The European Central Bank (ECB) has released a comprehensive set of “Recommendations for the security of internet payments”, following a two-month public consultation carried out in 2012. The core recommendation is that the initiation of Internet payments as well as access to sensitive payment data should be protected by strong customer authentication to ensure that it is a rightful user, and not a fraudster, initiating a payment.
The Recommendations represent the first achievement of the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary cooperative initiative between relevant authorities from the European Economic Area (EEA) – supervisors of payment service providers and overseers in particular – formed with the objective of facilitating common knowledge and understanding of issues related to the security of electronic retail payment services and instruments and, where necessary, issuing recommendations.
During the consultation, 17 EU countries made comments, which resulted in harmonized minimum security recommendations. The final recommendations, key considerations and best practices specified in the report for the security of internet payments are applicable to governance authorities of payment schemes and all payment service providers (PSPs) that provide internet payment services, such as internet card payments. Other market participants, such as e-merchants, are encouraged to adopt some of the best practices.
In addition to stronger customer authentication measures, the ECB recommended that the number of log-in or authentication attempts be limited and asked that rules for the “time out” of Internet payment service sessions be defined. It also called for transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions to be established, and for multiple layers of security defences to be implemented in order to mitigate identified risks.
The detailed recommendations will be integrated into existing oversight frameworks for payment schemes and supervisory frameworks for PSPs and are to be considered as common minimum requirements for internet payment services. The members of the Forum are committed to supporting the implementation of the recommendations in their respective jurisdictions and will strive to ensure effective and consistent implementation within the EEA.
The recommendations should be implemented by PSPs and governance authorities of payment schemes by 1 February 2015.