Guide for interpreting new rules on internet payment security endorsed by ECB

Out-Law News | 06 Feb 2014 | 11:12 am

Banks and other payment service providers (PSPs) will have to ensure that they have "properly identified and classified" all the sensitive payment data they store, process and transmit when facilitating internet payments to comply with new rules on the security of internet payments.

A new guide backed by the European Central Bank (ECB) outlines how PSPs can comply with those new requirements. The guide says that regulators should check PSPs' security policies to ensure they have categorised data properly.

The ECB endorsed the guidelines that were drawn up by the European Forum on the Security of Retail Payments (60-page / 1.90MB PDF). The guide explains to regulators how they can assess the compliance of PSPs and governance authorities of payment schemes with the ECB's rules on internet payment security, which were finalised early in 2013.

From 1 February 2015, European PSPs that provide internet payment services and the governance authorities of payment schemes, such as for credit transfers and direct debit transactions, will be required to adhere to the new standards the ECB has set.

The new rules, which among other things require PSPs to secure appropriately against the theft of, unauthorised access to, or modification of the data used to identify and authenticate customers making internet payments, are designed to protect against fraudulent activity.

As well as checking whether PSPs have identified and classified the sensitive data properly, the guide also encourages regulators to check the "specific procedures and technical measures" PSPs put in place to secure that data.

The guide also makes clear that the exchange of sensitive payment data over the internet by PSPs should only happen where "secure end-to-end encryption is applied between the communicating parties throughout the respective communication session".

Among other things, the guide suggests ways regulators can test whether PSPs meet their obligation to use "strong customer authentication" when initiating internet payments and facilitating access to "sensitive payment data".

The document makes clear that PSPs should require at least two distinct identity proofing elements from users before processing their transactions. In practice this means that authorisation should depend on a mix of something users know, such as a PIN only they know, together with something they possess, such as a smart card or mobile phone, or even something inherent to them, such as a fingerprint, it said.

The guide also explains that the means for authorising payments should be "mutually independent", meaning that if one element of authorisation is compromised it should not enable fraudsters to compromise the integrity of the other. The proofing elements relied upon should also not be capable of being "surreptitiously stolen via the internet".

"The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data," it said.

Regulators are also encouraged to check whether independent third parties have given their backing to the security of devices on which authorisation can be sought to make payments and whether they have been tested and adhere to security standards.

Another factor regulators are encouraged to assess when judging the strength of customer authentication procedures is whether PSPs reveal that a password or other individual payment-authorising credential is correct before asking for further authorising information, or whether the validity of the credentials entered is withheld until all elements have been supplied correctly.
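The authentication properties described above (two independent elements, a single verdict that does not reveal which element failed, and no early exit on the first wrong credential) can be illustrated in code. The following is an added example written for this article, not code from the ECB, the European Forum on the Security of Retail Payments, or any PSP; the user record, salt and device secret are constructed placeholders, and the possession element is modelled with an RFC 4226 HOTP code from a device secret, which is one common way to realise it. The "leaky" verifier is shown only as the contrast the guide warns against.

```python
import hashlib
import hmac
import struct

# Constructed demo data: one customer with a salted PIN hash (knowledge element)
# and a device secret (possession element). Real deployments use a random per-user
# salt and keep the device secret inside the device / HSM, never in this table.
SALT = b"constructed-demo-salt"


def hash_pin(pin: str, salt: bytes = SALT) -> bytes:
    """Derive a slow hash of the PIN so a stolen table does not reveal PINs directly."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


USERS = {
    "alice": {
        "pin_hash": hash_pin("4821"),
        "device_secret": b"constructed-device-secret-for-alice",
    }
}

# Dummy record used for unknown users so that the unknown-user path does the same
# work as the known-user path (no username oracle through timing or messages).
DUMMY = {"pin_hash": hash_pin("0000"), "device_secret": b"constructed-dummy-secret"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password per RFC 4226 (dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_strong_auth(user: str, pin: str, device_code: str, counter: int) -> bool:
    """Check both elements, then return one combined verdict.

    Both checks always run; the caller learns only pass/fail, never which element
    was wrong, and a compromised PIN does not help forge the device code.
    """
    record = USERS.get(user)
    known = record is not None
    record = record if known else DUMMY
    pin_ok = hmac.compare_digest(hash_pin(pin), record["pin_hash"])
    code_ok = hmac.compare_digest(hotp(record["device_secret"], counter), device_code)
    return known and pin_ok and code_ok


def verify_leaky(user: str, pin: str, device_code: str, counter: int) -> str:
    """Anti-pattern for contrast: returns early and names the failing element."""
    record = USERS.get(user)
    if record is None:
        return "unknown user"
    if not hmac.compare_digest(hash_pin(pin), record["pin_hash"]):
        return "wrong pin"          # attacker now knows the PIN is the only thing left
    if not hmac.compare_digest(hotp(record["device_secret"], counter), device_code):
        return "wrong device code"  # attacker now knows the PIN was right
    return "ok"


if __name__ == "__main__":
    code = hotp(USERS["alice"]["device_secret"], 7)
    print(verify_strong_auth("alice", "4821", code, 7))   # True
    print(verify_strong_auth("alice", "0000", code, 7))   # False, same answer as a bad code
    print(verify_leaky("alice", "0000", code, 7))          # "wrong pin" leaks progress
```

The design point is that `verify_strong_auth` computes every element before combining them, so neither response text nor control flow tells the caller how far they got; `verify_leaky` is what a regulator following the guide would flag.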

Among the ECB's other new internet payment security recommendations, PSPs will have to use "transaction monitoring mechanisms" prior to giving the final approval for payments to be made. This, it said, would help "prevent, detect and block fraudulent payment transactions".

A check of compliance with this requirement may include an assessment of whether the monitoring refers to "black lists of compromised or stolen card data" and whether such reference lists are kept up to date, according to the new guide.

The ECB's recommendations called on PSPs to explain in their contracts to customers that they might block individual transactions or a payment instrument if there were security concerns and explain how they will notify them of such decisions and how customers can unblock services.

The new guide advises regulators to check whether PSPs block transactions in accordance with "well-defined criteria", such as by assessing customers' payment behaviour or their risk and general profile relative to the level of transaction they seek to make.
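The monitoring and blocking behaviour described in the last few paragraphs (a blacklist of compromised card data that must be kept current, and blocking or holding transactions by "well-defined criteria" tied to the customer's payment behaviour, with a reason the PSP can relay to the customer) can be sketched as a small pre-approval check. This is an added example written for this article, not code from the ECB or any PSP; the blacklist entries, customer history and thresholds are constructed, and the criteria are illustrative choices rather than the guide's.

```python
import hashlib
import statistics
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Blacklist of compromised card data, stored as fingerprints rather than raw PANs
# so the monitoring system never holds cleartext card numbers. Constructed entries.
def card_fingerprint(pan: str) -> str:
    return hashlib.sha256(pan.encode()).hexdigest()


COMPROMISED_CARDS = {card_fingerprint("4000000000000002")}   # constructed test PAN
BLACKLIST_UPDATED = datetime(2014, 2, 5, 9, 0)                # constructed timestamp
MAX_BLACKLIST_AGE = timedelta(days=1)                          # illustrative freshness rule


@dataclass
class Customer:
    customer_id: str
    past_amounts: List[float]        # constructed history of approved amounts
    recent_attempts: List[datetime]  # timestamps of attempts in the current session


@dataclass
class Transaction:
    pan: str
    amount: float
    when: datetime


def assess(txn: Transaction, customer: Customer) -> Tuple[str, List[str]]:
    """Return ('allow' | 'review' | 'block', reasons) before final approval.

    Reasons are written so they can be reported to the customer, as the ECB's
    contract-notification recommendation expects.
    """
    reasons: List[str] = []

    # Blacklist check first; an up-to-date list is itself a compliance condition.
    if txn.when - BLACKLIST_UPDATED > MAX_BLACKLIST_AGE:
        reasons.append("compromised-card list older than permitted; manual review")
    if card_fingerprint(txn.pan) in COMPROMISED_CARDS:
        return "block", ["card appears on the compromised-card list"]

    # Behavioural criterion: amount far above this customer's typical payment.
    if customer.past_amounts:
        typical = statistics.median(customer.past_amounts)
        if txn.amount > 5 * typical:
            reasons.append(f"amount {txn.amount:.2f} exceeds 5x typical {typical:.2f}")

    # Velocity criterion: too many attempts within a short window.
    window_start = txn.when - timedelta(minutes=10)
    burst = [t for t in customer.recent_attempts if window_start <= t <= txn.when]
    if len(burst) >= 3:
        reasons.append(f"{len(burst)} attempts within 10 minutes")

    if len(reasons) >= 2:
        return "block", reasons
    if reasons:
        return "review", reasons
    return "allow", []


# Constructed sample customer used by the test harness and the demo run.
NOW = datetime(2014, 2, 5, 14, 30)
ALICE = Customer(
    customer_id="alice",
    past_amounts=[20.0, 35.0, 25.0, 30.0, 28.0],
    recent_attempts=[NOW - timedelta(minutes=8), NOW - timedelta(minutes=4), NOW],
)

if __name__ == "__main__":
    print(assess(Transaction("4111111111111111", 30.0, NOW), ALICE))
    print(assess(Transaction("4000000000000002", 30.0, NOW), ALICE))
    print(assess(Transaction("4111111111111111", 500.0, NOW), ALICE))
```

Keeping the decision as a verdict plus human-readable reasons separates the "well-defined criteria" from the action taken on them, which is what a regulator checking both the monitoring mechanism and the customer-notification contract terms would want to see.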