Forewords
The next newsletters will address major European Guidelines and regulations in the field of data protection. This first issue covers the EBA Guidelines on Secure Internet Payment.
What is it?
Who is EBA?
Who is concerned by EBA?
Is it Mandatory?
What are the guidelines?
Data Security Guidelines
- Guideline 1: Have a proper, documented and regularly reviewed security policy.
- Guideline 2: Carry out and document a risk assessment at least once a year.
- Guideline 3: Have a consistent incident management procedure, including monitoring, reporting and notification to authorities.
- Guideline 4: Ensure segregation of duties, separation of environments (test, dev, prod), the principle of least privilege, identity and access management, network protection, hardening and certificate validation. This guideline also addresses restricting access to sensitive payment data and to logical and physical components, and keeping logging audit trails. Also addressed is data minimisation (data should be kept to the absolute minimum) and, finally, the periodic testing and auditing of the security measures.
- Guideline 9: Implement log-in attempt limits, lock-out and session time-out.
- Guideline 11: Protect (encrypt) sensitive payment data and the data used to identify and authenticate customers when stored, processed or transmitted.
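The controls named in Guideline 9 (a limit on failed log-in attempts, a lock-out once it is reached, and an idle time-out on sessions) are small enough to show in working code. The following is an added example, not code from the EBA or from any payment service provider; the thresholds (5 attempts, 15-minute lock-out, 10-minute idle session), the PBKDF2 parameters and the in-memory storage are assumptions chosen for the demonstration, and the injectable clock exists only so the behaviour can be exercised without waiting.

```python
"""Added example: a minimal authentication guard implementing Guideline 9
(log-in attempt limit, lock-out, session time-out). Illustrative code only;
thresholds and storage are assumptions, not figures from the guidelines."""
import hashlib
import hmac
import os
import secrets
import time

MAX_ATTEMPTS = 5                 # assumption: failed attempts before lock-out
LOCKOUT_SECONDS = 15 * 60        # assumption: lock-out duration
SESSION_IDLE_SECONDS = 10 * 60   # assumption: idle time before a session expires
PBKDF2_ROUNDS = 100_000          # assumption: work factor for the demo


class AuthGuard:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable for testing; defaults to wall clock
        self.users = {}           # username -> (salt, pbkdf2 digest)
        self.failures = {}        # username -> consecutive failed attempts
        self.locked_until = {}    # username -> epoch seconds when lock-out ends
        self.sessions = {}        # token -> (username, last activity timestamp)
        self.audit = []           # (event, username, timestamp) trail

    def register(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, digest)

    def _check_password(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal whether the username exists.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)   # constant-time comparison

    def login(self, username, password):
        """Return a session token on success, None on failure or while locked."""
        now = self.clock()
        if now < self.locked_until.get(username, 0):
            # Locked accounts are rejected before the password is even checked.
            self.audit.append(("login_rejected_locked", username, now))
            return None
        if self._check_password(username, password):
            self.failures.pop(username, None)          # reset the counter
            token = secrets.token_urlsafe(32)
            self.sessions[token] = (username, now)
            self.audit.append(("login_ok", username, now))
            return token
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        self.audit.append(("login_failed", username, now))
        if count >= MAX_ATTEMPTS:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)
            self.audit.append(("account_locked", username, now))
        return None

    def session_user(self, token):
        """Return the username for a live session, expiring it if idle too long."""
        now = self.clock()
        rec = self.sessions.get(token)
        if rec is None:
            return None
        username, last_seen = rec
        if now - last_seen > SESSION_IDLE_SECONDS:
            del self.sessions[token]
            self.audit.append(("session_expired", username, now))
            return None
        self.sessions[token] = (username, now)         # sliding idle window
        return username


if __name__ == "__main__":
    guard = AuthGuard()
    guard.register("alice", "correct horse battery")
    for _ in range(MAX_ATTEMPTS):
        guard.login("alice", "wrong")
    print("locked, correct password rejected:", guard.login("alice", "correct horse battery") is None)
    for event in guard.audit:
        print(event)
```

Every decision is appended to an audit trail, which is what lets the lock-outs and expiries be reported and monitored as Guideline 3 expects; a production deployment would persist the counters and sessions in shared storage rather than in process memory.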
What about PCI-DSS Compliant Organisations?
How is it affecting service providers?
How is it affecting e-merchants?
Fraud mitigation
- Guideline 5: Trace and log all payment transactions and have tools to analyse the log files.
- Guideline 6: Proper due diligence procedure for new customers before granting them access to the service.
- Guideline 7: Strong customer authentication for the customer's authorisation of internet payment transactions.
- Guideline 8: A process associated with the delivery of authentication tools and payment-related software.
- Guideline 10: Detect and block fraudulent payment transactions.
- Guideline 12: Customer education and communication for a secure use of the internet payment services.
- Guideline 13: Set limits for internet payment services.
- Guideline 14: Provide customers with access to information on the status of the payment initiation and execution.
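Guidelines 5, 10 and 13 fit together naturally: a limit check on each payment (13), a simple burst detector that blocks suspicious sequences (10), and a structured log line for every decision so the trail can be analysed later (5). The screener below is an added example, not code from the EBA or from any provider; the per-transaction, daily and velocity thresholds, the sample transactions and the JSON log format are all constructed for the demonstration. Amounts are in cents so that limit comparisons are exact.

```python
"""Added example: a per-customer payment screener covering Guideline 13
(limits), Guideline 10 (block suspicious bursts) and Guideline 5 (log every
transaction). Thresholds and sample data are constructed assumptions."""
import json
from collections import defaultdict
from dataclasses import dataclass

PER_TXN_LIMIT_CENTS = 50_000      # assumption: 500.00 per transaction
DAILY_LIMIT_CENTS = 150_000       # assumption: 1500.00 accepted per customer per day
VELOCITY_WINDOW_SECONDS = 600     # assumption: 10-minute window
VELOCITY_MAX_ATTEMPTS = 3         # assumption: more attempts than this in the window is blocked


@dataclass(frozen=True)
class Txn:
    id: str
    customer: str
    amount_cents: int
    ts: int          # epoch seconds


class PaymentScreener:
    def __init__(self):
        self.daily_total = defaultdict(int)    # customer -> accepted cents today
        self.attempts = defaultdict(list)      # customer -> timestamps of attempts
        self.log = []                          # one JSON line per decision

    def screen(self, t: Txn):
        """Return (decision, reasons); decision is 'accepted' or 'blocked'."""
        reasons = []
        if t.amount_cents > PER_TXN_LIMIT_CENTS:
            reasons.append("per_txn_limit")
        if self.daily_total[t.customer] + t.amount_cents > DAILY_LIMIT_CENTS:
            reasons.append("daily_limit")
        # Blocked attempts count towards velocity too: a burst of rejected
        # payments is itself a signal worth surfacing.
        recent = [ts for ts in self.attempts[t.customer]
                  if t.ts - ts <= VELOCITY_WINDOW_SECONDS]
        if len(recent) + 1 > VELOCITY_MAX_ATTEMPTS:
            reasons.append("velocity")
        self.attempts[t.customer] = recent + [t.ts]
        decision = "blocked" if reasons else "accepted"
        if decision == "accepted":
            self.daily_total[t.customer] += t.amount_cents
        # Structured line for later analysis (Guideline 5).
        self.log.append(json.dumps({
            "txn": t.id, "customer": t.customer, "amount_cents": t.amount_cents,
            "ts": t.ts, "decision": decision, "reasons": reasons,
        }, sort_keys=True))
        return decision, reasons


# Constructed sample: one customer probing limits, one ordinary customer.
SAMPLE_TXNS = [
    Txn("t1", "cust-A", 12_000, 1000),
    Txn("t2", "cust-A", 60_000, 1100),   # above the per-transaction limit
    Txn("t3", "cust-A", 45_000, 1200),
    Txn("t4", "cust-A", 45_000, 1300),   # 4th attempt within 10 minutes
    Txn("t5", "cust-A", 45_000, 2000),   # burst has aged out of the window
    Txn("t6", "cust-A", 50_000, 2100),   # would push the daily total past 1500.00
    Txn("t7", "cust-B", 30_000, 1000),
]


def run_sample():
    """Screen the constructed transactions; return {txn id: (decision, reasons)}."""
    screener = PaymentScreener()
    return {t.id: screener.screen(t) for t in SAMPLE_TXNS}, screener


if __name__ == "__main__":
    results, screener = run_sample()
    for line in screener.log:
        print(line)
```

The log lines are plain JSON, one per decision, so they can be loaded into whatever analysis tooling the provider already runs; the daily total only counts accepted payments, while the velocity counter counts every attempt, which is the distinction that separates the limit check of Guideline 13 from the detection logic of Guideline 10.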