ECB publishes recommendations for security of internet payments

Yesterday, the European Central Bank published its recommendations for the security of Internet payments. These recommendations were developed by the European Forum on the Security of Retail Payments, SecuRe Pay. This Forum of regulators and supervisors was set up in 2011 as a voluntary cooperative initiative between authorities.

The report is the result of a consultation with the market. It outlines security recommendations and best practices such as the principle of strong authentication. Strong customer authentication is a procedure based on the use of two or more of the following elements – categorised as knowledge, ownership and inherence:

  • something only the user knows, e.g. static password, code, personal identification number;
  • something only the user possesses, e.g. token, smart card, mobile phone;
  • something the user is, e.g. biometric characteristic, such as a fingerprint.

The report detailed the further requirements for this procedure, but also made it clear that the scope of the recommendations excluded payments via mobile phone, SMS and virtual prepaid cards.

As such, the report outlines the requirements that local regulators will use when assessing the security of Internet payments for the institutions that they supervise. The supervisors and institutions in the SecuRe Pay Forum have all stated that they will support the implementation of the requirements in their respective jurisdictions and that they will cooperate with each other to ensure effective and consistent implementation across jurisdictions.

The deadline by which Payment Service Providers and Governance Authorities of payment schemes should implement these recommendations is February 1, 2015.