of uncertainty about how to measure the potential impact on reputation.
Additionally, we believe that “High level of internal escalation” and “crisis mode” may have a negative impact on PSPs’ internal communication processes. It is easy to imagine that such a criterion might create a culture in which reporting is discouraged.
An obligation to report an incident within the first 2 hours from the moment the incident was first detected is almost impossible to fulfil. The reporting template is very detailed (with questions like “What is the specific issue?”, “How did it happen?”, “How did it evolve?”). Payment service providers should focus on the incident itself, not on reporting; from a compliance perspective, the most important task is to handle the incident and then, when everything is on the right track, prepare the necessary reporting, lessons learnt, etc.