ECB consultation on security requirements for payment account access services (deadline: April 12, 2013)

Yesterday, the European Central Bank released a draft version of the Recommendations for payment account access services for public consultation. These recommendations were developed by the European Forum on the Security of Retail Payments, SecuRe Pay (the “Forum”). In the Forum, all the EU supervisors work together with the aim of fostering the establishment of a harmonised EU/EEA-wide minimum level of security.

The draft report lists a number of Recommendations which seek to ensure that the Third Party Providers (TPs) of Payment Account Access Services and the involved Governance Authorities (scheme owners) meet the following requirements:

  • TPs should have security and control measures in place ensuring a level of security similar to that required by the internet recommendations. The security of the payment account should not be undermined by the performance of payment account access services.
  • Increased transparency for account owners enabling them to assess risks and make an informed choice before and during the use of payment account access services.
  • Traceability through proper authentication in all communications between the entities involved (i.e. the TP, the account servicing PSP, the e-merchant and the account owner).
  • Improved exchange of information in the event of repudiation, security incidents and/or fraud.
  • The duration of payment account access and the quantity of data elements obtained, processed, exchanged and stored should be minimised, thus reducing the risk of misuse of those data elements.
  • TPs entering into contractual agreements with e-merchants should ensure that the e-merchants comply with the necessary security requirements.

The consultation period for these requirements ends on April 12, 2013, after which the ECB will draft a final version that is expected to be released at the end of 2013.