4.2 Transposition of recommendations for the security of Internet payments and compliance assessment as part of the oversight of payment instruments
The purpose of payment instruments oversight is to manage the risks of modern and novel technical solutions applied in payments and payment systems, and to maintain the trust in payment methods.
Although payment instruments oversight has not yet emerged as a separate activity in Hungary, some of its elements have already been incorporated into the oversight of payment systems, legislation concerning the execution of payments, and payment inspections. In order to ensure that the use of innovative technical solutions in payments does not pose any risk to the efficient and secure operations of payment services and payment and settlement systems, oversight must be adjusted to such solutions. In the oversight of payment instruments, the MNB plans to use a standardised framework to assess the execution rules of payment methods and the infrastructure used for the submission and execution of transactions, including the IT tools and communication channels used. Once payment instruments oversight is integrated into the domestic oversight framework, payment inspections and oversight will cover the entire execution process of payments, including access to payment methods, the methods and channels of the submission of orders, as well as clearing and settlement.
Due to the rapid development of the payment solutions available on the internet, it is essential that the relevant security requirements are established, regulated and controlled as part of payment instruments oversight. To that end, the SecuRe Pay forum [54] on the security of retail payments, established in 2011 at the initiative of the European Central Bank, has drawn up recommendations for the security of Internet payments and criteria for assessing compliance with those recommendations. Building on the work of the forum, the ECB and the European Banking Authority (EBA) cooperated to develop specific control and security measures for Internet payments, as well as standard recommendations and guidelines on customer information and communication with customers (Box 6) [55]. The recommendations and guidelines are based on the provisions of the Payment Services Directive on information requirements and obligations relating to the provision of payment services. The guidelines cover credit transfers and card payment transactions on the Internet, the issuance and amendment of direct debit electronic mandates on the Internet, as well as transfers of electronic money between e-money accounts via the Internet. Strong customer authentication, a central theme of the guidelines, will also be regulated by PSD2, which is currently being developed.
As of 1 August 2015, domestic payment methods and payment service providers operating in Member States are required to meet the new guidelines. As a competent authority, the MNB was required to report to the EBA in early May on whether it intends to comply with the guidelines. In fulfilment of this reporting obligation, the MNB indicated its intention to comply. To prepare for the implementation of the guidelines, it carried out a survey of the current level of compliance in the sector: the MNB sent self-assessment questionnaires to all stakeholders concerned, asking them to state whether they complied with the recommendations and, if not, when they planned to become fully compliant. The current guidelines established through the cooperation of the ECB and the EBA are valid only for a temporary period, up to the effective date of PSD2, which is currently being developed; the guidelines are nevertheless expected to be amended by the end of next year. Taking advantage of this, some countries, such as the UK, intend to comply with the guidelines but only as of the effective date of PSD2. In addition, recommendations and an evaluation system for the security of mobile payments are being developed at the international level, which Member States are expected to implement in 2017.
[54] European Forum on the Security of Retail Payments.
[55] Recommendations for the security of Internet payments: https://www.ecb.europa.eu/pub/pdf/other/recommendationssecurityinternetpaymentsoutcomeofpcfinalversionafterpc201301en.pdf
Assessment guide for the security of internet payments: http://www.ecb.europa.eu/pub/pdf/other/assessmentguidesecurityinternetpayments201402en.pdf
Final guidelines on the security of internet payments: http://www.eba.europa.eu/documents/10180/934179/EBA-GL-2014-12+%28Guidelines+on+the+security+of+internet+payments%29.pdf
Box 6 Recommendations and guidelines on the security of Internet payments
The main purpose of the minimum requirements for the security of Internet payments is to prevent fraud and abuse related to such payments. The guidelines set out minimum requirements for the general control and security environment, the specific control and security measures on Internet payment transactions, customer information, as well as communication with customers. Apart from the fourteen minimum requirements, the guidelines include a number of best practices, which payment service providers and the market participants concerned are recommended but not required to follow. The minimum requirements are divided into chapters in the categories of regulation, risk management, incident management, customer identification and authentication, security settings and protection, customer awareness, communication and customer access.
One of the most important and most controversial elements of the minimum requirements is strong customer authentication, which should be designed in such a way as to protect the confidentiality of the authentication data.
Consequently, strong customer authentication needs to rely on the use of at least two of the following elements:
I. knowledge: something only the user knows, e.g. a static password, code or personal identification number;
II. ownership: something only the user possesses, e.g. a token, smart card or mobile phone;
III. inherence: something the user is, e.g. a biometric characteristic, such as a fingerprint.
In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the Internet. In practice, strong customer authentication is typically based on a user name and a static password chosen by the customer, complemented by a one-time password that may be delivered through a variety of channels, such as a text message to the customer's mobile phone, or generated by the customer with a token provided by their bank.
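The following Python sketch is an added illustration, not code from the report or the guidelines: it shows the typical set-up described above (static password plus a one-time password from a token) and how a service can enforce that the one-time element is accepted only once. It assumes the token is a time-based one-time password generator (RFC 6238 TOTP) sharing a seed with the bank, that the static password is stored as a salted PBKDF2 hash, and that the class and function names are hypothetical.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ITERS = 200_000  # work factor for the stored password hash


def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: salted PBKDF2-HMAC-SHA256 of the customer's static password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Possession factor: RFC 6238 TOTP (HMAC-SHA1 over the time-step counter)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class ScaVerifier:
    """Hypothetical verifier: requires both elements and consumes each one-time
    code on first use, so the possession element is non-reusable even if a
    code was observed in transit. Password and token seed are independent
    secrets, so a breach of one does not compromise the other."""

    def __init__(self, password: str, token_seed: bytes, step: int = 30, window: int = 1):
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.seed = token_seed          # constructed demo seed shared with the customer's token
        self.step = step
        self.window = window            # adjacent time steps tolerated for clock drift
        self.last_step = -1             # highest time step already consumed

    def verify(self, password: str, otp: str, unix_time: int) -> bool:
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        otp_ok, used_step = False, None
        for drift in range(-self.window, self.window + 1):
            candidate = unix_time // self.step + drift
            if candidate <= self.last_step:
                continue                # replayed or older code: never accepted twice
            if hmac.compare_digest(totp(self.seed, candidate * self.step, self.step), otp):
                otp_ok, used_step = True, candidate
                break
        if otp_ok:
            self.last_step = used_step  # burn the code even when the password was wrong
        return pw_ok and otp_ok         # one valid element alone is never sufficient
```

A replayed code fails even within the drift window, and a correct code paired with a wrong password is consumed rather than left available for a second attempt.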