Out-Law / Your Daily Need-To-Know

New payment security guidelines to apply to online retail from August 2015

Out-Law News | 22 Oct 2014 | 9:57 am | 2 min. read

Online retailers and payment service providers (PSPs) in the EU could have to ensure that the processing of consumer transactions adheres to stiff new internet payment security guidelines from 1 August next year.

The European Banking Authority (EBA) said its proposed new internet payment security guidelines (33-page / 321KB PDF) "are expected to contribute to fighting payment fraud and enhancing consumer trust in internet payments". National regulators are expected to apply the new guidelines by "incorporating them into their supervisory practices as appropriate", the EBA said. Regulators are not bound into overseeing compliance with the guidelines but they would have to justify to the EBA any decision not to apply them.

Under the draft guidelines, PSPs that outsource "functions related to the security of the internet payment services" would have to ensure that their suppliers are contractually obliged to adhere to the EBA's guidelines.

Online retailers would be required to "implement security measures in their IT infrastructure" that correspond to some of the rules contained in the EBA guidance where they store, process or transmit sensitive payment data.

The EBA's proposals are an adaptation of internet payment security guidelines previously developed by the European Forum on the Security of Retail Payments (SecuRe Pay) and endorsed by the European Central Bank. The new draft guidelines correspond to rules set out in the existing EU Payment Services Directive (PSD), it said.

However, whilst the EBA is consulting on draft guidelines that broadly reflect the ECB's endorsed guidelines, it has asked stakeholders whether stiffer guidelines should instead be adopted and brought into force next August. The purpose of this would be to reflect "stronger security standards" that could be brought in at a later date under reforms to the PSD (PSD2), it said.

"One of the more recent developments in the negotiations indicate that the final PSD2 text may potentially include provisions that require stronger security standards than the EBA guidelines, which would come into force with the transposition date of the PSD2 or later," the EBA said in its consultation paper.

"If this scenario were to materialise, the EBA would like to hear respondents’ views on … whether the final EBA guidelines … should: enter into force, as consulted, on 1 August 2015 … which would mean that they would apply during a transitional period until stronger requirements enter into force at a later date under PSD2 (i.e. a two-step approach); or should anticipate these stronger PSD2 requirements and, once the PSD2 negotiations have concluded, include them in the final guidelines … that enter into force on 1 August 2015, the substance of which would then continue to apply under PSD2 (i.e. a one-step approach)," it said.

The EBA's proposed new guidelines, which apply to payments in a mobile web browser but not via mobile apps, are technology-neutral and are based on four underlying principles.

The watchdog said payment service providers (PSPs) must "perform specific assessments of the risks associated with providing internet payment services", ensure payments cannot be initiated or sensitive payment data accessed without "strong customer authentication", use "effective processes for authorising transactions, as well as for monitoring transactions and systems in order to identify abnormal customer payment patterns and prevent fraud" and help raise customer awareness of payment security issues.

"The guidelines constitute minimum expectations. They are without prejudice to the responsibility of PSPs to monitor and assess the risks involved in their payment operations, develop their own detailed security policies and implement adequate security, contingency, incident management and business continuity measures that are commensurate with the risks inherent in the payment services provided.

Separately, the ECB has announced a new role for SecuRe Pay (3-page / 127KB PDF). The body will "facilitate a common knowledge and understanding with respect to the safety of electronic payment services and instruments provided within [the EU or European Economic Area (EEA)], or by payment systems, payment schemes or payment service providers located in an EU/EEA country", it said.