ECB releases final Recommendations for the security of internet payments and starts public consultation on payment account access services
The European Central Bank (ECB) today released a comprehensive set of “Recommendations for the security of internet payments”, following a two-month public consultation carried out in 2012. The Recommendations represent the first achievement of the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary cooperative initiative between relevant authorities from the European Economic Area (EEA) – supervisors of payment service providers and overseers in particular – formed with the objective of facilitating common knowledge and understanding of issues related to the security of electronic retail payment services and instruments and, where necessary, issuing recommendations.
Comments from 17 European Union countries were received during the public consultation. The resulting harmonised, minimum security recommendations constitute an important set of guidelines in the fight against payment fraud and aim to increase consumer trust in internet payment services. The core recommendation is that the initiation of internet payments as well as access to sensitive payment data should be protected by strong customer authentication to ensure that it is a rightful user, and not a fraudster, initiating a payment.
The final recommendations, key considerations and best practices specified in the report for the security of internet payments are applicable to governance authorities  of payment schemes and all payment service providers (PSPs)  that provide internet payment services, such as: i) internet card payments, including virtual card payments, as well as the registration of card payment data for use in wallet solutions; ii) the execution of credit transfers on the internet; iii) the issuance and amendment of direct debit electronic mandates; and iv) transfers of electronic money between two e-money accounts via the internet. Other market participants, such as e-merchants, are encouraged to adopt some of the best practices.
The main recommendations include:
- to protect the initiation of internet payments, as well as access to sensitive payment data, by strong customer authentication;
- limit the number of log-in or authentication attempts, define rules for internet payment services session “time out” and set time limits for the validity of authentication;
- establish transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions;
- implement multiple layers of security defences in order to mitigate identified risks;
- provide assistance and guidance to customers about best online security practices, set up alerts and provide tools to help customers monitor transactions.
The detailed recommendations will be integrated into existing oversight frameworks for payment schemes and supervisory frameworks for PSPs and are to be considered as common minimum requirements for internet payment services. The members of the Forum are committed to supporting the implementation of the recommendations in their respective jurisdictions and will strive to ensure effective and consistent implementation within the EEA.
The recommendations should be implemented by PSPs and governance authorities of payment schemes by 1 February 2015. National authorities may wish to define a shorter transition period where appropriate.
Public consultation on recommendations for payment account access services
Now that the internet payments recommendations have been finalised, the Forum will look in detail at the topical issue of access to payment accounts. To support this work, the ECB’s Governing Council has decided to launch a public consultation on draft recommendations for payment account access services, as developed by the Forum. Payment account access services are: i) account information services providing information on several accounts in a consolidated and user-friendly way, and/or ii) payment initiation services initiating payment transactions via a person’s internet-enabled payment account. Since these services are gaining increasing market traction, it is important to establish European-wide minimum security requirements with the objective of contributing to the security of customers making use of these services. All interested parties are invited to comment on the draft “Recommendations for payment account access services” by 12 April 2013.
Both reports, as well as detailed information on how to participate in the new consultation, are available on the ECB’s website.
The governance authority is accountable for the overall functioning of the scheme that promotes the payment instrument in question (cards, credit transfers, direct debits, etc.) and ensuring that all the actors involved comply with the scheme’s rules. Moreover, it is responsible for ensuring the scheme’s compliance with oversight standards. See also European Central Bank (2009), Harmonised oversight approach and oversight standards for payment instruments, February.
As defined in Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC, OJ L 319, 5.12.2007, p. 1.