New Security Guidelines For Online Payments in the EU

In response to the increase in online payment fraud, the European Banking Authority (EBA) published last week a set of minimum security requirements that payment services providers in the European Union are expected to implement by August 1, 2015.

Studies show that in 2012 Internet payment fraud caused losses of €794 million in the EU. In an effort to address the issue, EBA has decided to develop a more secure framework for online payments.

The final version of the guidelines is based on technical input from the European Forum on the Security of Retail Payments (SecuRe Pay), an organization established in 2011 by supervisors of payment service providers and central banks.

The guidelines apply to card payments made on the Internet (including registration of data for virtual wallets), credit transfers, e-mandates, and electronic money transfers. The requirements include general control and security environment recommendations for governance, risk assessment, incident monitoring and reporting, risk control and mitigation, and traceability.

As for specific control and security measures, the guidelines focus on initial customer identification, strong customer authentication, transaction monitoring, delivery of authentication tools, account log-in, and payment card data protection.

Service providers are also instructed to conduct awareness programs to ensure that customers understand both the risks and best practices of online payments.

Payment service providers might be required to report to competent authorities that they are complying with the new guidelines.

“The EBA guidelines on internet payments provide the legal basis for achieving a level playing field for all PSPs across the EU. Through this piece of work, the EBA looked into supporting the development of e-commerce across the EU, while ensuring proper protection of consumers,” commented Geoffroy Goffinet, of the EBA Consumer Protection Unit.

In July 2013, the European Commission adopted a legislative package proposing a revised Payments Services Directive, also known as PSD2. According to the EBA, the new guidelines will provide a legal basis for online payments in the EU until the PSD2 is finalized.

The European Union has put a lot of effort into ensuring the safety of personal data. The Commission is preparing tougher data protection laws for Internet companies operating in the EU.

The European Union Agency for Network and Information Security (ENISA) is also focusing on personal data security. In November, the agency released two reports on the use and implementation of cryptographic protocols for securing personal data.

The final guidelines on the security of Internet payments (PDF) are available online.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
