With the EU’s landmark PSD2 legislation set to apply from next January, payments service providers (PSPs) will be legally required to provide their end users with a better-integrated market for electronic payments.
As such, the European Banking Authority (EBA) has launched a consultation on the logistics of forming a new, EU-wide security regime that will underpin PSPs’ working practices.
To set the ball rolling, the regulator has unveiled a set of guidelines that it recommends PSPs should follow, in order to “mitigate operational and security risks” arising from the provision of payment services.
Those guidelines, its consultation adds, cover three areas:
In addition, the guidelines cover the monitoring, detection and reporting of security incidents; business continuity management; scenario-based continuity plans, including their testing; incident management and crisis communication; the testing of security measures; and the management of relationships with payment service users.
As well as drawing up the guidelines, the EBA has conducted an initial assessment of threats and vulnerabilities that could affect PSPs as the legislation takes hold.
Key factors that the EBA identified include:
The EBA also points out that the threat landscape is constantly evolving, which will require PSPs to be ever more agile in the ways they prepare for, and respond to, security incidents.
As such, it proposes that they should adopt a system of “situational awareness and continuous learning”, to ensure they are:
The EBA has scheduled a public hearing on the guidelines for 20 June at Canary Wharf, London.
Meanwhile, PSP stakeholders and users are invited to respond to the consultation by 7 August.
Find the consultation paper, including the guidelines, here.