Circular CSSF 15/603 On Security of Internet Payment

Concerned about the increase in fraud related to internet payments, the European Banking Authority (“EBA”) published guidelines on 19 December 2014 on the security of internet payments (the “EBA Guidelines”), based on the recommendations developed by the European Forum on the Security of Retail Payments (SecuRe Pay) and published in January 2013. In order to give effect to the EBA Guidelines within the Luxembourg regulatory framework, the CSSF issued on 9 February 2015 Circular 15/603 on the security of internet payments.

All Payment Services Providers as defined in Article 1 (37) of the Law of 10 November 2009 on payment services (“PSPs”) (the “PSPs Law”) have to apply the EBA Guidelines as from 1 August 2015, until the implementation of any potentially more stringent requirements set in the forthcoming Payment Services Directive 2, expected in 2017/2018.

Scope of the EBA Guidelines:

Who is concerned?

The EBA Guidelines are applicable to all PSPs as defined in Article 1(37) of the PSPs Law namely:

  • credit institutions;
  • electronic money institutions;
  • payment institutions;
  • European and national central banks;
  • Member States or their regional or local public authorities; and
  • post office giro institutions (the Entreprise des Postes et Télécommunications).

Payment integrators offering payment initiation services may also be considered as PSPs.

For which services?

The EBA Guidelines aim at defining common minimum requirements for the following internet payment services:

  • card payments (including virtual card payments and the registration of card payment data for use in wallet solutions);
  • credit transfers;
  • direct debit electronic mandates (e-mandates); and
  • transfer of electronic money (e-money).

Conversely, the EBA Guidelines are not applicable to:

  • other internet services provided by a PSP via its payment website;
  • payments where the instruction is given by post, telephone order, voice mail or using SMS-based technology;
  • mobile payments other than Internet browser-based payments;
  • credit transfers where a third party accesses the customer’s payment account;
  • payment transactions made by an enterprise via dedicated networks;
  • card payments using anonymous and non-rechargeable physical or virtual pre-paid cards where there is no ongoing relationship between the issuer and the cardholder; and
  • clearing and settlement of payment transactions.

Main requirements of the EBA Guidelines:

The EBA Guidelines aim at boosting e-commerce across the European Union and at strengthening consumers’ confidence in internet payments. The EBA Guidelines are part of the European framework for the effective implementation of a Digital Single Market. In that respect, Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market was adopted on 23 July 2014. Most of the provisions of this Regulation will be applicable as of 1 July 2016. However, some others will only be applicable after the adoption of implementing acts by the European Commission.

The EBA Guidelines first provide definitions in addition to those of the Payment Services Directive (such as Authentication, Strong Customer Authentication or Credentials). The EBA Guidelines then list the set of minimum requirements with which PSPs should comply as from 1 August 2015. The EBA Guidelines establish measures falling within three main categories: General control and security environment; Specific control and security measures for internet payments; and Customer awareness, education and communication. Each category deals with several sub-topics, as detailed below:

  • General control and security environment:

- Governance: a formal security policy for internet payment services should be implemented by PSPs and regularly reviewed. The security policy shall define security objectives, the risk appetite and roles and responsibilities. It should also provide for reporting measures.

- Risk Assessment: PSPs should carry out and document detailed risk assessments for internet payment and related services, notably with respect to access to, use and storage of sensitive payment data.

- Incident monitoring and reporting: PSPs should establish a consistent and integrated monitoring of security incidents, and have in place a procedure for reporting incidents to management and/or to the competent authorities.

- Risk control and mitigation: PSPs should implement security measures in order to mitigate identified risks, incorporating multiple layers of security defence (“defence in depth”). Attention shall be paid to the adequate segregation of duties in information technology environments. Appropriate security solutions to protect networks, websites, servers and communication links against abuse or attacks are required. The security measures shall be tested and periodically audited to ensure their robustness and effectiveness. PSPs must ensure that e-merchants comply with the required security measures; failure by an e-merchant to do so may affect its contractual relationship with the PSP.

- Traceability: PSPs shall be equipped with processes in order to appropriately trace all transactions.

  • Specific control and security measures for internet payments:

- Initial customer identification, information: customers should be properly identified in line with the European anti-money laundering legislation and confirm their willingness to make internet payments before being granted access to such services. PSPs should give prior information to customers about the requirements for performing secured internet payment transactions and the inherent risks. Customers should also be contractually informed that the PSP may block a specific transaction or the payment instrument on the basis of security concerns.

- Strong customer authentication: authentication is key to the prevention of internet fraud. PSPs are required to implement a strong customer authentication procedure in order to verify the user’s identity prior to the initiation of a payment order. This procedure is defined by the EBA Guidelines as a procedure based on the use of two or more of the following elements: (a) something only the user knows (such as a password), (b) something only the user possesses (such as a token or a mobile phone) and (c) something that defines the user (such as fingerprints). At least one element should be non-reusable, non-replicable (except for (c)) and not capable of being surreptitiously stolen via the internet.

- Enrolment for, and provision of, authentication tools and/or software delivered to the customer: customer enrolment for and the initial provision of the authentication tools required to use the internet payment service and/or the delivery of payment-related software to customers should be carried out in a safe and trusted environment.

- Log-in attempts, session time-out, validity of authentication: PSPs should limit the number of log-in or authentication attempts, define rules for internet payment session “time-out” and set time limits for the validity of authentication.
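The three controls in this item (a cap on failed attempts, an idle session time-out and a maximum validity for an authentication) are easy to state and easy to get subtly wrong, so the following added example shows one way to enforce all three together. It is illustration code written for this summary, not code from the CSSF, the EBA or any PSP; the thresholds (5 failures, 15-minute lock-out, 10-minute idle time-out, 8-hour maximum validity), the PBKDF2 work factor and the `AuthController` class are all assumed values and names that a PSP would set in its own security policy.

```python
"""Log-in attempt limiting, session time-out and authentication validity.

Illustration only: not CSSF or EBA code. Thresholds below are assumed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple
import hashlib
import hmac
import secrets
import time

MAX_FAILED_ATTEMPTS = 5               # assumed: lock after 5 consecutive failures
LOCKOUT_SECONDS = 15 * 60             # assumed: keep the account locked 15 minutes
IDLE_TIMEOUT_SECONDS = 10 * 60        # assumed: idle session expires after 10 minutes
MAX_AUTH_VALIDITY_SECONDS = 8 * 3600  # assumed: re-authenticate after 8 hours
PBKDF2_ITERATIONS = 100_000           # assumed work factor for the password hash


@dataclass
class Session:
    user: str
    created_at: float   # when the authentication happened (validity clock)
    last_seen: float    # last request on this session (idle clock)


@dataclass
class AuthController:
    # The clock is injectable so the time-based rules can be tested deterministically.
    clock: Callable[[], float] = time.time
    _pw_hash: Dict[str, Tuple[bytes, bytes]] = field(default_factory=dict)
    _failures: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # user -> (count, lock_until)
    _sessions: Dict[str, Session] = field(default_factory=dict)           # token -> Session

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self._pw_hash[user] = (salt, digest)

    def is_locked(self, user: str) -> bool:
        _count, lock_until = self._failures.get(user, (0, 0.0))
        return self.clock() < lock_until

    def login(self, user: str, password: str) -> Optional[str]:
        """Return a session token, or None. Enforces the failed-attempt limit."""
        now = self.clock()
        count, lock_until = self._failures.get(user, (0, 0.0))
        if now < lock_until:
            return None  # locked out: the password is not even checked
        record = self._pw_hash.get(user)
        ok = False
        if record is not None:
            salt, digest = record
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
            ok = hmac.compare_digest(candidate, digest)  # constant-time comparison
        if not ok:
            count += 1
            lock_until = now + LOCKOUT_SECONDS if count >= MAX_FAILED_ATTEMPTS else 0.0
            self._failures[user] = (count, lock_until)
            return None
        self._failures.pop(user, None)  # success resets the counter
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user of a live session, or None if unknown or expired.

        A session dies when idle too long OR when the authentication itself is
        older than the maximum validity, even if the customer kept it active.
        """
        now = self.clock()
        s = self._sessions.get(token)
        if s is None:
            return None
        if (now - s.last_seen > IDLE_TIMEOUT_SECONDS
                or now - s.created_at > MAX_AUTH_VALIDITY_SECONDS):
            del self._sessions[token]
            return None
        s.last_seen = now
        return s.user
```

The two clocks in `Session` are deliberately separate: renewing `last_seen` on every request keeps an active customer logged in, while `created_at` is never renewed, so the authentication still expires at the policy limit and the customer must re-authenticate.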

- Transaction monitoring: mechanisms designed to prevent, detect and block fraudulent payment transactions before the PSP’s final authorization should be implemented. Suspicious or high-risk transactions should be subject to a specific screening and evaluation procedure.

- Protection of sensitive data: PSPs should ensure appropriate security of sensitive payment data when stored, processed or transmitted. PSPs shall take measures against theft and unauthorised access or modification with regard to data used to identify and authenticate customers. They should also encourage their e-merchants not to store any sensitive payment data, or contractually require them to have the necessary measures in place to protect these data.

  • Customer awareness, education and communication:

- Customer education and communication: PSPs should provide assistance and guidance to customers with regard to the secure use of internet payment services. They should communicate with their customers in such a way as to reassure them of the authenticity of the messages received (i.e. through a secure channel). They should inform customers about updates to security procedures, and provide them with assistance for all questions, complaints, requests for support and notifications of anomalies regarding internet payments. They should also initiate customer education and awareness programmes.

- Notification, setting of limits: PSPs should set limits for internet payment services (e.g. a maximum amount for each individual payment).

- Customer access to information on the status of payment initiation and execution: PSPs should confirm to their customers the payment initiation and provide them in good time with the information necessary to check whether the payment transaction has been correctly initiated/executed.
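The “Transaction monitoring” and “Notification, setting of limits” items above describe a screening step that runs before the PSP’s final authorisation: hard limits agreed with the customer are enforced, and transactions showing risk indicators are diverted to a specific evaluation procedure rather than authorised automatically. The following added example shows one minimal form of such a step. It is illustration code written for this summary, not code from the CSSF, the EBA or any PSP; the `screen` function, the three outcomes (approve / review / block), the rules, the thresholds and the sample customer history are all constructed assumptions.

```python
"""Pre-authorisation transaction screening with customer limits.

Illustration only: not CSSF or EBA code. Rules, thresholds and sample data
are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Transaction:
    customer: str
    payee: str        # payee account identifier (placeholder strings below)
    amount: float     # EUR
    country: str      # payee country, ISO 3166-1 alpha-2
    ts: datetime


@dataclass(frozen=True)
class CustomerLimits:
    per_payment: float               # maximum amount of a single payment
    daily: float                     # cumulative amount per calendar day
    known_payees: FrozenSet[str]     # payees the customer has paid before
    usual_countries: FrozenSet[str]  # countries the customer usually pays to


APPROVE, REVIEW, BLOCK = "approve", "review", "block"
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_MAX = 3   # assumed: 3 or more prior payments in the window is suspicious


def screen(tx: Transaction, limits: CustomerLimits,
           history: List[Transaction]) -> Tuple[str, List[str]]:
    """Decide before final authorisation; history = the customer's prior transactions."""
    # Hard limits agreed with the customer: a breach is blocked outright.
    if tx.amount > limits.per_payment:
        return BLOCK, ["per-payment limit exceeded"]
    same_day_total = sum(h.amount for h in history if h.ts.date() == tx.ts.date())
    if same_day_total + tx.amount > limits.daily:
        return BLOCK, ["daily limit exceeded"]
    # Risk indicators: any hit sends the transaction to manual screening.
    reasons = []
    if tx.payee not in limits.known_payees:
        reasons.append("new payee")
    if tx.country not in limits.usual_countries:
        reasons.append("unusual payee country")
    recent = [h for h in history if timedelta(0) <= tx.ts - h.ts <= VELOCITY_WINDOW]
    if len(recent) >= VELOCITY_MAX:
        reasons.append("payment velocity")
    return (REVIEW if reasons else APPROVE), reasons


# Constructed sample profile and history (placeholder payee identifiers).
LIMITS = CustomerLimits(per_payment=1000.0, daily=2500.0,
                        known_payees=frozenset({"PAYEE-KNOWN-0001"}),
                        usual_countries=frozenset({"LU", "DE"}))
T0 = datetime(2015, 8, 3, 10, 0)
HISTORY = [Transaction("c1", "PAYEE-KNOWN-0001", 800.0, "LU", T0 - timedelta(hours=2))]


def demo() -> dict:
    """Run the screening over a few constructed transactions."""
    cases = {
        "routine": Transaction("c1", "PAYEE-KNOWN-0001", 100.0, "LU", T0),
        "too_large": Transaction("c1", "PAYEE-KNOWN-0001", 1200.0, "LU", T0),
        "new_payee_abroad": Transaction("c1", "PAYEE-NEW-0002", 100.0, "FR", T0),
    }
    return {name: screen(tx, LIMITS, HISTORY) for name, tx in cases.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in demo().items():
        print(f"{name}: {decision} {reasons}")
```

Blocking is reserved for limits the customer agreed to, which can be reported back to the customer without ambiguity; the softer indicators only route the payment to review, so that a legitimate first payment to a new payee is delayed rather than refused.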

Best practice examples:

The EBA Guidelines also provide many examples of best practices that PSPs are encouraged, but not required, to adopt. For example: the security policy could be laid down in a dedicated document; the PSP could sign a dedicated service contract for conducting internet payment transactions with the customer, rather than a broader general service contract.