
The European Forum on the security of retail payments
Pierre Petit
Payment Forum, Helsinki, 10 May 2012

Outline
I. Origin and mandate
II. Recommendations for the security of internet payments
III. Future work

I. Origin and mandate

The Forum: a platform for cooperation between central bank overseers and supervisors
- The role of the central bank
- The role of the supervisor
- The role of the market

The role of the central bank
- The payment system function is one of the three basic functions of the central bank
- Its objective is to promote safety and efficiency of the payment system
- The role of the overseer is to monitor systems and instruments, assess them against standards or recommendations, and foster change (when necessary)

The role of the supervisor
- Protection of depositors

The role of the market
- Level playing field in security of retail payments

Mandate of the Forum
- Facilitate common understanding among authorities of issues relevant to the security of retail payments
- Develop recommendations

II. Recommendations for the security of internet payments
- Scope
- Addressees
- Implementation
- Three domains

First domain: Governance
- Risk identification and assessment
- Monitoring and reporting
- Control and mitigation
- Traceability

Second domain: Initial customer identification and strong authentication
- Initial customer identification
- Strong authentication

- Transaction monitoring and authorisation
- Protection of sensitive payment data

Third domain: Customer education and communication
- Notifications, limits
- Verification of payment by customer

III. Future work

Future work includes
- Access to payment accounts
- Mobile payments

Why look at access to payment accounts?
- EC Green Paper
- It is a market reality, not yet covered by the legal framework (Payment Services Directive)
- Security and efficiency of payments are key concerns of the Eurosystem

Technical access channel
- Customer's online banking interface
- Dedicated interface provided by the account issuer

For information purposes: account aggregation service*)
For payment transaction purposes: overlay payment service; online banking e-payment service

*) Some account aggregation services use a dedicated interface as well.

Objectives of the work on payment account access
- Identification of threats to confidentiality, integrity, and availability of information, which may put the privacy and money of the customer in danger
- Identification of possible mitigation measures

Annex I: Recommendations for the security of internet payments

Governance: Internet payment services security policy.
Risk identification and assessment: Thorough risk identification and vulnerability assessments.
Monitoring and reporting: Central monitoring and follow-up of security incidents, incl. customer complaints; reporting to management and competent authorities.
Risk control and mitigation: Implementation of multiple layers of security defences; measures mitigating the identified risks.
Traceability: Appropriate tracing of all transactions.

Annex I: Recommendations for the security of internet payments (continued)

Initial customer identification, information
- Customer identification prior to granting access to the services.
- PSPs should provide adequate prior and regular information to the customer about the necessary requirements (e.g. equipment, procedures) for performing secure internet payment transactions and about the inherent risks.

Strong customer authentication
- Internet payment services should be initiated by strong customer authentication.
- Examples of exemptions:
  - trusted beneficiaries included in white lists
  - purely consultative services, with no display of sensitive customer or payment information
  - for cards: based on a fraud risk analysis and the usage of CVx2

Enrolment for and provision of strong authentication tools
- Enrolment in a safe and trusted environment (e.g. face-to-face, secure website)
- Secure delivery of personalised security credentials or related devices and software
- Card holders should have the option to register for strong authentication independently of a specific internet purchase.
- Bypassing of enrolment only in exceptional cases

Log-in attempts, session timeout, validity of authentication
- Limit the number of authentication attempts
- Define rules for payment session time-out
- Set time limits for the validity of authentication

Transaction monitoring and authorisation
- Real-time fraud detection and prevention systems to identify suspicious transactions
- Card payment schemes, in cooperation with acquirers, should elaborate a harmonised definition of e-merchant categories and require its integration in the authorisation message.

Protection of sensitive payment data
- Sensitive payment data should be protected when stored, processed or transmitted.
- Acquirers should encourage e-merchants not to store any sensitive card payment data, or require them to have the necessary measures in place to protect these data.

Customer education and communication
- Customer alerts and notifications; setting of limits for internet payment transactions
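The recommendations on log-in attempts, session time-out, validity of authentication, SCA exemptions for white-listed beneficiaries and consultative services, and customer-set limits with alerts can all be enforced in one place on the PSP side. The following Python model is an added example and not code from the Forum or from any PSP; the policy values (5 attempts, a 600-second idle time-out, a 1800-second authentication validity window) and the customer limits are constructed for illustration, and the two-factor check itself and the transaction authentication code are abstracted as booleans because the recommendations do not prescribe a specific mechanism.

```python
"""Enforcement of SecuRe Pay session and authorisation recommendations (added example).
Policy values below are illustrative assumptions, not values prescribed by the Forum."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class Policy:
    max_auth_attempts: int = 5          # "limit the number of authentication attempts"
    session_idle_timeout_s: int = 600   # "define rules for payment session time out"
    auth_validity_s: int = 1800         # "set time limits for the validity of authentication"


@dataclass
class Customer:
    customer_id: str
    trusted_beneficiaries: Set[str] = field(default_factory=set)  # white list (SCA exemption)
    per_txn_limit: float = 500.0        # customer-set limits for internet payments
    daily_limit: float = 2000.0
    spent_today: float = 0.0
    alerts: List[str] = field(default_factory=list)  # customer alerts and notifications


@dataclass
class Session:
    customer: Customer
    authenticated_at: Optional[float] = None
    last_activity: Optional[float] = None
    failed_attempts: int = 0
    locked: bool = False


class InternetPaymentService:
    def __init__(self, policy: Policy, clock: Callable[[], float]):
        self.policy = policy
        self.clock = clock  # injected clock (seconds) so time-outs are testable offline

    def strong_authenticate(self, session: Session, credential_ok: bool) -> str:
        """Log-in with strong customer authentication; credential_ok is the outcome of
        the two-factor check (the factors themselves are outside this example)."""
        if session.locked:
            return "locked"
        now = self.clock()
        if credential_ok:
            session.failed_attempts = 0
            session.authenticated_at = session.last_activity = now
            return "authenticated"
        session.failed_attempts += 1
        if session.failed_attempts >= self.policy.max_auth_attempts:
            session.locked = True
            session.authenticated_at = None
            session.customer.alerts.append("authentication blocked after repeated failures")
            return "locked"
        return "retry"

    def _session_state(self, session: Session) -> str:
        """Apply idle time-out and authentication validity; refresh activity when active."""
        if session.locked:
            return "locked"
        if session.authenticated_at is None:
            return "unauthenticated"
        now = self.clock()
        if now - session.last_activity > self.policy.session_idle_timeout_s:
            session.authenticated_at = None
            return "session_timed_out"
        if now - session.authenticated_at > self.policy.auth_validity_s:
            session.authenticated_at = None   # re-authentication required even if active
            return "authentication_expired"
        session.last_activity = now
        return "active"

    def consult(self, session: Session, shows_sensitive_data: bool) -> str:
        """Purely consultative request: exempt from SCA only if nothing sensitive is shown."""
        if not shows_sensitive_data:
            return "allowed_without_sca"
        state = self._session_state(session)
        return "allowed" if state == "active" else "denied:" + state

    def initiate_payment(self, session: Session, beneficiary: str, amount: float,
                         txn_auth_code_ok: Optional[bool]) -> str:
        """Payment initiation: valid session, customer limits, then transaction-level SCA
        unless the beneficiary is on the customer's white list."""
        c = session.customer
        state = self._session_state(session)
        if state != "active":
            return "denied:" + state
        if amount > c.per_txn_limit or c.spent_today + amount > c.daily_limit:
            c.alerts.append(f"payment of {amount} to {beneficiary} exceeds customer-set limit")
            return "denied:limit_exceeded"
        if beneficiary in c.trusted_beneficiaries:
            decision = "authorised_sca_exempt_trusted_beneficiary"
        elif txn_auth_code_ok:
            decision = "authorised_with_sca"
        else:
            return "denied:transaction_authentication_required"
        c.spent_today += amount
        c.alerts.append(f"payment of {amount} to {beneficiary} executed")
        return decision


if __name__ == "__main__":
    import time
    svc = InternetPaymentService(Policy(), time.time)
    s = Session(Customer("demo", trusted_beneficiaries={"landlord"}))
    print(svc.strong_authenticate(s, True), svc.initiate_payment(s, "landlord", 50, None))
```

The clock is injected rather than read from `time.time()` inside the class so that the idle time-out and the validity window can be exercised deterministically; the alert list stands in for whatever notification channel the PSP uses.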

Annex II: Oversight of electronic retail payments

Table legend: existing oversight expectations vs. expectations in development / under consideration. Columns: payment instrument; terminals (contact technology, contactless technology); access channel, remote (via internet, via other communication networks); out of scope.

Credit transfer: Oversight framework for CT
- Access by the account holder directly, and in person
- Access to the payment account involving a third party provider
- Via other communication networks: e.g. voice

Direct debit: Oversight framework for DD
- E-mandate issued in the online banking environment
- Creditor-based e-mandate flow
- Via other communication networks: e.g. voice

Cards (physical, virtual): Oversight framework for cards; all cards, including the charging of wallet solutions; except business cards
- Contactless technology: e.g. proximity mobile payments
- Via other communication networks: e.g. voice

E-money (physical, virtual): EMSSO; harmonised approach and standards for PI; review ongoing (adjustments for virtual e-money)
- Only for charging of e-money accounts (no harmonised standards for transfers of e-money between two e-money accounts)

Other (e.g. closed loop, billing systems, consultative services)
- e.g. ticketing, transport
- e.g. account aggregation
- e.g. SMS

Annex III: Retail payment systems and payment instruments: oversight-relevant frameworks*
- Aug 1998: Report on electronic money
- May 2003: Electronic money system security objectives according to the common criteria methodology (EMSSO report)
- Jun 2003: Oversight standards for euro retail payment systems
- Jun 2006: Business continuity oversight expectations for systemically important payment systems (SIPS)
- Jan 2008: Oversight framework for card payment schemes standards (CPS)
- Feb 2009: Eurosystem oversight policy framework
- Feb 2009: Harmonised oversight approach and oversight standards for payment instruments
- Oct 2010: Oversight frameworks for direct debit and credit transfer schemes
- Mar 2012: Oversight expectations for links between retail payment systems (consultation)
- Apr 2012: Recommendations for the security of internet payments (consultation)

* http://www.ecb.europa.eu/pub/pub/paym/html/index.en.html