EBA seeks input on security regime to back up PSD2

As PSD2’s enforcement across Europe approaches, regulator consults on security regime that will support the package of measures

With the EU’s landmark PSD2 legislation set to apply from next January, payments service providers (PSPs) will be legally required to provide their end users with a better-integrated market for electronic payments.

As such, the European Banking Authority (EBA) has launched a consultation on the logistics of forming a new, EU-wide security regime that will underpin PSPs’ working practices.

To set the ball rolling, the regulator has unveiled a set of guidelines that it recommends PSPs should follow, in order to “mitigate operational and security risks” arising from the provision of payment services.

Those guidelines, its consultation adds, cover three areas:

  1. governance – including operational and security risk management and control models and rules around outsourcing;
  2. risk assessment – including the identification, classification and risk assessment of functions, processes and assets; and
  3. data protection – together with the integrity of systems, confidentiality, physical security and asset control.

In addition, the guidelines cover the monitoring, detection and reporting of security incidents; business continuity management; scenario-based continuity plans, including their testing; incident management and crisis communication; the testing of security measures; and the management of relationships with payment service users.

As well as drawing up the guidelines, the EBA has conducted an initial assessment of threats and vulnerabilities that could affect PSPs as the legislation takes hold.

Key factors that the EBA identified include:

  • inadequate protection of communication channels used for payments;
  • inadequately secured systems and devices, such as applications, servers and users’ payment devices;
  • unsafe behaviour of PSPs’ or their users’ staff;
  • the growing complexity of the payments environment; and
  • technological advancements and tools that are available to potential fraudsters or malicious attackers.

The EBA also points out that the threat landscape is constantly evolving, which will require PSPs to be ever more agile in the ways they prepare for, and respond to, security incidents.

As such, it proposes that they should adopt a system of “situational awareness and continuous learning”, to ensure they are:

  1. continually monitoring internal and external developments; and
  2. internalising the relevant lessons in order to adapt their business models and mitigate emerging risks.

The EBA has scheduled a public hearing on the guidelines for 20 June at Canary Wharf, London.

Meanwhile, PSP stakeholders and users are invited to respond to the consultation by 7 August.

Find the consultation paper, including the guidelines, here.