Foreword
Why is it that the US gets so many breaches and Europe doesn’t? That’s not the right question. The right question is: why is the US reporting its breaches while Europe isn’t? Because Europe gets them too. When European organisations start to report their breaches we will probably see a spike in the number of reported breaches and ask ourselves where all these breaches are suddenly coming from. They have always been there, hidden under the carpet. Most European regulation imposes a duty to report “significant” breaches. But what is the definition of a “significant” breach? There isn’t one, so no significant breaches get reported.
The next newsletters will address major European guidelines and regulations in the field of data protection. This first issue covers the EBA Guidelines on the Security of Internet Payments.
What is it?
Effective since August 2015, the EBA Guidelines on the Security of Internet Payments set the minimum security requirements for internet payments, with the aim of protecting European consumers against payment fraud on the Internet.
Who is EBA?
The European Banking Authority (EBA) is an independent EU authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector. Its overall objectives are to maintain financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector. The Authority also plays an important role in promoting convergence of supervisory practices and is mandated to assess risks and vulnerabilities in the EU banking sector.
Who is concerned by EBA?
The guidelines apply to payment service providers operating within the EU and offering payment services through the internet, including the execution of card payments and electronic money transfers. Also concerned are the national authorities in each EU Member State that are competent for the protection of consumers' rights when dealing with credit or financial institutions.
Is it Mandatory?
The EBA expects all competent authorities and financial institutions to whom the guidelines are addressed to comply with them. Competent national authorities should comply by incorporating the guidelines into their supervisory practices as appropriate, and should ensure that the financial institutions under their supervision apply them. Furthermore, competent authorities must notify the EBA as to whether they comply or intend to comply with the guidelines.
What are the guidelines?
There are 14 guidelines addressing two major aspects of the protection of payment transactions, namely data security and fraud mitigation.
Data Security Guidelines
- Guideline 1: Have a properly documented and regularly reviewed security policy.
- Guideline 2: Carry out and document a risk assessment at least once a year.
- Guideline 3: Have a consistent incident management procedure, including monitoring, reporting and notification to the authorities.
- Guideline 4: Ensure segregation of duties, separation of environments (development, test, production), the principle of least privilege, identity and access management, network protection, hardening and certificate validation. This guideline also addresses restricting access to sensitive payment data, protecting logical and physical components, and keeping audit trails in logs. Also addressed are data minimisation (sensitive data should be kept to the absolute minimum needed) and, finally, the periodic testing and auditing of the security measures.
- Guideline 9: Implement a limit on log-in attempts, account lock-out and session time-out.
- Guideline 11: Protect (encrypt) sensitive payment data and the data used to identify and authenticate customers when stored, processed or transmitted.
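As an added illustration of Guideline 9 (and, for the stored credential, the part of Guideline 11 about protecting data used to authenticate customers), the following Python example is not part of the EBA text or of this newsletter. It implements a failed-attempt counter with a temporary lock-out and an idle session time-out. The thresholds (5 attempts, a 15-minute lock, a 5-minute idle window) and the PBKDF2 iteration count are assumed values chosen for the example; the guideline asks for limits and time-outs but does not prescribe the figures. Two details practitioners often get wrong are shown: a locked account refuses even the correct password until the lock expires, and an unknown user name still costs a hash computation so response time does not reveal which accounts exist.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Assumed policy values: the EBA text asks for limits and time-outs but does
# not prescribe the figures, so these are illustrative, not from the guideline.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
SESSION_IDLE_TIMEOUT = 5 * 60
PBKDF2_ITERATIONS = 100_000


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # unix time until which log-in is refused


@dataclass
class Session:
    user: str
    last_activity: float


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so stored authentication data is not usable if leaked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AuthService:
    """Log-in with attempt counting, temporary lock-out and idle session expiry.

    `clock` is injectable so the lock-out and time-out logic can be exercised
    without sleeping.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts: dict[str, Account] = {}
        self.sessions: dict[str, Session] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt=salt, pw_hash=hash_password(password, salt))

    def login(self, user: str, password: str):
        """Return (session_token, status); status is 'ok', 'invalid' or 'locked'."""
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            # Do the same work for unknown users so response time does not
            # reveal which account names exist.
            hash_password(password, os.urandom(16))
            return None, "invalid"
        if acct.locked_until > now:
            # Locked is locked: even the correct password is refused until
            # expiry, otherwise an attacker could keep guessing through the lock.
            return None, "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            token = os.urandom(32).hex()
            self.sessions[token] = Session(user=user, last_activity=now)
            return token, "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.failed_attempts = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return None, "locked"
        return None, "invalid"

    def check_session(self, token: str):
        """Return the user for a live session, or None if unknown or idle too long."""
        now = self.clock()
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_activity > SESSION_IDLE_TIMEOUT:
            del self.sessions[token]
            return None
        sess.last_activity = now   # sliding idle window
        return sess.user
```

The lock-out state lives with the account rather than with the session, so a fresh browser or a different IP address does not bypass it; a real deployment would persist it in the same store as the credentials and would also log each lock-out event for the monitoring required by Guidelines 3 and 5.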
What about PCI-DSS Compliant Organisations?
It is not a coincidence that the above aspects are covered in detail in PCI DSS, which was a main source of inspiration for the EBA. Financial institutions that already apply PCI DSS are therefore well placed to meet the EBA data security guidelines, bearing in mind that PCI DSS scope is limited to the cardholder data environment while the EBA guidelines also cover the data used to identify and authenticate customers.
How is it affecting service providers?
Whenever a financial institution outsources functions related to internet payments to service providers, the contract should include provisions requiring compliance with the principles set out in these guidelines.
How is it affecting e-merchants?
Acquirers should encourage their e-merchants NOT to store any sensitive payment data, or should contractually require the e-merchants to have the necessary measures in place to protect such data. In case of non-compliance, the acquirer should terminate the contract.
Fraud mitigation
The following guidelines aim to mitigate payment transaction fraud.
- Guideline 5: Trace and log all payment transactions and have tools to analyse the log files.
- Guideline 6: Proper due diligence on new customers before granting them access to the service.
- Guideline 7: Strong customer authentication for the customer’s authorisation of internet payment transactions.
- Guideline 8: A secure process for the delivery of authentication tools and payment-related software to customers.
- Guideline 10: Detect and block fraudulent payment transactions.
- Guideline 12: Customer education and communication for a secure use of internet payment services.
- Guideline 13: Set limits for internet payment services.
- Guideline 14: Provide customers with access to information on the status of payment initiation and execution.
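As an added illustration of Guidelines 10 and 13 (not part of the EBA text or of this newsletter), the following Python example screens a payment before execution against a per-transaction limit, a rolling 24-hour spend limit, a velocity rule and a new-payee check, and blocks it with every rule that fired. All limit values, the rule set and the customer names are assumptions made for the example; the guideline asks institutions to set limits but leaves the figures to them. Amounts are kept in integer cents to avoid floating-point rounding in the running totals.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed limits in cents; the guideline asks institutions to set limits but
# leaves the figures to them, so these are illustrative only.
PER_TRANSACTION_LIMIT = 100_000      # 1,000.00
DAILY_LIMIT = 250_000                # 2,500.00 per rolling 24 h
MAX_ACCEPTED_PER_HOUR = 5
NEW_PAYEE_REVIEW_THRESHOLD = 50_000  # 500.00


@dataclass(frozen=True)
class Payment:
    customer: str
    payee: str
    amount_cents: int
    ts: int   # unix seconds


class FraudScreen:
    """Rule-based pre-execution screening: every rule that fires is reported."""

    def __init__(self):
        self.accepted = defaultdict(list)     # customer -> accepted Payments
        self.known_payees = defaultdict(set)  # customer -> payees paid before

    def screen(self, p: Payment):
        """Return ('accepted', []) or ('blocked', [reason, ...])."""
        reasons = []
        if p.amount_cents > PER_TRANSACTION_LIMIT:
            reasons.append("over_per_tx_limit")
        hist = self.accepted[p.customer]
        spent_24h = sum(h.amount_cents for h in hist if p.ts - h.ts < 86_400)
        if spent_24h + p.amount_cents > DAILY_LIMIT:
            reasons.append("over_daily_limit")
        # Velocity: only accepted payments are counted here; a production
        # system would normally count declined attempts as well.
        if sum(1 for h in hist if p.ts - h.ts < 3_600) >= MAX_ACCEPTED_PER_HOUR:
            reasons.append("velocity")
        # A first payment to an unknown payee is only let through below a
        # review threshold; above it the transaction is held for a second look.
        if (p.payee not in self.known_payees[p.customer]
                and p.amount_cents > NEW_PAYEE_REVIEW_THRESHOLD):
            reasons.append("new_payee_high_value")
        if reasons:
            return "blocked", reasons
        hist.append(p)
        self.known_payees[p.customer].add(p.payee)
        return "accepted", []
```

Reporting every rule that fired, rather than stopping at the first, gives the fraud team the full picture when they review a block and also produces the transaction-level evidence that Guideline 5 expects to be logged.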
Resources
