Guidelines on security measures for operational and security risks under the PSD2

Status: Final (awaiting translation into the EU official languages)

The Guidelines have been developed in close cooperation with the European Central Bank (ECB), and are in support of the objectives of PSD2, such as strengthening the integrated payments market in the EU, mitigating the increased security risks arising from electronic payments, and promoting equal conditions for competition.

EBA publishes final Guidelines on security measures under PSD2

12 December 2017

The European Banking Authority (EBA) published today its final Guidelines on security measures for operational and security risks of payment services under the revised Payment Services Directive (PSD2). These Guidelines, which the EBA developed in close cooperation with the European Central Bank (ECB), support the objective of PSD2 of contributing to an integrated payments market across the European Union, promoting equal conditions for competition, and mitigating the increased security risks arising from electronic payments. This, in turn, minimises disruption to users, payment service providers and payment systems.
 
These Guidelines aim to ensure that payment service providers have in place appropriate security measures to mitigate operational and security risks. These should include the establishment of an effective operational and security risk management framework; processes that detect, prevent and monitor potential security breaches and threats; risk assessment procedures; regular testing; and processes to raise awareness among payment service users of security risks and risk-mitigating actions.
 
Following the three-month consultation period, the EBA decided to further clarify and detail some terms and aspects it had proposed in the draft Guidelines. In particular, the final Guidelines clarify the meaning of proportionality and explain why the EBA is not regulating certification processes of security measures.

Legal basis and background

These Guidelines have been drafted in accordance with Article 95(3) of Directive (EU) 2015/2366 on payment services in the internal market (PSD2), which mandates the EBA to issue guidelines for the purpose of managing operational and security risks and with regard to the establishment, implementation and monitoring of the security measures, including certification processes, where relevant.
 

Press contacts:

Franca Rosa Congiu

E-mail: press@eba.europa.eu - Tel: +44 (0) 207 382 1772