ECB aims to upgrade internet payments security via new recommendations

The final recommendations, considerations and practices are aimed at governance authorities of payment schemes and all payment service providers (PSPs) such as internet card payments, including virtual card payments, as well as the registration of card payment data for use in wallet solutions, the execution of credit transfers on the internet, the issuance and amendment of direct debit electronic mandates and transfers of electronic money between two e-money accounts via the internet.

The main recommendations include:
• protect the initiation of internet payments, as well as access to sensitive payment data, by strong customer authentication;
• limit the number of log-in or authentication attempts, define rules for internet payment services session “time out” and set time limits for the validity of authentication;
• establish transaction monitoring mechanisms to prevent, detect and block fraudulent payment transactions;
• implement multiple layers of security defenses in order to mitigate identified risks;
• provide assistance and guidance to customers about best online security practices, set up alerts and provide tools to help customers monitor transactions.

The detailed recommendations will be integrated into existing oversight frameworks for payment schemes and supervisory frameworks for PSPs and are to be considered as common minimum requirements for internet payment services. The members of the Forum are committed to support the implementation of the recommendations in their respective jurisdictions. They are expected be implemented by PSPs and governance authorities of payment schemes by 1st of February 2015.

The recommendations follow a two-month public consultation carried out in 2012 and the first achievement of the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary cooperative initiative between authorities from the European Economic Area (EEA), supervisors of payment service providers and overseers in particular, aimed at facilitating common knowledge and understanding of issues related to the security of electronic retail payment services and instruments and, where necessary, issuing recommendations.