SecuRe Pay releases final recommendations on the security of internet payments

Today, the ECB released a comprehensive set of Recommendations for the security of internet payments, following a two-month public consultation carried out in 2012. The Recommendations represent the first achievement of the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary cooperative initiative between relevant authorities from the European Economic Area (EEA) – supervisors of payment service providers and overseers in particular.

The main recommendations include:

  • to protect the initiation of internet payments, as well as access to sensitive payment data, by strong customer authentication;
  • limit the number of log-in or authentication attempts, define rules for internet payment services session “time out” and set time limits for the validity of authentication;
  • establish transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions;
  • implement multiple layers of security defences in order to mitigate identified risks;
  • provide assistance and guidance to customers about best online security practices, set up alerts and provide tools to help customers monitor transactions.

Implementation
The detailed recommendations will be integrated into existing oversight frameworks for payment schemes and supervisory frameworks for PSPs and are to be considered as common minimum requirements for internet payment services. The members of the Forum are committed to supporting the implementation of the recommendations in their respective jurisdictions and will strive to ensure effective and consistent implementation within the EEA.

The recommendations should be implemented by PSPs and governance authorities of payment schemes by 1 February 2015. National authorities may wish to define a shorter transition period where appropriate.