Out-Law News | 01 Feb 2013 | 3:45 pm | 3 min. read
The ECB said that PSPs should adopt a "defence in depth" approach so that attacks on the security of internet payment systems can be defeated even if those attacks breach some of the "security solutions" that have been installed.
The recommendation was one of 14 the ECB has made in relation to new security standards for internet payments. PSPs and "governance authorities" (GAs) have until 1 February 2015 to implement them, and online retailers, referred to as 'e-merchants', are also "encouraged to adopt" the recommendations. The ECB had consulted on the measures last year.
"PSPs and payment schemes should have appropriate security solutions in place to protect networks, websites, servers and communication links against abuse or attacks," the ECB said in its report (16-page / 314KB PDF) containing its recommendations. "PSPs and payment schemes should strip the servers of all superfluous functions in order to protect (harden) them and eliminate or reduce vulnerabilities of applications at risk."
"Access by the various applications to the data and resources required should be kept to a strict minimum following the 'least privilege' principle. In order to restrict the use of 'fake' websites (imitating legitimate PSP sites), transactional websites offering internet payment services should be identified by extended validation certificates drawn up in the PSP’s name or by other similar authentication methods," it added.
The ECB's other recommendations included that PSPs ensure that all online transactions are "traced", that consumers are provided with information about the security risks involved in such transactions and that their identity can be verified.
In addition, consumers should be unable to make internet payments unless "strong" authentication processes are in place, and consumers should be able to use "authentication tools and/or software" to provide their authentication details initially "in a secure manner", it added.
PSPs were further recommended to limit the number of times consumers can attempt to log in and to limit the time for which consumers can use the same log-in details, whilst the ECB also called for new rules to be defined on screen 'time outs'. The ECB said that "sensitive payment data", which it defined as information that could be used for fraudulent purposes, "should be protected when stored, processed or transmitted".
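The three log-in controls described above (a cap on failed attempts, a maximum age for log-in details, and a screen time-out) can be combined in a single authentication policy. The following is an added illustration, not code from the ECB report or from any PSP; the thresholds (five attempts, a 15-minute lock, 90-day credential age, 5-minute idle time-out) are constructed values, since the report leaves the figures to each PSP's own risk assessment. The clock is passed in as a parameter so the behaviour can be walked through deterministically.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Policy parameters: constructed for this example, not figures from the ECB report.
MAX_FAILED_ATTEMPTS = 5          # failed log-ins before the account is locked
LOCKOUT_SECONDS = 15 * 60        # how long a lock lasts
CREDENTIAL_MAX_AGE = 90 * 86400  # log-in details older than this must be renewed
SESSION_IDLE_TIMEOUT = 5 * 60    # screen time-out: idle seconds before a session ends


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    credential_set_at: float     # when the current log-in details were issued
    failed_attempts: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    last_seen: float


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-account salt; iteration count kept modest for the demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthPolicy:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def enrol(self, user: str, password: str, now: float) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt), now)

    def attempt_login(self, user: str, password: str, now: float) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "invalid"  # same answer as a wrong password: don't reveal which accounts exist
        if now < acct.locked_until:
            return "locked"   # lock is checked before the password, so guessing cannot continue
        if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failed_attempts = 0
                return "locked"
            return "invalid"
        acct.failed_attempts = 0
        if now - acct.credential_set_at > CREDENTIAL_MAX_AGE:
            return "credential_expired"  # right password, but the log-in details have aged out
        return "ok"

    def open_session(self, sid: str, user: str, now: float) -> None:
        self.sessions[sid] = Session(user, now)

    def touch_session(self, sid: str, now: float) -> bool:
        """Called on each request: returns False (and ends the session) once it has gone idle."""
        s = self.sessions.get(sid)
        if s is None:
            return False
        if now - s.last_seen > SESSION_IDLE_TIMEOUT:
            del self.sessions[sid]
            return False
        s.last_seen = now
        return True


def demo() -> dict:
    """Scripted walk-through with an injected clock; returns the observed outcomes."""
    t0 = 1_000_000.0  # constructed epoch time
    auth = AuthPolicy()
    auth.enrol("alice", "correct horse", now=t0)
    out = {}
    # Four wrong passwords are rejected individually; the fifth locks the account.
    out["bad_attempts"] = [auth.attempt_login("alice", f"guess{i}", t0 + i) for i in range(5)]
    # The right password does not help while the lock is active...
    out["while_locked"] = auth.attempt_login("alice", "correct horse", t0 + 60)
    # ...but works once the lock has lapsed.
    out["after_lock"] = auth.attempt_login("alice", "correct horse", t0 + LOCKOUT_SECONDS + 60)
    # A session that stays idle longer than the screen time-out is terminated.
    auth.open_session("s1", "alice", t0 + 1000)
    out["session_active"] = auth.touch_session("s1", t0 + 1000 + 60)
    out["session_expired"] = auth.touch_session("s1", t0 + 1000 + 60 + SESSION_IDLE_TIMEOUT + 1)
    # Log-in details older than the permitted age are refused even when correct.
    out["aged_credential"] = auth.attempt_login("alice", "correct horse", t0 + CREDENTIAL_MAX_AGE + 1)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The lock is evaluated before the password so that a locked account gives no feedback about whether a guess was right, and an unknown user gets the same "invalid" answer as a wrong password.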
The ECB also said that PSPs should use "transaction monitoring mechanisms" prior to giving the final approval for payments to be made. This, it said, would help "prevent, detect and block fraudulent payment transactions".
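One shape such a pre-approval monitoring step can take is a rule-based risk score computed against the customer's own payment history, with three outcomes: approve, require step-up authentication, or block. The code below is an added example and is not from the ECB report or any payment scheme; the rules, thresholds and the sample history for a customer "alice" are all constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

APPROVE, STEP_UP, BLOCK = "approve", "step_up", "block"

# Thresholds: constructed for this example; a PSP would tune them from its own fraud data.
VELOCITY_WINDOW = 3600     # seconds
VELOCITY_LIMIT = 3         # approved payments within the window before the score rises
AMOUNT_MULTIPLIER = 5.0    # a payment above N times the customer's mean is unusual
DAILY_CAP = 5000.0         # hard cap on one day's total; exceeding it blocks outright
STEP_UP_SCORE = 2
BLOCK_SCORE = 4


@dataclass(frozen=True)
class Payment:
    customer: str
    payee: str      # beneficiary identifier (e.g. an account number or card token)
    amount: float
    ts: float       # seconds since epoch
    country: str    # country inferred from the originating connection


def score_payment(p: Payment, history: list[Payment]) -> tuple[int, list[str]]:
    """Score one pending payment against the customer's previously approved payments."""
    score, reasons = 0, []
    mine = [h for h in history if h.customer == p.customer]
    if mine:
        if p.amount > AMOUNT_MULTIPLIER * mean(h.amount for h in mine):
            score += 2
            reasons.append("amount far above customer's usual")
        if p.payee not in {h.payee for h in mine}:
            score += 1
            reasons.append("first payment to this payee")
        if p.country not in {h.country for h in mine}:
            score += 1
            reasons.append("originating country not seen before")
    recent = [h for h in mine if p.ts - h.ts < VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_LIMIT:
        score += 2
        reasons.append("payment velocity above limit")
    day_total = sum(h.amount for h in mine if p.ts - h.ts < 86400) + p.amount
    if day_total > DAILY_CAP:
        score += BLOCK_SCORE
        reasons.append("daily spending cap exceeded")
    return score, reasons


def decide(p: Payment, history: list[Payment]) -> tuple[str, list[str]]:
    """Final gate run before a payment is approved."""
    score, reasons = score_payment(p, history)
    if score >= BLOCK_SCORE:
        return BLOCK, reasons
    if score >= STEP_UP_SCORE:
        return STEP_UP, reasons
    return APPROVE, reasons


# Constructed history: five routine payments by "alice" from Germany over five days.
T = 1_700_000_000.0
HISTORY = [
    Payment("alice", "SHOP-A", 40.0, T - 5 * 86400, "DE"),
    Payment("alice", "UTILITY-B", 60.0, T - 4 * 86400, "DE"),
    Payment("alice", "SHOP-A", 50.0, T - 3 * 86400, "DE"),
    Payment("alice", "SHOP-A", 45.0, T - 2 * 86400, "DE"),
    Payment("alice", "UTILITY-B", 55.0, T - 1 * 86400, "DE"),
]


def demo() -> dict:
    """Decisions for a set of constructed pending payments; returns outcome per case."""
    out = {}
    out["routine"] = decide(Payment("alice", "SHOP-A", 45.0, T, "DE"), HISTORY)[0]
    out["new_payee_new_country"] = decide(Payment("alice", "NEW-PAYEE", 48.0, T, "RO"), HISTORY)[0]
    out["unusual_amount"] = decide(Payment("alice", "SHOP-A", 900.0, T, "DE"), HISTORY)[0]
    out["over_daily_cap"] = decide(Payment("alice", "NEW-PAYEE", 6000.0, T, "DE"), HISTORY)[0]
    # Three small payments approved within the last hour, then a fourth: velocity rule fires.
    burst = HISTORY + [Payment("alice", "SHOP-A", 30.0, T - d, "DE") for d in (600, 400, 200)]
    out["velocity"] = decide(Payment("alice", "SHOP-A", 30.0, T, "DE"), burst)[0]
    return out


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Scoring against the customer's own baseline rather than a global one is what lets a routine 45.00 payment pass untouched while a 900.00 payment from the same account is held for step-up authentication; the daily cap is the one rule that blocks on its own regardless of the rest of the score.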
Among the other recommendations the ECB has made is for PSPs and payment schemes to adopt stronger governance and risk assessment mechanisms for reviewing their policies on internet payment services security and for identifying threats to that security. It also said that PSPs and payment schemes should have incident-specific monitoring and reporting procedures in place for "handling and follow-up of security incidents, including security-related customer complaints" and for reporting cases to regulators where appropriate.
The incident monitoring programme should also involve "acquiring PSPs" contractually obliging e-merchants that "store, process or transmit sensitive payment data" to "cooperate on major payment security incidents, including data breaches" with them and with regulators, the ECB said. The terms of those contracts should also require retailers to adhere to the same standards as PSPs with regard to the multiple layering of their IT security defences, it added.
The ECB said that the recommendations do not apply to systems and technology for mobile payments other than in relation to "browser-based payments".
"The establishment of harmonised European recommendations for the security of internet payments is expected to contribute to fighting payment fraud and enhancing consumer trust in internet payments," the ECB said in a report containing its recommendations for the security of internet payments.
"The recommendations outlined ... constitute minimum expectations. They are without prejudice to the responsibility of PSPs, GAs of payment schemes and other market participants to monitor and assess the risks involved in their payment operations, develop their own detailed security policies and implement adequate security, contingency, incident management and business continuity measures that are commensurate with the risks inherent in the payment services provided," it added.
There are already rules governing payment security, such as the Payment Card Industry Data Security Standard (PCI DSS). The standard was established by the PCI Security Standards Council, which comprises major payment card brands including American Express, Visa and MasterCard.
PCI DSS is the main standard related to storing payment card data and it sets out 12 requirements specifying steps which should be taken to ensure payment card data is kept safe both during and after transactions. In 2011 the UK's Information Commissioner made it clear that companies that fail to comply with the PCI DSS requirements risk being fined for breaking data protection laws.