The Recommendation presents the
FSA’s expectations towards
payment service providers (‘PSPs’)
in terms of adequate and safe rules
for online payment solutions, as
well as adequate control
mechanisms in this field. The
Recommendations are based on
European standards, in particular
the ‘Guidelines on the Security of
Internet Payments’ issued by the
European Forum on the Security
of Retail Payments (SecuRe Pay),
that have been in force since 1
February 2015, and the ‘Guidelines
on the security of internet
payments’ (EBA/GL/2014/12),
issued by the European Banking
Authority (‘EBA’), and in force
since 1 August 2015.
The Recommendation is in line
with the European guidelines,
enhancing certain
recommendations, which concern
in particular the provisions on
secure access to customers’
payment accounts by access
devices. At the same time, the
Recommendation indicates the
need to substantially reduce the
risk of stolen customer identities
being used for fraudulent purposes
to open payment accounts via wire
transfer (Recommendation 6.1).
The Recommendation is much
more detailed than the European
guidelines, allowing for much less
flexibility in implementation.
The recommendations
The Recommendation is composed
of 14 recommendations, divided
into three sections: 1. Principles
and organisational measures of
process management and risk
assessment; 2. Specific measures of
control and security in online
payments; and 3. Awareness and
education of customers and
communicating with them.
Section 1
Sets out the security policy in
banks, credit unions and other
institutions, and highlights the
issues of risk management or
suspicious transactions associated
with these stakeholders. PSPs
should have a formal security
policy and regularly carry out
detailed risk assessments in
relation to online payment and
related services, and if necessary,
make relevant changes. The
analysis should take into account,
inter alia, the technology used, the
technical environment and other
outsourcing issues.
Section 2
PSPs should always use strong
customer authentication
mechanisms for online payments,
and for access to sensitive payment
data, except in exceptional cases.
Also, the Recommendation states
that PSPs should provide
customers with safe tools for
authorising online transactions,
and should adopt a general focus
on the safety of the transaction.
PSPs should also use appropriate
systems to help identify and block
fraudulent transactions.
Section 3
Educational activities should take
place through regular
informational events and
incidental warnings of threats, as
well as ongoing communication
with customers via a secure
informational channel.
The key objectives
The Recommendation’s main
purpose is to protect customers’
interests when making online
payments. The most important
recommendations are as follows:
Recommendation 6 - Verify the
customer’s identity prior to the
online payment. Banks should be
required to confirm the customer's
personal identity when opening a
new account via wire transfer. In
practice, this will block the
opening of bank accounts via wire
transfer, which is currently offered
by many Polish banks.
Recommendation 6.2. - PSPs
should inform customers about
how to use authentication data
safely and how to keep this
information secure, and should
remind them not to share it with any
third parties.
Recommendation 7 - PSPs
should apply strong customer
identification, based on the
combination of two authentication
methods.
Recommendation 9 - PSPs
should limit the number of log-in
or authentication attempts, define
rules for internet payment services
session ‘time out’, and set time
limits for the validity of
authentication.
Recommendation 12 - PSPs
should provide customers with
assistance and support for safe
online transactions, as well as
communicate with them in a way
that allows the confirmation of the
authenticity of the received
messages. Banks and credit unions
E-Finance & Payments Law & Policy - December 2015 15
SECURITY
In November, the Polish Financial
Supervision Authority (‘FSA’) issued
a ‘Recommendation on the security
of online payment transactions
made by banks, national payment
institutions, national electronic
money institutions and savings and
credit union’ (‘Recommendation’).
This aims to harmonise the
minimum requirements for the
security of online payments in
connection with the provisions of
payment services. Maciej
Gawronski and Joanna Galajda of
Bird & Bird assess the objectives of
the Recommendation and the
potential for conflicts to arise
between payment service providers
and consumers.
The Polish FSA issues new
payment security guidelines
version of the Recommendation
allows customers to open bank
accounts by confirming their
identity via wire transfer, but
imposes an additional requirement
on banks: if the account is opened
via wire transfer, the bank cannot
allow customers to use the given
account to open a new account in
another bank using the same
procedure. This will require banks
to determine whether such a
transfer order is made from the
account opened via wire transfer.
Recommendation 6 aims to
protect customers against cyber
crime. It states that: ‘PSPs shall
ensure the integrity of the
application process for a payment
account contract and placing an
order to make bank transfer to
open an account.’
Phishing is a common form of
cyber crime used to obtain
confidential data needed for log-in
and transfer authorisation. Data
obtained by phishing is used to
open a new account via the
transfer identification method.
Opening a fake account in this way
is simple - thieves publish a
fictitious job offer, asking
candidates to provide their
personal information which is then
used to open a new account. They
then ask them to transfer a small
amount to the fake account, and
the identification is authorised by
the bank and, as a result, the
account is opened.
Once the fake account is opened,
the thieves can use it to open the
next fake account via wire transfer.
All these fake accounts can then be
used for transferring money from
fake online auctions and money
laundering, as well as introducing
funds derived from illegal sources
into the financial system.
Conclusion
The Recommendation focuses
mainly on technical and
organisational issues. In our
opinion, the Recommendation, to
a certain extent, removes payment
institutions’ responsibility for
actual risk assessments of online
transactions. The
Recommendation says relatively
little about risk management
performed by customers, and their
responsibility for this risk. Further,
we believe that this is the main area
where conflicts of interest between
PSPs and customers will
materialise. In other words, it will
be the main area of future disputes.
If this Recommendation was
directed to banks, the FSA’s
approach would have been
disappointing. However, there is
some method in its madness. The
payment institution sector is much
larger than the banking sector. The
FSA apparently decided that the
most urgent requirement was to
provide practical solutions and
determine the reference point for
the sector, more important than
providing high level principles,
hoping that the fast-growing
FinTech market will understand
what is really expected.
There are certain reservations
about the subtlety of the FSA’s
actions. However, we cannot
underestimate the effectiveness of
the FSA’s actions and their
practical approach.
Maciej Gawronski Partner
Joanna Galajda Associate
Bird & Bird, Poland
Maciej.Gawronski@twobirds.com
should ensure safe ways of
communicating with customers.
Customers should be informed
that only information received in
this way is safe and credible. The
Recommendation also emphasises
the need to educate customers
appropriately about protecting
sensitive data.
Recommendation 13 - PSPs
should set amount limits for
internet payment services and
provide customers with the
possibility to change such limits.
Wire transfers
Polish banks commonly use wire
transfers as an identification tool,
i.e. customers can open new
accounts via wire transfer simply
by transferring funds. Instead of
having to visit the bank or
financial institution in person, the
customer need only provide their
personal information in an online
form, and confirm these details by
wire transfer. This method is
practical and saves time; however, it
increases the risk of identity theft.
The Polish Banks Association
(‘PBA’) has identified this problem,
and in December last year issued a
recommendation on how to secure
the procedure of identification via
wire transfer. Later, the PBA even
suggested stopping this practice.
The FSA has also noticed the
increasing risk related to customer
identification through wire transfer
and addressed this in the
Recommendation. The first draft
of the Recommendation
prohibited this customer
identification method; however,
this was not included in the final
version of the Recommendation.
Recommendation 6 in the final