Payment Services Directive - EBA issues guidelines to strengthen requirements for the security of internet payments across the EU
On 19 December 2014, the EBA published its final Guidelines on the security of internet payments, which set the minimum security requirements that Payment Services Providers (PSPs) in the EU will be expected to implement by 1 August 2015.
The revision of the Payment Services Directive aims at creating more secure, competitive and consumer-friendly rules for payments in the EU.
Due to the continually high levels of fraud observed in internet payments, delaying the implementation of the guidelines until the transposition of PSD 2 in 2017/18 is not a plausible option. Therefore, the EBA decided to issue these guidelines, which set the minimum security requirements that Payment Services Providers (PSPs) in the EU will be expected to implement by 1 August 2015.
The EBA guidelines on internet payments cover the following fields:
General control and security environment
- Risk assessment
- Incident monitoring and reporting
- Risk control and mitigation
Specific control and security measures for internet payments
- Initial customer identification, information
- Strong customer authentication
- Enrolment for, and provision of, authentication tools and/or software delivered to the customer
- Log-in attempts, session time out, validity of authentication
- Transaction monitoring
- Protection of sensitive payment data
Customer awareness, education, and communication
- Customer education and communication
- Notifications, setting of limits
- Customer access to information on the status of payment initiation and execution
These guidelines should be implemented shortly in the Luxembourg regulatory framework.