EPC Newsletter
Issue 7 - July 2010

SEPA Standards

New and Improved: EPC publishes updated guidelines on the use of audit trails in security systems

19.07.10 BY Björn Flismark

INTRODUCTION AND SUMMARY

In June 2010, the EPC approved an updated version of the document "The Use of Audit Trails in Security Systems: Guidelines for European Banks" (a link is included at the end of this article). These guidelines support payment service providers (PSPs) in complying with requirements established to ensure information security, i.e. protecting the confidentiality, integrity and availability of data underlying a payment transaction. Specifically, the revised guidelines now include recommendations regarding the maintenance of so-called audit trails (or audit logs) of payment systems. Audit trails form part of any information security management system: they feature a chronological sequence of audit records where each record pertains to the execution of a specific business process or system function. Audit records typically result from activities such as transactions or communications triggered by individual people, systems, accounts or other entities. Such records - as documented in the audit trail - are ultimately relied upon to validate whether the system controls designed to ensure information security are adequate. Björn Flismark details the guidelines approved by the EPC on the use of audit trails in security systems.


The extended scope of the guidelines on the use of audit trails now also covers payment processes

The guidelines for the use of audit trails in security systems were first created in 2001[1] to provide good-practice recommendations on how computer and system audit trails should be captured, stored and used to support the management and operation of security in banking computer systems. The previous edition of these guidelines, however, did not consider the audit trails of payment systems. The scope of the updated edition now approved by the EPC has been extended to include payments-related data, taking into consideration the implementation of the harmonised SEPA Payment Schemes.

The secure capture and storage of the audit trails of payment records, along with the relevant security audits, may, amongst others, serve as evidence in any related dispute resolution process. Such dispute resolution could take place between PSPs or between PSPs and their customers. The revised document is the basis from which specific guidance might be developed over time applicable to SEPA Payment Schemes and PSPs participating in these Schemes.

The updated guidelines also take into account that internationally agreed security requirements are placing ever-greater emphasis on the need to capture transactional audit trails. The guidelines focus on IT security and audit trails for security-related purposes as well as on the audit trails of the business processes of banks, namely the processing of payments. The changes compared to the previous edition include updates of the bibliography and an extensive review of the principles (or recommendations, as they were called in the previous version) with a view to improving clarity and to ensuring that these principles are aligned with present requirements regarding information security. Last but not least, the document could serve as a reference in service level agreements when outsourcing certain processing activities to third parties.

The EPC guidelines on the use of audit trails are fit for purpose and applicable to any business unit

PSPs must regularly conduct audits to validate whether appropriate controls ensuring information security are in place. Such security audits consist of an independent review and examination of a system's records and activities to determine the adequacy of system controls and to ensure compliance with established security policy and procedures. The validation of system controls will usually rely on a so-called audit trail, i.e. a chronological record of system activities which allows the environment and processes impacting a security-relevant transaction to be reconstructed and examined. Such activities are documented in an audit log featuring a chronological sequence of audit records. An audit record is a single entry that describes one single auditable event. The systematic review of business processes or system functions as reflected in the audit log thus allows possible breaches of security policies to be detected and, where such breaches are identified, recommendations to be developed on how to improve system controls.

The updated guidelines approved by the EPC offer practical, easy-to-use principles allowing PSPs to implement a secure audit trail strategy. These principles are applicable to any part of an organisation, such as a business unit, corporate headquarters or data centres.

The document specifies audit principles in the following areas:

  • Audit system design including events to be recorded, format and fields of records, audit tools
  • Management of audit logs including ownership, access and classification of audit data, generation, storage and back-up of audit trails
  • Retention periods
  • Application and use of audit logs (e.g., internal investigations, presentation to court)
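As an added illustration of several of the areas listed above (this is example code, not the EPC document's own content, which is not reproduced here), a minimal Python audit trail with fixed record fields, chronological ordering, tamper-evident chaining of records so that a stored log can later be relied upon as evidence, and retention-based pruning that keeps the remaining records verifiable. The field names, event names and sample events are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64  # anchor hash for the first record of a fresh trail

def _digest(body):
    # Canonical JSON so identical fields always produce the same hash
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def build_trail(events, anchor=GENESIS):
    # events: (ts_iso, actor, event, subject, outcome) tuples; each record stores its predecessor's hash
    trail, prev = [], anchor
    for ts, actor, event, subject, outcome in events:
        body = {"ts": ts, "actor": actor, "event": event, "subject": subject, "outcome": outcome, "prev": prev}
        trail.append(dict(body, hash=_digest(body)))
        prev = trail[-1]["hash"]
    return trail

def verify_trail(trail, anchor=GENESIS):
    # (True, -1) if each record links to its predecessor, hashes correctly and is in chronological
    # order; otherwise (False, index of the first failing record)
    prev, last_ts = anchor, ""
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != rec.get("hash") or body["ts"] < last_ts:
            return False, i
        prev, last_ts = rec["hash"], body["ts"]
    return True, -1

def prune_expired(trail, now_iso, retention_days):
    # Drop the leading records older than the retention period; return (kept, new_anchor), the hash
    # of the last record removed, so the remainder still verifies against it
    cutoff = (datetime.fromisoformat(now_iso) - timedelta(days=retention_days)).isoformat()
    kept, anchor = [], GENESIS
    for rec in trail:
        if not kept and rec["ts"] < cutoff:
            anchor = rec["hash"]
        else:
            kept.append(rec)
    return kept, anchor

# Constructed sample events (not from the EPC document); field names and values are assumptions
SAMPLE_EVENTS = [
    ("2010-06-01T09:00:00+00:00", "clerk42", "PAYMENT_SUBMITTED", "SCT-0001", "accepted"),
    ("2010-06-01T09:00:05+00:00", "system", "PAYMENT_AUTHORISED", "SCT-0001", "ok"),
    ("2010-07-10T14:30:00+00:00", "admin7", "LOG_ACCESS", "audit-db", "read"),
    ("2010-07-10T14:31:00+00:00", "clerk42", "PAYMENT_SUBMITTED", "SCT-0002", "rejected"),
]
```

Editing a stored record, deleting one from the middle or reordering records makes verify_trail report the first affected position, which is the property an investigator needs before relying on the log.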

The EPC guidelines on the use of audit trails in security systems are available for download on the EPC web site (see link below).

Björn Flismark served as the Chair of the EPC Information Security Support Group (ISSG) until June 2010. He has been succeeded as Chair of the ISSG by Ruth Wandhöfer.

Related link:

EPC document "The Use of Audit Trails in Security Systems: Guidelines for European Banks"

 

[1] The document was first published by the ECBS (European Committee for Banking Standards); the EPC has taken over the ECBS tasks and maintains a portfolio of documents originally created by the ECBS.
