Guidelines on the Security of Internet Payments Released by the European Banking Authority: a Two-Step Approach

EPC response to the consultation on guidelines on the security of internet payments launched by the European Banking Authority

24 July 15

The objectives of the European Banking Authority

According to the European Banking Authority’s (EBA) website, it is an independent European Union (EU) authority “which works to ensure effective and consistent prudential regulation and supervision across the European banking sector1”. Its objectives include “maintaining financial stability in the EU and to safeguard the integrity, efficiency and orderly functioning of the banking sector2”. When it was established in January 2011, it took over all existing responsibilities of the Committee of European Banking Supervisors. The EBA is tasked with contributing to the creation of a European Single Rulebook in banking, i.e. to provide a set of harmonised rules for financial institutions throughout the EU.

The EBA issues various technical standards, guidelines and recommendations with the aim of creating this European Single Rulebook, promoting convergence of supervisory practices and assessing risks and vulnerabilities. As of October 2012, the EBA has issued approximately 90 of these.

It has also been tasked with policy development on consumer protection and financial innovation which, at various stages of the process, involves numerous key stakeholders including consumer associations, the Banking Stakeholder Group3, institutions and firms, and trade associations.

A new role for the EBA in payments

The European Commission has the right of initiative to propose laws for adoption by the co-legislators. These are the European Parliament and the Council of the EU. The Council of the EU is the institution where the Member States’ government representatives sit, i.e. the ministers of each Member State with responsibility for a given policy area.

The Commission tabled in July 2013 its proposal for a revised Payment Services Directive (PSD2). (The formal title of the proposed PSD2 is “Proposal for a Directive of the European Parliament and of the Council [of the EU] on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC.”). The proposed PSD2 remains under review by the European Parliament and the Council of the EU representing governments.

PSD2 could result in a number of additional roles for the EBA. These include:

  • Transparency role as register for regulated and exempted entities.
  • Improving coordination of home/host supervision.
  • Defining security requirements for electronic payments.
  • Improving incident reporting throughout the EU.

The role of the EBA in the European Forum for the Security of Retail Payments (SecuRe Pay)

The European Forum on the Security of Retail Payments (SecuRe Pay) was established in 2011 as a voluntary cooperative initiative between relevant authorities from the European Economic Area: supervisors of payment service providers (PSPs) (i.e. the EBA and its members) and overseers (i.e. the European System of Central Banks4). It was formed with the objective of facilitating common knowledge and understanding of issues related to the security of electronic retail payment services and instruments and, where necessary, issuing recommendations. SecuRe Pay has published a number of these recommendations since its inception, including, in January 2013, the final recommendations and in February 2014 the assessment guide for the security of internet payments.

Reinforced cooperation between the EBA and the European Central Bank through SecuRe Pay

The role of the EBA has also altered in relation to the security of retail payments following the announcement on 20 October 2014 that the EBA and the European Central Bank (ECB) will step up their cooperation to make retail payments safer. The technical work of SecuRe Pay will be the common basis for the Eurosystem (comprising the ECB plus the national central banks of the euro area) standards for the oversight of payment systems and retail payment instruments, and for the EBA’s regulatory and supervisory requirements for payment services across the entire EU.

The EBA consults on implementation guidelines on internet payments

The first output of the reinforced cooperation between the EBA and the ECB was a consultation paper on the implementation of its guidelines on the security of internet payments issued on 20 October 2014. These draft guidelines were based on the recommendations issued by SecuRe Pay for the security of internet payments in January 2013. The consultation ran until 14 November 2014.

When the ECB released the final SecuRe Pay recommendations, it had foreseen an implementation date of 1 February 2015. However, during a progress analysis in the summer of 2014, SecuRe Pay agreed that a “more solid legal basis” was needed to “ensure consistent implementation by financial institutions across all Member States, as well as to reassure financial institutions that required investments and system changes are being followed up by a consistent regulatory framework”. The EBA, therefore, agreed to issue these guidelines based on the SecuRe Pay recommendations. These will enter into force in August 2015, giving stakeholders a six-month extension from the original recommendations. The EBA is focusing specifically on the implementation of these guidelines rather than on the substance of the requirements as the ongoing negotiations of the revised PSD2 may affect them. The EBA issued these guidelines to ensure consistent regulation across the EU and to provide legal certainty for market participants. The guidelines cover the general control and security environment, specific control and security measures for internet payments, and customer awareness, education and communication.

The consultation on these guidelines asked the question: “Do you prefer for the guidelines to:

a)     Enter into force, as consulted, on 1 August 2015 with the substance set out in this consultation paper, which means they would apply during a transitional period until stronger requirements enter into force at a later date under PSD2.

b)     Anticipate these stronger requirements and include them in the final guidelines under PSD1 that enter into force on 1 August 2015, the substance of which would then continue to apply under PSD2.”

The EBA received 45 responses (including one from the EBA’s Banking Stakeholder Group), of which 39 were published on the EBA’s website. For details, refer to the ‘related links’ underneath this article.

The European Payments Council response to the consultation

In response to the consultation, the European Payments Council (EPC) recommended a third option. This recommendation is a scenario whereby the guidelines would be issued only after entry into force of PSD2 (according to Article 103 of the draft PSD2) and publication of the regulatory technical standards as may be mandated by PSD2, following a consultation of the market and safeguarding an adequate timeframe for implementation. This is what the EPC called option c).

Option c) is based on various arguments:

  • The legal enforceability of options a) and b) is uncertain. Indeed, according to Article 16 of Regulation 1093/20105, the EBA shall, in order to ensure common, uniform and consistent application of law, issue guidelines and recommendations. Article 1.2 of the same Regulation lists the legal texts (e.g. PSD) forming the scope within which the EBA shall exercise its powers. The EBA, in its consultation paper, refers to the current PSD as a legal basis while seeking to “ensure common, uniform and consistent application of Union law”. However, the consultation paper is about implementation of draft guidelines on the security of internet payments - prior to the transposition of PSD2. An essential element for the guidelines is the reliance on the concept of strong customer authentication. It is important to note that this concept does not yet exist under the current PSD and will only be incorporated into “Union law” once PSD2 (new Article 87 PSD2) enters into force. Based on current law, PSPs are not yet (legally) required to apply ‘strong customer authentication’. As a result, the guidelines – as currently drafted - would appear unenforceable until PSD2 enters into force.
  • Option a) - the two step approach - creates a risk of implementations in the first step not being compliant with future guidelines related to the second step, imposing unnecessary rework costs on PSPs and other technical providers, and causing confusion/inconvenience for merchants and consumers.
  • Option b) does not provide a guarantee of a one-step approach, because the stronger requirements are, at this time, still under discussion and may change before the publication date which is likely to be too close to 1 August 2015. The EPC therefore believes that there are no stable conditions for setting requirements for stronger security standards which will ultimately exist under PSD2.
  • At present, PSPs are working to develop and implement technical structures as requested by SecuRe Pay recommendations by the February 2015 deadline, and it would, at this late stage, under option b), be impossible for them to change the scope of their projects (and related budgets) already planned in accordance with the SecuRe Pay recommendations.
  • A lead time - well beyond 1 August 2015 (as cited in option b) – would be required to implement any solution other than those already set out in the SecuRe Pay recommendations.
  • The security guidelines would also not be enforced under either option a) or option b) on all categories of PSPs as payment initiation services providers will only be regulated under PSD2 at a later stage.

In its response, the EPC had added that if the EBA were not to accept the recommended ‘option c’, it would have a preference for option a) (i.e. the two-step approach) subject to the guidelines remaining based on the SecuRe Pay recommendations published in 2013, which were the basis for the ongoing implementation efforts.

In addition to providing a response to the consultation question, the EPC also included suggestions to possibly further enhance the guidelines.

In its response, the EPC also pointed out that in the last two decades many security solutions were implemented, only to be rendered obsolete as technology evolved and replaced by safer solutions. Therefore, stakeholders are permanently in search of solutions that master the subtle balance between security and user convenience. In the last five years, new threats have appeared, authentication solutions have evolved, and the preferred platform for internet payments has changed from PCs to mobile devices. This field of expertise is highly dynamic. As an example, since the issuance of the SecuRe Pay recommendations, tokenisation has been picked up as one of the prevalent security solutions in any future e-payments system but, understandably, at the time of publication, the recommendations did not take tokenisation into much consideration. Another very promising area of evolution in digital security is risk based authentication, and innovation in this area could be seriously hindered by the current requirements. The EPC therefore suggested that these new developments be taken into account when finalising the guidelines.

Finalised guidelines on the security of internet payments

The EBA published the finalised guidelines on 19 December 2014. The guidelines set the minimum security requirements that PSPs in the EU will be expected to implement by 1 August 2015. The EBA has retained the two-step approach whereby the guidelines will need to be implemented as consulted on 1 August 2015, with potentially more stringent requirements necessary under the PSD2 being implemented at a later stage. The EBA has, therefore, concluded that a delay in implementation of the guidelines until the transposition of the PSD2 in 2017/2018 would not be feasible in view of the continuously growing and high levels of fraud in the domain of internet payments. More details on the finalised guidelines can be found in the related links below.

The EBA furthermore clarified that it encourages supervisory and oversight authorities to continue using the assessment guide for the security of internet payments which was published by SecuRe Pay in February 2014 as a non-prescriptive tool to help them assess firms’ compliance with the SecuRe Pay recommendations. It also stated that the SecuRe Pay recommendations continue to represent the document against which central banks in their oversight function for payment systems and instruments should assess compliance with regard to the security of internet payments.

The EPC recognises the importance and urgency of addressing internet payment fraud and hence supports the objectives pursued by the EBA in this area. At the same time the EPC wishes to stress that regulation should strive to achieve legal certainty, balance, technology neutrality and a level playing field amongst all players.

Etienne Goosse is the EPC Secretary General.


Related links:

European Central Bank (January 2013): Recommendations for the Security of Internet Payments – Final Version After Public Consultation (developed by the European Forum on the Security of Retail Payments) 

European Central Bank (February 2014): Assessment Guide for the Security of Internet Payments 

European Banking Authority Website: About us 

Mandate of the European Forum on the Security of Retail Payments (SecuRe Pay) (October 2014) 

European Central Bank press release (20 October 2014): ‘ECB and EBA [European Banking Authority] step up cooperation to make retail payments safer’

European Banking Authority press release (20 October 2014): ‘EBA consults on implementation of Guidelines on internet payments security’ 

European Banking Authority Website: Responses to EBA consultation on guidelines on internet payments security 

European Banking Authority press release (19 December 2014): ‘EBA issues Guidelines to strengthen requirements for the security of internet payments across the EU’ (includes link to final guidelines) 

EPC Blog (12 January 2015): European Union Regulatory Initiatives Impacting the Security of Euro Payments: the 2015 Outlook 


2 Ibid.

3 The EBA's Banking Stakeholder Group is composed of 30 members appointed to represent in balanced proportions credit and investment institutions operating in the Union, their employees' representatives as well as consumers, users of financial services, academics and representatives of SMEs. The Group's role is to help facilitate consultation with stakeholders in areas relevant to the tasks of the EBA.

4 The European System of Central Banks (ESCB) comprises the European Central Bank and the national central banks of all 28 Member States.

5 Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishing a European Supervisory Authority (European Banking Authority), amending Decision No 716/2009/EC and repealing Commission Decision 2009/78/EC
