Our previous newsletter covered the EBA guidelines on Secure Internet Payment. With this one, let's get some insight into the bible of how you do business in Europe in the payment space, namely the Payment Services Directive 2 (PSD2), and more specifically its security requirements for payment institutions and payment service providers.
What are the objectives?
When is it applicable?
To whom is it applicable?
What are the penalties?
What are the security related requirements for payment institution and payment service providers?
Security framework: They should establish a framework with appropriate mitigation measures and control mechanisms to manage the operational and security risks relating to the payment services provided.
Security policy: They must establish and document a security policy.
Incident management: They must maintain effective incident management procedures including for the detection and classification of major operational and security incidents.
Breach/Incident notification: In the case of a "major" operational or security incident, payment service providers shall, without undue delay, notify the competent authority in the home Member State of the payment service provider.
Where the incident has or may have an impact on the financial interests of their payment service users, the payment service providers shall, without undue delay, inform their payment service users of the incident and of all measures that they can take to mitigate the adverse effects of the incident.
Note: There is no clarification of what a major incident could be...
Communication with competent authorities: They must provide the competent authorities of the home Member State with:
- A description of the procedure in place to monitor, handle and follow up a security incident and security related customer complaints, including an incidents reporting mechanism;
- Their security policy, detailed risk assessment and a description of their security control and mitigation measures. Those measures shall take into account the EBA's guidelines on secure Internet payment (see PCI #42);
- A regularly updated assessment (on an annual basis, or at shorter intervals as determined by the competent authority) of their security risks and the measures they have taken in response to those risks;
- A description of their audit arrangements;
- The secure procedure for notifying payment service users in the event of suspected or actual fraud or security threats;
- Report any major security incident.
Strong authentication: They must apply strong customer authentication where the payer (a) accesses its payment account online, (b) initiates an electronic payment transaction, or (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
Protection of user credentials: They shall ensure that the personalised security credentials of the payment service user are not accessible to any party other than the user and the issuer of those credentials, and that they are transmitted by the payment initiation service provider through safe and efficient channels.
Handling of personal data: Where personal data is processed, the precise purpose should be specified, the relevant legal basis referred to, the relevant security requirements laid down in Directive 95/46/EC complied with, and the principles of necessity, proportionality, purpose limitation and a proportionate data retention period respected.