In response to the increase in online payment fraud, the European Banking Authority (EBA) published last week a set of minimum security requirements that payment services providers in the European Union are expected to implement by August 1, 2015.
Studies show that in 2012 Internet payment fraud caused losses of €794 million in the EU. In an effort to address the issue, EBA has decided to develop a more secure framework for online payments.
The final version of the guidelines is based on technical input from the European Forum on the Security of Retail Payments (SecuRe Pay), an organization established in 2011 by supervisors of payment service providers and central banks.
The guidelines apply to card payments made on the Internet (including registration of data for virtual wallets), credit transfers, e-mandates, and electronic money transfers. The requirements include general control and security environment recommendations covering governance, risk assessment, incident monitoring and reporting, risk control and mitigation, and traceability.
As for specific control and security measures, the guidelines focus on initial customer identification, strong customer authentication, transaction monitoring, delivery of authentication tools, account log-in, and payment card data protection.
Service providers are also instructed to conduct awareness programs to ensure that customers understand both the risks and the best practices of online payments.
Payment service providers might be required to report to competent authorities that they are complying with the new guidelines.
“The EBA guidelines on internet payments provide the legal basis for achieving a level playing field for all PSPs across the EU. Through this piece of work, the EBA looked into supporting the development of e-commerce across the EU, while ensuring proper protection of consumers,” commented Geoffroy Goffinet, of the EBA Consumer Protection Unit.
In July 2013, the European Commission adopted a legislative package proposing a revised Payment Services Directive, also known as PSD2. According to the EBA, the new guidelines will provide a legal basis for online payments in the EU until the PSD2 is finalized.
The European Union has put a lot of effort into ensuring the safety of personal data. The Commission is preparing tougher data protection laws for Internet companies operating in the EU.
The European Union Agency for Network and Information Security (ENISA) is also focusing on personal data security. In November, the agency released two reports on the use and implementation of cryptographic protocols for securing personal data.
The final guidelines on the security of Internet payments (PDF) are available online.