European Central Bank issues draft recommendations to increase internet payment security

Tuesday 24 April 2012 14:58 CET | News

The European Central Bank (ECB) has issued for public consultation new standards to increase the security of internet payments in the European Union.

The guidelines, called “Recommendations for the security of internet payments”, include 14 key recommendations that are designed to act as a set of minimum expectations.

The recommendations include key considerations and best practices applicable to all payment service providers (PSPs), as defined in the Payment Services Directive, that provide internet payment services, such as:

  • the execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in wallet solutions;
  • the execution of credit transfers on the internet, or direct debit electronic mandates initiated in relation to the payer’s account, where the payer authorises its PSP over the internet using web-based technology.

Owing to the specific nature of card payments, a number of the recommendations are addressed to PSPs offering acquiring and/or issuing services, as well as to governance authorities of card payment schemes. Moreover, other market participants, such as e-merchants, are encouraged to adopt some of the best practices.

The recommendations are based on four guiding principles.

  • First, PSPs should perform specific assessments of the risks associated with providing internet payment services, which should be regularly updated in line with the evolution of internet security threats and fraud.
  • Second, as a general principle, the internet payment services provided by PSPs should be initiated by means of strong customer authentication. Strong customer authentication is a procedure that enables the PSP to verify the identity of a customer. The use of two or more of the following elements – categorised as knowledge, ownership and inherence – is required: something only the user knows, e.g. password, personal identification number; something only the user possesses, e.g. token, smart card, mobile phone.
  • Third, PSPs should implement effective processes for authorising transactions, as well as for monitoring transactions and systems in order to identify abnormal customer payment patterns and prevent fraud.
  • Finally, PSPs should engage in customer awareness and education programmes on security issues related to the use of internet payment services with a view to enabling customers to use such services safely and efficiently.

One of the proposals included in the ECB's recommendations is the introduction of a liability shift under the Payment Services Directive, under which retailers would accept liability for a fraudulent transaction if the payment provider can show that a payment was properly authorised.

According to the ECB, the harmonised minimum security recommendations are expected to contribute to fighting payment fraud and enhancing consumer trust in such services.

All interested parties are invited to comment on the draft “Recommendations for the security of internet payments” by 20 June 2012.

