Voice of the Industry

Why merchants and PSPs should prepare for the new payment security Guidelines

Friday 17 April 2015 08:10 CET | Editor: Melisande Mual | Voice of the industry

Edwin Jacobs, Time.lex: The Guidelines also apply to PSPs, enforced via the national financial regulators

Mid-December 2014, the European Banking Authority (EBA) published its final Guidelines on the security of internet payments. These Guidelines are based on the work published by the European Forum on the Security of Retail Payments (SecuRe Pay) and set the minimum security requirements that Payment Services Providers (PSPs) in the EU will be expected to implement by 1 August 2015.

Legally binding?
More stringent requirements may follow later under the new Payment Services Directive (PSD2); the Guidelines are meant to bridge the gap until PSD2 enters into force. They are formally addressed to financial institutions and national competent authorities, but they also apply to PSPs: the national financial supervisory authorities will have to ensure that PSPs handling online payments for e-commerce merchants and others respect them.

Increasing fraud risk
According to the EBA, fraud on internet card payments alone is high and growing, and a lack of security continues to undermine consumer and merchant confidence in payment systems.

The Guidelines’ requirements
The Guidelines set minimum expectations and include the following:
- procedures for risk assessment, incident reporting and traceability of all transactions;
- multiple layers of security defences;
- monitoring, handling and reporting of any security incidents the PSP experiences;
- assistance and guidance for customers on the secure use of the payment service, including awareness programmes;
- increased efforts to protect sensitive customer data, for example by not storing payment information.

Strong customer authentication
The core recommendation is that the initiation of internet payments, as well as access to sensitive payment data, should be protected by strong customer authentication, so that it is the rightful user and not a fraudster who initiates a payment. Customers need to be positively identified, comparable to AML requirements. Risk-based approaches are not allowed. Authentication means a procedure that allows the PSP to verify a customer's identity. Strong customer authentication is a procedure based on the use of two or more of the following elements, categorised as knowledge, possession and inherence: i) something only the user knows, e.g. a static password, code or personal identification number; ii) something only the user possesses, e.g. a token, smart card or mobile phone; iii) something the user is, e.g. a biometric characteristic such as a fingerprint. In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.
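To make the properties above concrete, here is an added example (not code from the article, the EBA or Time.lex) of a two-element check: a knowledge element (a salted password hash) combined with a possession element, an HOTP code per RFC 4226 as generated by a hardware or phone token. The counter-based code is what makes one element "non-reusable": the verifier burns every accepted counter, so a replayed code is rejected. The customer record, seed, salt and user names are constructed for the demonstration; mutual independence of the two elements is a deployment property (the seed must not live beside the password) that code alone cannot guarantee.

```python
"""Two-element customer authentication: password (knowledge) + HOTP (possession).
Example added to this article; not the EBA's or Time.lex's code.
All user data below is constructed for the demonstration."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the last `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so a stolen record does not directly yield the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class StrongAuthenticator:
    """Per-customer records: password hash (knowledge) and HOTP seed plus the
    last accepted counter (possession). Hypothetical class for this example."""

    LOOK_AHEAD = 5  # tolerate a few token presses that never reached the server

    def __init__(self):
        self.users = {}

    def enrol(self, user: str, password: str, otp_seed: bytes, salt: bytes) -> None:
        self.users[user] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "seed": otp_seed,
            "last_counter": -1,  # no code accepted yet; next expected counter is 0
        }

    def verify(self, user: str, password: str, otp: str):
        rec = self.users.get(user)
        if rec is None:
            return False, "authentication failed"
        pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
        # Only counters strictly after the last accepted one are candidates,
        # so a code that was already used (or an older one) can never match.
        matched = None
        start = rec["last_counter"] + 1
        for c in range(start, start + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(rec["seed"], c), otp):
                matched = c
                break
        # Evaluate both elements before deciding and give one generic reason,
        # so a caller cannot learn which element was wrong.
        if not pw_ok or matched is None:
            return False, "authentication failed"
        rec["last_counter"] = matched  # burn this and all earlier codes
        return True, "ok"


def demo():
    """Walk through replay, single-element and look-ahead cases; returns the
    list of accept/reject outcomes."""
    auth = StrongAuthenticator()
    seed = b"12345678901234567890"  # RFC 4226 test-vector secret, demo data only
    pw = "correct horse battery"
    auth.enrol("alice", pw, seed, salt=b"constructed-salt")
    outcomes = [
        auth.verify("alice", pw, hotp(seed, 0))[0],        # both elements valid
        auth.verify("alice", pw, hotp(seed, 0))[0],        # same code replayed
        auth.verify("alice", "wrong", hotp(seed, 1))[0],   # possession only
        auth.verify("alice", pw, hotp(seed, 1))[0],        # counter 1 still fresh
        auth.verify("alice", pw, hotp(seed, 4))[0],        # skipped presses, in window
        auth.verify("alice", pw, hotp(seed, 3))[0],        # older than last accepted
        auth.verify("alice", pw, hotp(seed, 20))[0],       # beyond look-ahead window
    ]
    return outcomes


if __name__ == "__main__":
    print(demo())
```

A failed password attempt does not advance the counter, so the genuine customer can still use the code the token showed; a successful one burns that counter and everything before it, which is the non-reusability the Guidelines ask for.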

Why should you prepare? Liability + regulatory sanctions
The Guidelines do not comment on possible sanctions. But consent to a payment transaction remains a matter governed by the general principles of civil law. This implies that PSPs, acquirers, issuers and merchants who do not apply strong authentication may be liable for damages caused by fraud. Liability does not automatically shift to the merchant when it chooses not to authenticate while the PSP offers it. So PSPs and acquirers will have to require merchants to implement authentication and update their contracts accordingly (liability consequences, warranties, etc.). On top of that, the national financial regulator may impose sanctions, e.g. fines, in certain cases of non-compliance.

How should you prepare?
- Implement the measures the Guidelines require (listed above)
- Update your insurance policies
- Update your existing contracts with PSPs, merchants and customers
- Document this towards the regulatory authorities as part of your ongoing compliance obligations

Future developments
Market players are confronted with many laws and regulations that should be read together: the new PSD2 proposal, but also eIDAS, the new 4th AML Directive and the future General Data Protection Regulation. One can expect more technical standardisation and interoperability, to spare the consumer too many different digital identity systems and passwords.

About Edwin Jacobs

Edwin Jacobs is a FinTech lawyer at Time.lex and a lecturer at the universities of Leuven and Antwerp. Specialties: business law in the information society, negotiation and legal management of ICT projects, outsourcing, intellectual property rights, electronic invoicing and archiving, copyright, trademarks, privacy/data protection, e-business, electronic contracting.

About Time.lex

Time.lex is a law firm specialised in FinTech, Information and Technology law in the broadest sense, including privacy protection, data and information management, e-business, intellectual property, online media and telecommunications.


Keywords: merchants, payment service providers, payment security, guidelines, online fraud, financial regulators, PSPs, internet payments, Time.lex
Countries: World