This is the first time that EU payments legislation has sought to detail IT security requirements; until now they have generally been left to the prudential obligation to maintain good internal controls.
The provisions can be divided into four areas:
(i) strong customer authentication, meaning two-factor authentication, required (subject to a number of exemptions) for most remote interactions, including account access;
(ii) dynamic linking of the authorisation of each remote transaction to the amount and the payee, so that the authentication code is specific to those details and any change to them invalidates it;
(iii) a requirement for PSPs to establish a security risk management and mitigation framework and to report periodically to the competent authority on those risks and mitigation strategies; and
(iv) a requirement to notify competent authorities of major operational or security incidents, with an information sharing process that involves the EBA, the ECB and host member state competent authorities.
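To make the dynamic linking requirement concrete, the following is an added illustration written for this page, not code from the article, the EMA or any PSP. It assumes a second factor in the form of a device that holds a secret key (the "possession" factor) and computes an authentication code over the exact amount and payee the user is shown, plus a per-transaction challenge issued by the PSP. The payee string, key and challenge are constructed sample values; the field encoding and function names are the author's own choices and not a standard.

```python
import hashlib
import hmac
import secrets


def encode_transaction(amount_minor: int, currency: str, payee: str, challenge: bytes) -> bytes:
    """Canonical, unambiguous encoding of the details the user sees and approves.

    Each field is length-prefixed so that shifting characters between fields
    (e.g. "10" + "0EUR" versus "100" + "EUR") cannot produce the same bytes.
    """
    if amount_minor < 0:
        raise ValueError("amount must be non-negative")
    fields = [str(amount_minor).encode(), currency.encode(), payee.encode(), challenge]
    out = b""
    for field in fields:
        out += len(field).to_bytes(4, "big") + field
    return out


def authenticator_code(device_key: bytes, amount_minor: int, currency: str,
                       payee: str, challenge: bytes) -> str:
    """What the user's device would compute: an HMAC bound to amount, payee and challenge."""
    data = encode_transaction(amount_minor, currency, payee, challenge)
    return hmac.new(device_key, data, hashlib.sha256).hexdigest()


def psp_verify(device_key: bytes, amount_minor: int, currency: str, payee: str,
               challenge: bytes, presented_code: str) -> bool:
    """PSP side: recompute the code over the transaction it is about to execute.

    If a man-in-the-browser changed the amount or payee after the user approved
    the display, the recomputed code differs and the transaction is rejected.
    """
    expected = authenticator_code(device_key, amount_minor, currency, payee, challenge)
    return hmac.compare_digest(expected, presented_code)


def demo() -> tuple:
    """Returns (genuine ok, tampered amount ok, tampered payee ok, replayed code ok)."""
    device_key = secrets.token_bytes(32)          # constructed: provisioned device secret
    challenge = secrets.token_bytes(16)           # constructed: fresh per-transaction challenge
    payee = "EXAMPLE-MERCHANT-01"                 # constructed sample payee identifier
    code = authenticator_code(device_key, 12500, "EUR", payee, challenge)  # user approves EUR 125.00

    genuine = psp_verify(device_key, 12500, "EUR", payee, challenge, code)
    tampered_amount = psp_verify(device_key, 125000, "EUR", payee, challenge, code)
    tampered_payee = psp_verify(device_key, 12500, "EUR", "ATTACKER-ACCOUNT", challenge, code)
    replayed = psp_verify(device_key, 12500, "EUR", payee, secrets.token_bytes(16), code)
    return genuine, tampered_amount, tampered_payee, replayed


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False, False)
```

The check a practitioner should take from this is that the PSP must verify the code against the amount and payee it will actually execute, not against values echoed back by the browser, and that the challenge must be fresh per transaction so an approved code cannot be replayed against a later payment.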
Whilst risk management and incident notification may already be part of existing practice, new EBA guidelines are expected to elaborate on these obligations. Strong customer authentication in turn builds on the current EBA guidelines on the security of internet payments, which would be updated to reflect the amended and additional requirements.
The EMA conference next week will bring the EBA, member state regulators, and industry security practitioners together to discuss the impact on different parts of the payments sector.
The article "PSD2 - IT Security Provisions" was written by Dr Thaer Sabri, EMA CEO.