The European Banking Authority (EBA) released ‘Final guidelines on the security of internet payments’ (Guidelines). These Guidelines are based on the work published by the European Forum on the Security of Retail Payments (SecuRe Pay) and set the minimum security requirements that Payment Services Providers (PSPs) in the EU will be expected to implement by 1 August 2015.
Internet payment services covered in the scope of the Guidelines include the execution of card payments; the execution of credit transfers; the issuance and amendment of electronic direct debit mandates; and transfers of electronic money between two e-money accounts.
In particular, the Guidelines emphasise the importance of PSPs' role in providing assistance and guidance to their customers on the secure use of Internet payment services. Among other things, the EBA requests that PSPs adopt formal security policies; conduct and regularly update security risk assessments; and strengthen their customer identification, authentication and enrolment processes.
Included within the Guidelines is a list of best-practice examples which PSPs are encouraged, but not required, to adopt. One best-practice example for strong customer authentication is to ensure that elements link the customer's authentication to a specific amount and payee. The technology used to link the two sets of data should be tamper-resistant, so that a code generated for one transaction cannot be reused to authorise a different amount or payee; this gives customers greater certainty about what they are actually authorising.
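The Guidelines describe the goal (an authentication bound to a specific amount and payee) without prescribing an algorithm. The following is an added illustration, not code from the EBA or from any PSP, of one way that linking can be built: the customer's authenticator computes a short numeric code with HMAC-SHA256 over the amount, currency, payee and a PSP-issued challenge, and the PSP recomputes the code over the transaction it actually received. If a man-in-the-browser changes the payee or amount after the customer approved it on the device, verification fails. The per-device key, the `DYNLINK-v1` label, the HOTP-style truncation and the challenge nonce are all assumptions made for this example.

```python
import hmac
import hashlib
import struct

# Constructed example key: stands in for a per-device secret provisioned to the
# customer's authenticator at enrolment. Not a real key; hypothetical value.
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def canonical_transaction(amount_cents: int, currency: str, payee: str,
                          challenge: bytes) -> bytes:
    """Unambiguous encoding of the fields the authentication is bound to.

    Every field is length-prefixed so that two different
    (amount, currency, payee, challenge) tuples can never serialise to the
    same byte string (plain concatenation would allow that).
    """
    if amount_cents < 0:
        raise ValueError("amount must be non-negative")
    fields = [
        struct.pack(">Q", amount_cents),   # minor units, fixed 8 bytes
        currency.encode("ascii"),
        payee.encode("utf-8"),             # e.g. the beneficiary IBAN
        challenge,                         # PSP-issued, single use (assumed)
    ]
    out = b"DYNLINK-v1"                    # hypothetical domain-separation label
    for f in fields:
        out += struct.pack(">I", len(f)) + f
    return out


def generate_auth_code(key: bytes, amount_cents: int, currency: str, payee: str,
                       challenge: bytes, digits: int = 8) -> str:
    """Authenticator side: a short numeric code over the displayed transaction.

    HMAC-SHA256 over the canonical encoding, truncated HOTP-style to `digits`
    decimal digits so the customer can type it. Changing any bound field
    changes the code.
    """
    data = canonical_transaction(amount_cents, currency, payee, challenge)
    mac = hmac.new(key, data, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                # dynamic truncation as in RFC 4226
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_auth_code(key: bytes, amount_cents: int, currency: str, payee: str,
                     challenge: bytes, code: str, digits: int = 8) -> bool:
    """PSP side: recompute the code over the transaction as actually submitted.

    The comparison is constant-time. A code approved for one (amount, payee)
    does not verify for any other, so a tampered submission is rejected.
    """
    if len(code) != digits or not code.isdigit():
        return False
    expected = generate_auth_code(key, amount_cents, currency, payee, challenge, digits)
    return hmac.compare_digest(expected, code)


def attempt_payment(key: bytes, approved: tuple, submitted: tuple,
                    challenge: bytes) -> bool:
    """Simulate one payment: the customer approves `approved` on the device,
    the browser submits `submitted` (possibly altered by malware) with the code.
    Both tuples are (amount_cents, currency, payee)."""
    code = generate_auth_code(key, *approved, challenge)
    return verify_auth_code(key, *submitted, challenge, code)


if __name__ == "__main__":
    chal = b"\x01" * 16                    # constructed challenge for the demo
    approved = (12500, "EUR", "DE89370400440532013000")   # constructed IBAN
    print("honest submission :", attempt_payment(DEVICE_KEY, approved, approved, chal))
    tampered = (12500, "EUR", "GB29NWBK60161331926819")   # payee swapped
    print("payee swapped     :", attempt_payment(DEVICE_KEY, approved, tampered, chal))
```

What makes this "tamper-resistant" in the sense the Guidelines intend is not the arithmetic but where it runs: the key never leaves the authenticator, and the amount and payee the customer confirms are shown on the authenticator's own display, so malware in the browser cannot obtain a valid code for a different transaction. The challenge ties the code to a single session so that an intercepted code cannot be replayed later, even for the identical amount and payee.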
These Guidelines are particularly welcome in light of the high levels of fraud on Internet payments. Latest reports from the ECB suggest that card fraud on Internet payments alone caused €794 million of losses in 2012 (a growth of 21.2% from 2011).