CSSF publishes 15/603 to enforce EBA guidelines on the security of Internet payments

Regulatory news alert

Enforcement of new requirements on the security of internet payments as from August 1st, 2015

On 9 February 2015, the CSSF issued Circular 15/603 titled “Security of internet payments”, which seeks to implement the EBA Guidelines EBA/GL/2014/12 into the Luxembourg regulatory framework.

The guidelines apply to the provision of payment services offered through the internet by Payment Service Providers (PSPs as defined in the Payment Services Directive), in particular banks, payment institutions, electronic money institutions, and post office institutions. In-scope internet payment services include the execution of card payments on the Internet, the execution of credit transfers on the Internet, the issuance and amendment of direct debit electronic mandates, and transfers of e-money between two e-money accounts.

As from August 1st, 2015, PSPs shall meet 53 requirements, which constitute harmonised minimum security requirements in the fight against payment fraud and aim to increase consumer trust in Internet payment services. The core requirement is that the initiation of internet payments, as well as access to sensitive payment data, should be protected by strong customer authentication (i.e. authentication based on two or more mutually independent elements categorised as knowledge, ownership and inherence), to ensure that it is the rightful user, and not a fraudster, who initiates a payment. In addition to these requirements, the guidelines also encourage PSPs to adopt 13 best practices.

Circular 15/603 describes 53 requirements and 13 best practices covering the following topics:

  • Governance
  • Risk assessment
  • Incident monitoring and reporting
  • Risk control and risk mitigation
  • Traceability
  • Initial customer identification, information
  • Strong customer authentication
  • Enrolment for, and provision of, authentication tools and/or software delivered to the customer
  • Log-in attempts, session time out, validity of authentication
  • Transaction monitoring
  • Protection of sensitive payment data
  • Customer education and communication
  • Notifications, setting of limits
  • Customer access to information on the status of payment initiation and execution


How can Deloitte help?

Deloitte assists organisations in achieving compliance of their Internet payments implementations through in-depth analysis of IT regulatory issues and by proposing pragmatic technical and organisational solutions:

  • Compliance analysis: gap analysis of Internet payments implementations against regulatory requirements
  • Practical recommendations to achieve and sustain IT compliance
  • Assistance in communications with the Regulator: preparation or quality review of CSSF application files and participation in meetings with the Regulator