In March 2014, the FCA, the prudential supervisor for UK-based payment institutions and e-money providers, indicated that it would not strictly assess compliance with the SecuRePay Recommendations on the Security of Internet Payments.
According to an FCA statement, [the authority has] ‘decided to await the publication of guidance from the European Banking Authority on measures for the security of internet payments and will begin to assess firms’ implementation of these security measures when the updated Payment Services Directive requirements take effect.’
The updated Payment Services Directive will take effect from mid-2016 at the earliest. It will task the European Banking Authority with further developing guidance for the security of retail payments. The FCA has chosen to wait for this guidance rather than pre-empt it.
SecuRePay recommendations on the security of internet payments
The recommendations for the security of internet payments were developed by the European Forum on the Security of Retail Payments, SecuRePay. In February 2014, the forum also published an assessment guide that will help payment service providers to implement these recommendations by February 2015.
The IT security subcommittee of the EMA will work further on an implementation guide for the SecuRePay recommendations. It will:
1. assess the impact of the transposition of the recommendations onto the PSP regulatory frameworks of the EU/EEA national financial service regulators for EMA members;
2. provide high-level implementation guidance to members to allow them to action effective changes to internal systems and processes to satisfy the recommendations;
3. identify specific operational controls that EMA members can employ to satisfy the recommendations;
4. identify alternative approaches/controls that members can use to satisfy the four guiding principles in the recommendations that offer commensurate levels of protection to sensitive payment data.