European Banking Authority
Guidelines on the Security
of Internet Payments
Public presentation
Document summary
This document presents the “Guidelines on the security of internet payments” issued by the European Banking Authority on 19 December 2014.
The Guidelines are based on the recommendations of the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary cooperative initiative set up by the ECB and comprising relevant authorities from the European Economic Area (EEA).
The Guidelines set the minimum security requirements that Payment Service Providers in the EU will be expected to implement by 1 August 2015, covering services related to cards, credit transfers, e-mandates and e-money.
The Author
Juan Manuel Nieto Moreno
SIA Group Information Security
Technical Coordinator
Computer Engineer
CISA, CISM, LA BS7799, PCI-DSS QSA, ITIL v3
es.linkedin.com/in/jmnietomoreno
Content summary
EBA Guidelines on the Security of Internet Payments
• Background information
• Scope and applicability
• Organization of the guidelines
• Conclusions
Background information
EBA Guidelines on the Security of Internet Payments
Background information
Main actors
SecuRe Pay
SecuRe Pay (Security of Retail Payments) is a voluntary cooperative initiative set up by the European Central Bank and comprising relevant authorities from the European Economic Area (EEA), with the aim of facilitating understanding of issues related to the security of electronic retail payment services.
European Banking Authority (EBA)
The EBA is an independent EU authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector.
Competent Authorities (CA)
CA refers, in general, to the national banks that are members of the European System of Central Banks, e.g. Bank of Spain, Deutsche Bundesbank, Bundesanstalt, Financial Services Authority, etc.
Payment Service Providers (PSP)
PSP refers to the bodies defined in Article 1(1) of Directive 2007/64/EC (the Payment Services Directive):
(a) credit institutions within the meaning of Article 4(1)(a) of Directive 2006/48/EC;
(b) electronic money institutions within the meaning of Article 1(3)(a) of Directive 2000/46/EC;
(c) post office giro institutions which are entitled under national law to provide payment services;
(d) payment institutions within the meaning of this Directive;
(e) the European Central Bank and national central banks when not acting in their capacity as monetary authority or other public authorities;
(f) Member States or their regional or local authorities when not acting in their capacity as public authorities.
Background information
From the SecuRe Pay recommendations to the EBA Guidelines
In January 2013, the European Forum on
the Security of Retail Payments, SecuRe Pay
(set up in 2011), developed a set of
recommendations to improve the security
of internet payments. The
recommendations should be implemented
by 1 February 2015 and addressees are
expected to comply with them all or to be
able to explain and justify any deviation.
This Forum is formed by all the national competent authorities within the European Union (EU)/European Economic Area (EEA) Member States. Its aim is to facilitate common knowledge and understanding, in particular between supervisors of payment service providers (PSPs) and overseers, of issues related to the security of electronic retail payment services and instruments.
In February 2014, the same Forum
developed an assessment guide based on
the recommendations, intended for those
supervisory and oversight authority staff of
the Member States while assessing
compliance.
Concerned about the increase in fraud related to internet payments, the European Banking Authority (EBA), a member of SecuRe Pay, agreed to convert the SecuRe Pay recommendations into EBA guidelines under Article 16 of Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010.
After a consultation process, on 19 December 2014 the EBA published its “Guidelines on the security of internet payments”, with some minor deviations from the original recommendations.
This provides a solid legal basis for the
security of internet payments across all EU
Member States while the revised Payment
Services Directive (known as PSD2) is
finalised in coming years (expected for
2017/18).
Payment Services Providers in the EU are
expected to implement these requirements
by 1st August 2015.
As established by the EBA, all Competent
Authorities (CA) across the EU are expected
to comply with the Guidelines by
incorporating them into their supervisory
practices and amending their legal
framework or their supervisory processes
accordingly.
According to Article 16(3) of the EBA
Regulation, CA must notify the EBA as to
whether they comply or intend to comply,
or otherwise with reasons for non-
compliance, within two months of the
translations of the final guidelines being
published.
Example of the Bank of Spain:
In preparation for this, the Bank of Spain requested from all PSPs a detailed compliance report, to be sent before 30 September (using an Excel template based on the February 2014 assessment guide published by SecuRe Pay).
Scope and applicability
Guidelines on the security of internet payments
Scope and applicability
Mandatory condition
• Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishes a European Supervisory Authority, the European Banking Authority (EBA).
• In accordance with Article 16.3, competent authorities and financial institutions must make every effort to comply with the guidelines issued by the EBA.
• Within 2 months of the issuance of a guideline or recommendation, each competent authority shall confirm whether it complies or intends to comply with that guideline or recommendation. In the event that a competent authority does not comply or does not intend to comply, it shall inform the Authority, stating its reasons.
• Competent authorities should comply by incorporating the guidelines into their supervisory practices as appropriate.
Bank of Spain case
Given the previous context, the Bank of Spain has confirmed its intention to comply with the guidelines and will require the Spanish financial institutions to comply with them.
Scope and applicability
Scope of the guidelines
• The guidelines apply to the provision of payment services offered through the internet by Payment Service Providers (PSP), as defined in Art. 1 of Directive 2007/64/EC.
• They apply irrespective of the access device used.
In scope
• Cards: the execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in ‘wallet solutions’;
• Credit transfers: the execution of credit transfers (CTs) on the internet;
• e-mandate: the issuance and amendment of direct debit electronic mandates;
• e-money: transfers of electronic money between two e-money accounts via the internet.
Out of scope
• Other internet services provided by a PSP via its payment website (e.g. e-brokerage, online contracts);
• Payments where the instruction is given by post, telephone order, voice mail or using SMS-based technology;
• Mobile payments other than browser-based payments;
• CTs where a third party accesses the customer’s payment account;
• Payment transactions made by an enterprise via dedicated networks;
• Card payments using anonymous and non-rechargeable physical or virtual pre-paid cards where there is no ongoing relationship between the issuer and the cardholder;
• Clearing and settlement of payment transactions.
Scope and applicability
Sensitive payment data definition
• The Guidelines do not list the data to be considered in scope, as is done, e.g., by privacy regulation, PCI DSS or similar frameworks.
• The entity being overseen or supervised (the PSP) should provide the supervisor/overseer (the CA) with a list of the elements it considers to be sensitive payment data. On that basis, the overseer/supervisor decides the sensitivity of each element on a case-by-case basis.
• In the context of the Guidelines, sensitive payment data are defined as “data which could be used to carry out fraud”. These include*:
– data enabling a payment order to be initiated;
– data used for authentication;
– data used for ordering payment instruments or authentication tools to be sent to customers;
– data, parameters and software which, if modified, may affect the legitimate party’s ability to verify payment transactions, authorise e-mandates or control the account, such as “black” and “white” lists, customer-defined limits, etc.
* Note that whether data are considered sensitive payment data depends on the circumstances under which they are used. See next slide.
Scope and applicability
Examples of potential sensitive payment data
• The following examples, listed in the SecuRe Pay assessment guide, could, depending on the circumstances under which the data are used, be considered sensitive payment data:
(i) Data enabling a payment order to be initiated
• Payment account identifiers of the customer stored at the PSP (IBAN or equivalent); the BIC should not be considered sensitive data;
• Payment card data (PAN, expiry date, CVx2).
(ii) Data used for authentication
• Customer identifiers (e.g. client number or log-in name);
• Passwords, codes, personal identification numbers (PINs), secret questions;
• Reset passwords/codes;
• Phone number (mobile or landline, when applicable);
• Certificates.
(iii) Data used for ordering payment instruments or authentication tools to be sent to customers
• Client’s postal address;
• Phone number, e-mail address.
(iv) Data, parameters and software
• “Black” and “white” lists, customer-defined limits, etc.;
• Data outlined in (i), (ii) and (iii), depending on applicability and the methods used.
Organization of the guidelines
Guidelines on the security of internet payments
The guidelines
Brief summary of the Guidelines
• The EBA Guidelines constitute harmonised, minimum security recommendations in the fight against payment fraud and aim to increase consumer trust in internet payment services.
• The core recommendation is that the initiation of internet payments, as well as access to sensitive payment data, should be protected by strong customer authentication, to ensure that it is the rightful user, and not a fraudster, initiating a payment.
• The main provisions required are:
– Strong customer authentication
– Log-in attempt limits
– Session and authenticator ‘time out’
– Transaction monitoring
– Defence based on multiple layers
– Customer awareness
– Customer alerts
– Security policies for internet payments
– Risk assessments
– Incident monitoring and reporting
– Tracing of transactions and e-mandates
– Know Your Customer policies
– Customer information
– Secure enrolment for and provision of authentication tools or customer software
The guidelines
Strong customer authentication
• For the purpose of the Guidelines, “Strong customer authentication” is a procedure
based on the use of two or more of the following elements:
– Something only the user knows, e.g. static password, code, personal
identification number.
– Something only the user possesses, e.g. token, smart card, mobile phone.
– Something the user is, e.g. biometric characteristic, such as a fingerprint.
• Elements are categorised as knowledge, ownership and inherence.
• In addition, the elements selected must be mutually independent, i.e. the breach of
one does not compromise the other(s).
• At least one of the elements should be non-reusable and non-replicable (except
for inherence), and not capable of being surreptitiously stolen via the internet.
• The strong authentication procedure should be designed in such a way as to protect
the confidentiality of the authentication data.
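The definition above is a set of rules a PSP can apply mechanically to the elements its log-in or payment flow uses. The following Python script is an added example (not code from this presentation, the EBA or SecuRe Pay) that encodes those rules as a policy check; the element attributes (`category`, `one_time`, `channel`), the modelling of mutual independence as "no shared channel", and the reading that an inherence element satisfies the non-reusable rule are this example's own assumptions.

```python
"""Policy check for the 'strong customer authentication' definition above.
Added example: not code from the presentation, the EBA or SecuRe Pay.
The Element attributes and the rules in check_sca() are modelling assumptions."""
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class Element:
    name: str
    category: str   # KNOWLEDGE, POSSESSION or INHERENCE
    one_time: bool  # non-reusable and non-replicable, e.g. a one-time code
    channel: str    # device/channel whose compromise would expose the element


def check_sca(elements):
    """Return (ok, reasons): ok is True only if every rule of the definition
    holds; reasons lists each rule that fails."""
    reasons = []
    elements = list(elements)
    categories = {e.category for e in elements}
    unknown = categories - {KNOWLEDGE, POSSESSION, INHERENCE}
    if unknown:
        reasons.append("unknown element category: " + ", ".join(sorted(unknown)))
    # Rule 1: two or more elements from different categories.
    if len(elements) < 2 or len(categories) < 2:
        reasons.append("fewer than two distinct categories (knowledge, ownership, inherence)")
    # Rule 2: mutual independence, modelled as "no two elements depend on the
    # same channel", so the breach of one cannot compromise the other.
    channels = [e.channel for e in elements]
    if len(set(channels)) != len(channels):
        reasons.append("elements share a channel, so they are not mutually independent")
    # Rule 3: at least one non-reusable, non-replicable element; inherence is
    # exempted (assumption: a biometric counts as satisfying this rule).
    if not any(e.one_time or e.category == INHERENCE for e in elements):
        reasons.append("no element is non-reusable and non-replicable")
    return (not reasons, reasons)


# Constructed elements used by the demonstration flows.
PASSWORD = Element("static password", KNOWLEDGE, one_time=False, channel="browser")
SMS_OTP = Element("SMS one-time code", POSSESSION, one_time=True, channel="mobile")
BROWSER_OTP = Element("code shown in the same browser session", POSSESSION,
                      one_time=True, channel="browser")
PIN = Element("PIN", KNOWLEDGE, one_time=False, channel="browser")
FINGERPRINT = Element("fingerprint", INHERENCE, one_time=False, channel="phone sensor")


def demo():
    """Evaluate a few constructed flows; returns {flow name: ok}."""
    flows = {
        "password + SMS OTP": [PASSWORD, SMS_OTP],
        "password + PIN": [PASSWORD, PIN],
        "password + OTP in same browser": [PASSWORD, BROWSER_OTP],
        "password + fingerprint": [PASSWORD, FINGERPRINT],
    }
    return {name: check_sca(els)[0] for name, els in flows.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'strong' if ok else 'NOT strong'}")
```

The "OTP in same browser" flow is the case worth noticing: it uses two categories and a one-time code, yet fails because both elements would fall to the same compromised browser, which is exactly what the independence rule is there to catch.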
The guidelines
Guidelines organization
• The SecuRe Pay Forum recommendations, as well as the EBA Guidelines, include 14 recommendations, 54 key considerations (KC) and 12 best practices (BP).
• PSPs and the relevant market participants are encouraged, but not required, to adopt the BP.
• In addition, the SecuRe Pay guide includes several assessment questions for each KC, including potentially relevant supporting documents that should be requested.
• Addressees are expected to “comply or explain”, justifying any deviation. Although this principle was explicitly mentioned in the SecuRe Pay document, it has been removed from the EBA Guidelines. However, the principle still applies through Art. 16 of Regulation (EU) No 1093/2010, which provides a ‘comply or explain’ mechanism for competent authorities.
Guidelines: 14 recommendations in three domains
– General Control and Security Environment: 5 recommendations
– Specific Control and Security Measures: 6 recommendations
– Customer awareness, education and communication: 3 recommendations
The guidelines
General Controls and Security Environment
The first domain covers five recommendations and is focused on general controls and the security environment. This part is closely related to the security policy, the risk assessment report, the change management policy, the incident management policy, audit management and other high-level procedures.
Recommendations
R1.- Governance: PSPs should implement and regularly review a formal security policy for internet payment services.
R2.- Risk assessment: PSPs should carry out and document thorough risk assessments with regard to the security of internet payments and related services, both prior to establishing the service(s) and regularly thereafter.
R3.- Incident monitoring and reporting: PSPs should ensure the consistent and integrated monitoring, handling and follow-up of security incidents, including security-related customer complaints. PSPs should establish a procedure for reporting such incidents to management and, in the event of major payment security incidents, the competent authorities.
R4.- Risk control and mitigation: PSPs should implement security measures in line with their respective security policies in order to mitigate identified risks. These measures should incorporate multiple layers of security defences, where the failure of one line of defence is caught by the next line of defence (‘defence in depth’).
R5.- Traceability: PSPs should have processes in place ensuring that all transactions, as well as the e-mandate process flow, are appropriately traced.
The guidelines
Specific Controls and Security Measures (I)
The second domain covers six recommendations and relates to specific security issues regarding the technology implementations needed to ensure an acceptable level of security in the payment environment: customer identification and authentication, access control policies, monitoring procedures, etc.
Recommendations
R6.- Initial customer identification, information: Customers should be properly identified in line with the European anti-money laundering legislation and confirm their willingness to make internet payments using the services before being granted access to such services. PSPs should provide adequate ‘prior’, ‘regular’ or, where applicable, ‘ad hoc’ information to the customer about the necessary requirements (e.g. equipment, procedures) for performing secure internet payment transactions and the inherent risks.
R7.- Strong customer authentication: The initiation of internet payments, as well as access to sensitive payment data, should be protected by strong customer authentication. PSPs should have a strong customer authentication procedure in line with the definition provided in these guidelines.
R8.- Enrolment for and provision of authentication tools and/or software delivered to the customer: PSPs should ensure that customer enrolment for and the initial provision of the authentication tools required to use the internet payment service and/or the delivery of payment-related software to customers is carried out in a secure manner.
R9.- Log-in attempts, session time out, validity of authentication: PSPs should limit the number of log-in or authentication attempts, define rules for internet payment services session ‘time out’ and set time limits for the validity of authentication.
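R9 bundles three controls that are easy to confuse: a cap on failed log-in attempts, an idle time out on the session, and a separate, shorter validity for the strong authentication itself. The following Python script is an added example (not code from this presentation or the EBA) showing the three as distinct checks in one guard object; the numeric limits, the `AuthenticationGuard` and `FakeClock` names and the return values are this example's own assumptions, since the guideline prescribes no particular values.

```python
"""Log-in attempt limits, session 'time out' and validity of authentication
(recommendation R9). Added example: not code from the presentation or the
EBA. The limits below are constructed values; the guideline sets none."""
import time

MAX_FAILED_ATTEMPTS = 5          # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 15 * 60        # how long the lock lasts
SESSION_IDLE_TIMEOUT = 5 * 60    # a session expires after this much inactivity
AUTH_VALIDITY_SECONDS = 10 * 60  # strong authentication must be repeated after this


class AuthenticationGuard:
    """Tracks failed log-ins, live sessions and the age of each session's
    strong authentication. A clock callable is injected so that tests can
    control time; time.time is used by default."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self._failures = {}   # user -> (consecutive failures, locked_until)
        self._sessions = {}   # session id -> {"user", "last_seen", "authenticated_at"}

    def login(self, user, credential_ok, session_id):
        """Return 'ok', 'denied' or 'locked'. Only a correct credential on an
        unlocked account creates a session."""
        now = self.clock()
        failures, locked_until = self._failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"                 # the credential is not even evaluated
        if not credential_ok:
            failures += 1
            if failures >= MAX_FAILED_ATTEMPTS:
                self._failures[user] = (0, now + LOCKOUT_SECONDS)
                return "locked"
            self._failures[user] = (failures, 0.0)
            return "denied"
        self._failures.pop(user, None)      # success resets the counter
        self._sessions[session_id] = {"user": user, "last_seen": now, "authenticated_at": now}
        return "ok"

    def touch(self, session_id):
        """Validate the session on every request; an idle session is expired."""
        session = self._sessions.get(session_id)
        if session is None:
            return False
        now = self.clock()
        if now - session["last_seen"] > SESSION_IDLE_TIMEOUT:
            del self._sessions[session_id]
            return False
        session["last_seen"] = now
        return True

    def may_initiate_payment(self, session_id):
        """A live session is not enough to initiate a payment: the strong
        authentication has its own validity window, after which the customer
        must authenticate again even though the session is still alive."""
        if not self.touch(session_id):
            return False
        session = self._sessions[session_id]
        return self.clock() - session["authenticated_at"] <= AUTH_VALIDITY_SECONDS


class FakeClock:
    """Constructed clock for the demonstration and the tests."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through lockout, idle time out and authentication validity.
    Returns the sequence of observed results."""
    clock = FakeClock()
    guard = AuthenticationGuard(clock)
    results = []
    for _ in range(MAX_FAILED_ATTEMPTS):
        results.append(guard.login("alice", False, "s1"))   # 4 x denied, then locked
    results.append(guard.login("alice", True, "s1"))        # locked: right credential ignored
    clock.advance(LOCKOUT_SECONDS + 1)
    results.append(guard.login("alice", True, "s1"))        # ok
    clock.advance(SESSION_IDLE_TIMEOUT + 1)
    results.append(guard.touch("s1"))                       # False: idle time out
    results.append(guard.login("alice", True, "s2"))        # ok
    for _ in range(7):                                      # keep the session alive...
        clock.advance(100)
        guard.touch("s2")
    results.append(guard.may_initiate_payment("s2"))        # ...but authentication is too old
    return results


if __name__ == "__main__":
    print(demo())
```

The last step is the one that matters for R9: the session is still valid because the customer kept using it, yet a new payment is refused because the authentication itself is older than its validity window.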
The guidelines
Specific Controls and Security Measures (II)
Recommendations
R10.- Transaction monitoring: Transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions should be operated before the PSP’s final authorisation; suspicious or high-risk transactions should be subject to a specific screening and evaluation procedure. Equivalent security monitoring and authorisation mechanisms should also be in place for the issuance of e-mandates.
R11.- Protection of sensitive payment data: Sensitive payment data should be protected when stored, processed or transmitted.
The guidelines
Customer awareness, education and communication
The third domain relates to one of the cornerstones of security: awareness. Its three recommendations concern how the organisation has structured its education and communication practices, and the review of the procedures in place with the aim of guaranteeing the security of customer information and transactions.
Recommendations
R12.- Customer education and communication: PSPs should provide assistance and guidance to customers, where needed, with regard to the secure use of the internet payment services. PSPs should communicate with their customers in such a way as to reassure them of the authenticity of the messages received.
R13.- Notifications, setting of limits: PSPs should set limits for internet payment services and could provide their customers with options for further risk limitation within these limits. They may also provide alert and customer profile management services.
R14.- Customer access to information on the status of payment initiation and execution: PSPs should confirm to their customers the payment initiation and provide customers in good time with the information necessary to check that a payment transaction has been correctly initiated and/or executed.
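R10 (transaction monitoring before final authorisation) and R13 (PSP-set limits, within which the customer may choose tighter ones) describe one screening step: enforce the limits, then route suspicious payments to a specific evaluation instead of authorising them outright. The following Python script is an added example (not code from this presentation or the EBA) of such a step run over constructed profiles and transactions; the thresholds, the scoring weights, the `country` attribute, the sample IBANs and all names are this example's own assumptions.

```python
"""Pre-authorisation transaction screening (R10) honouring PSP-set and
customer-defined limits (R13). Added example: not code from the presentation
or the EBA. Thresholds, scores and sample data are constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

SECONDS_PER_DAY = 86_400
SECONDS_PER_HOUR = 3_600
VELOCITY_THRESHOLD = 3   # earlier payments within the last hour that count as suspicious
REVIEW_SCORE = 2         # score at which a payment is held for specific screening


@dataclass(frozen=True)
class Transaction:
    customer: str
    amount: float
    payee_iban: str
    country: str   # country inferred for the access device (constructed attribute)
    ts: float      # seconds since the epoch


@dataclass(frozen=True)
class Profile:
    psp_per_tx_limit: float                        # limits the PSP sets for the service
    psp_daily_limit: float
    customer_per_tx_limit: Optional[float] = None  # R13: tighter limits the customer may choose
    customer_daily_limit: Optional[float] = None
    known_payees: FrozenSet[str] = frozenset()
    usual_countries: FrozenSet[str] = frozenset()

    def per_tx_limit(self) -> float:
        """The customer may only tighten the PSP's limit, never loosen it."""
        return min(l for l in (self.psp_per_tx_limit, self.customer_per_tx_limit) if l is not None)

    def daily_limit(self) -> float:
        return min(l for l in (self.psp_daily_limit, self.customer_daily_limit) if l is not None)


def screen(tx: Transaction, profile: Profile, history: List[Transaction]) -> Tuple[str, List[str]]:
    """Decide before the PSP's final authorisation: ('approve'|'review'|'block', reasons).
    history holds the customer's earlier executed transactions."""
    # Hard limits: breaching either blocks the payment outright.
    if tx.amount > profile.per_tx_limit():
        return "block", ["amount exceeds the per-transaction limit"]
    day = int(tx.ts // SECONDS_PER_DAY)
    spent_today = sum(h.amount for h in history if int(h.ts // SECONDS_PER_DAY) == day)
    if spent_today + tx.amount > profile.daily_limit():
        return "block", ["amount would exceed the daily limit"]
    # Risk indicators: each adds to a score; high scores go to specific evaluation.
    reasons, score = [], 0
    if tx.payee_iban not in profile.known_payees:
        reasons.append("first payment to this payee")
        score += 1
    if tx.country not in profile.usual_countries:
        reasons.append("access from an unusual country")
        score += 2
    recent = [h for h in history if 0 <= tx.ts - h.ts <= SECONDS_PER_HOUR]
    if len(recent) >= VELOCITY_THRESHOLD:
        reasons.append("high transaction velocity")
        score += 1
    return ("review" if score >= REVIEW_SCORE else "approve"), reasons


# Constructed sample data (the IBANs are placeholders, not real accounts).
KNOWN_PAYEE = "ES0000000000000000000001"
NEW_PAYEE = "ES0000000000000000000002"
PROFILE = Profile(psp_per_tx_limit=5000, psp_daily_limit=10000,
                  customer_per_tx_limit=1000, customer_daily_limit=2000,
                  known_payees=frozenset({KNOWN_PAYEE}), usual_countries=frozenset({"ES"}))
BASE = 1_700_000_000.0


def demo():
    """Screen four constructed payments for customer 'c1'; returns the decisions."""
    history = [Transaction("c1", 900, KNOWN_PAYEE, "ES", BASE - 1200),
               Transaction("c1", 900, KNOWN_PAYEE, "ES", BASE - 600)]
    cases = {
        "over customer limit": Transaction("c1", 1500, KNOWN_PAYEE, "ES", BASE),
        "over daily limit": Transaction("c1", 300, KNOWN_PAYEE, "ES", BASE),
        "routine": Transaction("c1", 100, KNOWN_PAYEE, "ES", BASE),
        "new payee from abroad": Transaction("c1", 100, NEW_PAYEE, "FR", BASE),
    }
    return {name: screen(tx, PROFILE, history)[0] for name, tx in cases.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The "over customer limit" case is blocked by the customer's own 1000 limit even though the PSP would allow 5000, which is the R13 point; the "new payee from abroad" case breaches no limit at all and is held for review rather than blocked, which is the R10 point.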
Conclusions
Guidelines on the security of internet payments
Conclusions
• Considering the rising levels of fraud observed in internet payments in recent years, a timely and consistent regulatory response was necessary while waiting for the revision of the Payment Services Directive.
• The latest pan-EU figures showed that fraud on card internet payments alone caused €794 million of losses in 2012 (up 21.2% from the previous year; see the ECB report).
• SecuRe Pay’s efforts on internet payments worked in this direction. On top of that, the EBA guidelines provide the legal basis for achieving a level playing field for all PSPs across the EU.
• A significant aspect that most EU countries have been missing in recent years is the need to share relevant information with customers, as well as the benefit of reporting security incident information to the authorities.
• Undoubtedly, every new framework requires time and effort to be implemented. While most of the controls have been common practice for all PSPs, others may require new investments. Such is the case of strong customer authentication, where many PSPs have reported not being compliant.
• However, the EBA Guidelines have been welcomed by all of the Competent Authorities, and it is about time we start noticing their effect as customers.
Thanks for your attention
For more information, feel free to contact
the author using Linkedin
es.linkedin.com/in/jmnietomoreno

Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Pereraictsugar
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdfKhaled Al Awadi
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMintel Group
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesKeppelCorporation
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxmbikashkanyari
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCRashishs7044
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Riya Pathan
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Seta Wicaksana
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfJos Voskuil
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationAnamaria Contreras
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCRashishs7044
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCRashishs7044
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03DallasHaselhorst
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfShashank Mehta
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environmentelijahj01012
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCRashishs7044
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menzaictsugar
 

Recently uploaded (20)

Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Perera
 
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdfNewBase  19 April  2024  Energy News issue - 1717 by Khaled Al Awadi.pdf
NewBase 19 April 2024 Energy News issue - 1717 by Khaled Al Awadi.pdf
 
Market Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 EditionMarket Sizes Sample Report - 2024 Edition
Market Sizes Sample Report - 2024 Edition
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptxThe-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
The-Ethical-issues-ghhhhhhhhjof-Byjus.pptx
 
8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR8447779800, Low rate Call girls in Rohini Delhi NCR
8447779800, Low rate Call girls in Rohini Delhi NCR
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 
Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...Ten Organizational Design Models to align structure and operations to busines...
Ten Organizational Design Models to align structure and operations to busines...
 
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCREnjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement Presentation
 
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
8447779800, Low rate Call girls in Uttam Nagar Delhi NCR
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03Cybersecurity Awareness Training Presentation v2024.03
Cybersecurity Awareness Training Presentation v2024.03
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 
Cyber Security Training in Office Environment
Cyber Security Training in Office EnvironmentCyber Security Training in Office Environment
Cyber Security Training in Office Environment
 
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR8447779800, Low rate Call girls in Tughlakabad Delhi NCR
8447779800, Low rate Call girls in Tughlakabad Delhi NCR
 
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu MenzaYouth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
Youth Involvement in an Innovative Coconut Value Chain by Mwalimu Menza
 

European Banking Authority Guidelines on the Security of Internet Payments

  • 1. European Banking Authority Guidelines on the Security of Internet Payments. Public presentation.
  • 2. Document summary
     This document presents the “Guidelines on the security of internet payments” issued by the European Banking Authority on 19 December 2014.
     The Guidelines are based on the recommendations of the European Forum on the Security of Retail Payments (SecuRe Pay), a voluntary cooperative initiative set up by the ECB and comprising relevant authorities from the European Economic Area (EEA).
     The guidelines set the minimum security requirements that Payment Services Providers in the EU will be expected to implement by 1 August 2015, covering services related to cards, credit transfers, e-mandate and e-money.
     The Author: Juan Manuel Nieto Moreno, SIA Group Information Security Technical Coordinator. Computer Engineer. CISA, CISM, LA BS7799, PCI-DSS QSA, ITIL v3. es.linkedin.com/in/jmnietomoreno
  • 3. Content summary: EBA Guidelines on the Security of Internet Payments
     • Background information
     • Scope and applicability
     • Organization of the guidelines
     • Conclusions
  • 4. Background information (EBA Guidelines on the Security of Internet Payments)
  • 5. Background information: main actors
     SecuRe Pay (Security of Retail Payments) is a voluntary cooperative initiative set up by the European Central Bank and comprising relevant authorities from the European Economic Area (EEA), with the aim of facilitating understanding of issues related to the security of electronic retail payment services.
     European Banking Authority (EBA): the EBA is an independent EU Authority which works to ensure effective and consistent prudential regulation and supervision across the European banking sector.
     Competent Authorities (CA): CA refers, in general, to the national banks that are members of the European System of Central Banks, e.g. Bank of Spain, Deutsche Bundesbank, Bundesanstalt, Financial Services Authority, etc.
     Payment Service Providers (PSP): PSP refers to the bodies defined in Article 1(1) of Directive 2007/64/EC, the Payment Services Directive:
     (a) credit institutions within the meaning of Article 4(1)(a) of Directive 2006/48/EC;
     (b) electronic money institutions within the meaning of Article 1(3)(a) of Directive 2000/46/EC;
     (c) post office giro institutions which are entitled under national law to provide payment services;
     (d) payment institutions within the meaning of this Directive;
     (e) the European Central Bank and national central banks when not acting in their capacity as monetary authority or other public authorities;
     (f) Member States or their regional or local authorities when not acting in their capacity as public authorities.
  • 6. Background information: from the SecuRe Pay recommendations to the EBA Guidelines
     SecuRe Pay. In January 2013, the European Forum on the Security of Retail Payments, SecuRe Pay (set up in 2011), developed a set of recommendations to improve the security of internet payments. The recommendations should be implemented by 1 February 2015, and addressees are expected to comply with them all or to be able to explain and justify any deviation. The Forum is formed by all the national and competent authorities within the European Union (EU)/European Economic Area (EEA) Member States. Its aim is to facilitate common knowledge and understanding, in particular between supervisors of payment service providers (PSPs) and overseers, of issues related to the security of electronic retail payment services and instruments. In February 2014, the same Forum developed an assessment guide based on the recommendations, intended for the supervisory and oversight authority staff of the Member States when assessing compliance.
     European Banking Authority. Concerned about the increase in fraud related to internet payments, the European Banking Authority (EBA), a member of SecuRe Pay, agreed to convert the SecuRe Pay recommendations into EBA guidelines under Article 16 of the EBA Regulation No 1093/2010 of the European Parliament and of the Council of 24 November 2010. After a consultation process, on 19 December 2014 the EBA published its “Guidelines on the security of internet payments”, with some minor deviations. This provides a solid legal basis for the security of internet payments across all EU Member States while the revised Payment Services Directive (known as PSD2) is finalised in the coming years (expected for 2017/18). Payment Services Providers in the EU are expected to implement these requirements by 1 August 2015.
     Competent Authorities. As established by the EBA, all Competent Authorities (CA) across the EU are expected to comply with the Guidelines by incorporating them into their supervisory practices and amending their legal framework or their supervisory processes accordingly. According to Article 16(3) of the EBA Regulation, CAs must notify the EBA as to whether they comply or intend to comply, or otherwise give reasons for non-compliance, within two months of the translations of the final guidelines being published. Example of the Bank of Spain: in preparation for this, the Bank of Spain requested from all PSPs a detailed report of compliance to be sent before 30 September (using an Excel template based on the February 2014 assessment guide published by SecuRe Pay).
  • 7. Scope and applicability (Guidelines on the security of internet payments)
  • 8. Scope and applicability: mandatory condition
     • Regulation (EU) No 1093/2010 of the European Parliament and of the Council of 24 November 2010 establishes a European Supervisory Authority, the European Banking Authority (EBA).
     • In accordance with Article 16.3, competent authorities and financial institutions must make every effort to comply with the guidelines issued by the EBA.
     • Within 2 months of the issuance of a guideline or recommendation, each competent authority shall confirm whether it complies or intends to comply with that guideline or recommendation. In the event that a competent authority does not comply or does not intend to comply, it shall inform the Authority, stating its reasons.
     • Competent authorities should comply by incorporating the guidelines into their supervisory practices as appropriate.
     Bank of Spain case: given the previous context, the Bank of Spain has confirmed its intention to comply with the guidelines and will require the Spanish financial institutions to comply with them.
  • 9. Scope and applicability: scope of the guidelines
     • The guidelines apply to the provision of payment services offered through the internet by Payment Service Providers (PSP), as defined in Art. 1 of Directive 2007/64/EC.
     • They apply irrespective of the access device used.
     In scope:
     – Cards: the execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in ‘wallet solutions’;
     – Credit transfers: the execution of credit transfers (CTs) on the internet;
     – e-mandate: the issuance and amendment of direct debit electronic mandates;
     – e-money: transfers of electronic money between two e-money accounts via the internet.
     Out of scope:
     – Other internet services provided by a PSP via its payment website (e.g. e-brokerage, online contracts);
     – Payments where the instruction is given by post, telephone order, voice mail or using SMS-based technology;
     – Mobile payments other than browser-based payments;
     – CTs where a third party accesses the customer’s payment account;
     – Payment transactions made by an enterprise via dedicated networks;
     – Card payments using anonymous and non-rechargeable physical or virtual pre-paid cards where there is no ongoing relationship between the issuer and the cardholder;
     – Clearing and settlement of payment transactions.
  • 10. Scope and applicability: sensitive payment data definition
     • The Guidelines do not list the data to be considered under the scope, as is done, e.g., by privacy regulation, PCI DSS or similar frameworks.
     • The entity being overseen or supervised (PSP) should provide the supervisor/overseer (CA) with a list of the elements considered to be sensitive payment data. On this basis, the overseer/supervisor will decide on sensitivity case by case.
     • In the context of the Guidelines, sensitive payment data is defined as “data which could be used to carry out fraud”. These include*:
     – data enabling a payment order to be initiated;
     – data used for authentication;
     – data used for ordering payment instruments or authentication tools to be sent to customers;
     – data, parameters and software which, if modified, may affect the legitimate party’s ability to verify payment transactions, authorise e-mandates or control the account, such as “black” and “white” lists, customer-defined limits, etc.
     * Note that whether data are considered sensitive payment data depends on the circumstances under which they are used. See next slide.
  • 11. Scope and applicability: examples of potential sensitive payment data
     • The following examples listed in the SecuRe Pay assessment guide could, depending on the circumstances under which the data are used, be considered as sensitive payment data:
     (i) Data enabling a payment order to be initiated
     – Payment account identifiers of the customer stored at the PSP (IBAN or equivalent); the BIC should not be considered sensitive data;
     – Payment card data (PAN, expiry date, CVx2);
     (ii) Data used for authentication
     – Customer identifiers (e.g. client number or log-in name);
     – Passwords, codes, personal identification numbers (PINs), secret questions;
     – Reset passwords/codes;
     – Phone number (mobile or landline, when applicable);
     – Certificates;
     (iii) Data used for ordering payment instruments or authentication tools to be sent to customers
     – Client’s postal address;
     – Phone number, e-mail address;
     (iv) Data, parameters and software
     – “Black” and “white” lists, customer-defined limits, etc.;
     – Data outlined in (i), (ii) and (iii), depending on applicability and methods used.
  • 12. Organization of the guidelines (Guidelines on the security of internet payments)
  • 13. The guidelines: brief summary of the Guidelines
     • The EBA Guidelines constitute harmonised, minimum security recommendations in the fight against payment fraud and aim to increase consumer trust in internet payment services.
     • The core recommendation is that the initiation of internet payments, as well as access to sensitive payment data, should be protected by strong customer authentication, to ensure that it is the rightful user, and not a fraudster, initiating a payment.
     • The main provisions required include:
     – Strong customer authentication
     – Log-in attempt limits
     – Session and authenticator ‘time out’
     – Transaction monitoring
     – Defence based on multiple layers
     – Customer awareness
     – Customer alerts
     – Security policies for internet payments
     – Risk assessments
     – Incident monitoring and reporting
     – Tracing of transactions and e-mandates
     – Know Your Customer policies
     – Customer information
     – Secure enrolment for and provision of authentication tools or customer software
  • 14. The guidelines: strong customer authentication
     • For the purpose of the Guidelines, “strong customer authentication” is a procedure based on the use of two or more of the following elements:
     – Something only the user knows, e.g. static password, code, personal identification number.
     – Something only the user possesses, e.g. token, smart card, mobile phone.
     – Something the user is, e.g. a biometric characteristic, such as a fingerprint.
     • The elements are categorised as knowledge, ownership and inherence.
     • In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s).
     • At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet.
     • The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.
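The three rules of the definition above (two or more categories, mutual independence, at least one non-reusable and non-replicable element that cannot be stolen via the internet) as an added Python checker; this is example code written for this page, not from the presentation or the EBA text. The element attributes, the "shared trust anchor" model used for mutual independence, and the sample element sets are constructed assumptions.

```python
"""Evaluate a candidate set of authentication elements against the guideline's
definition of strong customer authentication (SCA). Added example; the element
attributes and the sample data below are constructed, not taken from the EBA text."""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses ("ownership")
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class AuthElement:
    name: str
    factor: Factor
    reusable: bool            # can the same value be presented again (e.g. a static password)?
    replicable: bool          # can it be copied without the user noticing?
    internet_stealable: bool  # can it be captured surreptitiously via the internet?
    # Assumption: trust anchors the element relies on (a device, a channel). Two
    # elements sharing an anchor are not mutually independent, because breaching
    # that anchor breaches both of them.
    depends_on: frozenset


@dataclass
class ScaVerdict:
    compliant: bool
    findings: list


def _is_dynamic(e: AuthElement) -> bool:
    """Rule 3 per element: non-reusable, non-replicable (the replicability test is
    not applied to inherence, per the 'except for inherence' clause) and not
    capable of being stolen via the internet."""
    if e.internet_stealable:
        return False
    if e.factor is Factor.INHERENCE:
        return True
    return not e.reusable and not e.replicable


def evaluate_sca(elements: tuple) -> ScaVerdict:
    """Return a verdict with one finding per rule the element set violates."""
    findings = []
    # Rule 1: two or more of knowledge, possession, inherence.
    if len({e.factor for e in elements}) < 2:
        findings.append("fewer than two distinct element categories")
    # Rule 2: mutual independence (no shared trust anchor between any pair).
    for i, a in enumerate(elements):
        for b in elements[i + 1:]:
            shared = a.depends_on & b.depends_on
            if shared:
                findings.append(f"{a.name} and {b.name} are not mutually independent "
                                f"(shared anchor: {sorted(shared)})")
    # Rule 3: at least one element is non-reusable, non-replicable and safe from online theft.
    if not any(_is_dynamic(e) for e in elements):
        findings.append("no element is non-reusable, non-replicable and safe from online theft")
    return ScaVerdict(compliant=not findings, findings=findings)


# Constructed sample elements (assumed attributes, for illustration only).
PASSWORD = AuthElement("static password", Factor.KNOWLEDGE, True, True, True, frozenset())
SECRET_QUESTION = AuthElement("secret question", Factor.KNOWLEDGE, True, True, True, frozenset())
HW_TOKEN_OTP = AuthElement("hardware token OTP", Factor.POSSESSION, False, False, False, frozenset({"token"}))
APP_PASSWORD = AuthElement("password typed in phone app", Factor.KNOWLEDGE, True, True, True, frozenset({"phone"}))
SMS_OTP = AuthElement("SMS OTP sent to the same phone", Factor.POSSESSION, False, False, False, frozenset({"phone"}))
FINGERPRINT = AuthElement("fingerprint", Factor.INHERENCE, True, True, False, frozenset({"phone"}))

PASSWORD_ONLY = (PASSWORD, SECRET_QUESTION)          # two knowledge elements, both static
PASSWORD_PLUS_TOKEN = (PASSWORD, HW_TOKEN_OTP)       # knowledge + possession, OTP is dynamic
PASSWORD_PLUS_FINGERPRINT = (PASSWORD, FINGERPRINT)  # inherence counts as the dynamic element
SAME_DEVICE = (APP_PASSWORD, SMS_OTP)                # two categories, but one compromised phone breaks both

if __name__ == "__main__":
    for label, combo in [("password only", PASSWORD_ONLY), ("password + token", PASSWORD_PLUS_TOKEN),
                         ("password + fingerprint", PASSWORD_PLUS_FINGERPRINT), ("same device", SAME_DEVICE)]:
        verdict = evaluate_sca(combo)
        print(f"{label}: {'compliant' if verdict.compliant else 'NOT compliant'} {verdict.findings}")
```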
  • 15. The guidelines: organization of the Guidelines
     • The SecuRe Pay Forum recommendations, as well as the EBA Guidelines, include 14 recommendations, 54 key considerations (KC) and 12 best practices (BP).
     • PSPs and the relevant market participants are encouraged, but not required, to adopt the BP.
     • In addition, the SecuRe Pay guide includes several assessment questions for each KC, including potentially relevant supporting documents that should be requested.
     • Addressees are expected to “comply or explain”, justifying any deviation. Although this principle was specifically mentioned in the SecuRe Pay document, it has been removed from the EBA Guidelines. However, the principle still applies through Art. 16 of Regulation (EU) No 1093/2010, which provides a ‘comply or explain mechanism’ for competent authorities.
     The 14 recommendations are grouped into three domains: General Control and Security Environment (5 recommendations), Specific Control and Security Measures (6 recommendations), and Customer awareness, education and communication (3 recommendations).
  • 16. The guidelines: General Controls and Security Environment
     The first domain covers five recommendations and focuses on general controls and the security environment. This part is closely related to the security policy, the risk assessment report, the change management policy, the incident management policy, audit management and other high-level procedures.
     Recommendations:
     – R1.- Governance: PSPs should implement and regularly review a formal security policy for internet payment services.
     – R2.- Risk assessment: PSPs should carry out and document thorough risk assessments with regard to the security of internet payments and related services, both prior to establishing the service(s) and regularly thereafter.
     – R3.- Incident monitoring and reporting: PSPs should ensure the consistent and integrated monitoring, handling and follow-up of security incidents, including security-related customer complaints. PSPs should establish a procedure for reporting such incidents to management and, in the event of major payment security incidents, to the competent authorities.
     – R4.- Risk control and mitigation: PSPs should implement security measures in line with their respective security policies in order to mitigate identified risks. These measures should incorporate multiple layers of security defences, where the failure of one line of defence is caught by the next line of defence (‘defence in depth’).
     – R5.- Traceability: PSPs should have processes in place ensuring that all transactions, as well as the e-mandate process flow, are appropriately traced.
  • 17. The guidelines: Specific Controls and Security Measures (I)
     The second domain covers six recommendations and relates to specific security issues regarding the technology implementations needed to ensure an acceptable payment security environment: customer identification and authentication, access control policies, monitoring procedures, etc.
     Recommendations:
     – R6.- Initial customer identification, information: Customers should be properly identified in line with European anti-money laundering legislation and confirm their willingness to make internet payments using the services before being granted access to such services. PSPs should provide adequate ‘prior’, ‘regular’ or, where applicable, ‘ad hoc’ information to the customer about the necessary requirements (e.g. equipment, procedures) for performing secure internet payment transactions and the inherent risks.
     – R7.- Strong customer authentication: The initiation of internet payments, as well as access to sensitive payment data, should be protected by strong customer authentication. PSPs should have a strong customer authentication procedure in line with the definition provided in these guidelines.
     – R8.- Enrolment for and provision of authentication tools and/or software delivered to the customer: PSPs should ensure that customer enrolment for and the initial provision of the authentication tools required to use the internet payment service and/or the delivery of payment-related software to customers is carried out in a secure manner.
     – R9.- Log-in attempts, session time out, validity of authentication: PSPs should limit the number of log-in or authentication attempts, define rules for internet payment services session ‘time out’ and set time limits for the validity of authentication.
  • 18. The guidelines: Specific Controls and Security Measures (II)
     The second domain covers six recommendations and relates to specific security issues regarding the technology implementations needed to ensure an acceptable payment security environment: customer identification and authentication, access control policies, monitoring procedures, etc.
     Recommendations:
     – R10.- Transaction monitoring: Transaction monitoring mechanisms designed to prevent, detect and block fraudulent payment transactions should be operated before the PSP’s final authorisation; suspicious or high-risk transactions should be subject to a specific screening and evaluation procedure. Equivalent security monitoring and authorisation mechanisms should also be in place for the issuance of e-mandates.
     – R11.- Protection of sensitive payment data: Sensitive payment data should be protected when stored, processed or transmitted.
  • 19. The guidelines: Customer awareness, education and communication
     The third domain relates to one of the cornerstones of security: awareness. The three recommendations concern how the organization has structured its education and communication practices, and the review of the procedures in place to guarantee customer information and transaction security.
     Recommendations:
     – R12.- Customer education and communication: PSPs should provide assistance and guidance to customers, where needed, with regard to the secure use of the internet payment services. PSPs should communicate with their customers in such a way as to reassure them of the authenticity of the messages received.
     – R13.- Notifications, setting of limits: PSPs should set limits for internet payment services and could provide their customers with options for further risk limitation within these limits. They may also provide alert and customer profile management services.
     – R14.- Customer access to information on the status of payment initiation and execution: PSPs should confirm to their customers the payment initiation and provide customers in good time with the information necessary to check that a payment transaction has been correctly initiated and/or executed.
  • 20. Conclusions (Guidelines on the security of internet payments)
  • 21. Conclusions
     • Considering the rising levels of fraud observed in internet payments during recent years, a timely and consistent regulatory response was necessary while waiting for the revision of the Payment Services Directive.
     • The latest pan-EU figures showed that fraud on card internet payments alone caused €794 million of losses in 2012 (up by 21.2% from the previous year; see the ECB report).
     • SecuRe Pay’s efforts on internet payments worked in this direction. On top of that, the EBA guidelines provide the legal basis for achieving a level playing field for all PSPs across the EU.
     • A significant aspect that most EU countries have been missing in recent years is the need to share relevant information with customers, as well as the benefit of reporting security incident information to the authorities.
     • Undoubtedly, every new framework requires time and effort to implement. While most of the controls have been common practice for all PSPs, others may require new investment. Such is the case of strong customer authentication, where many PSPs have reported that they are not compliant.
     • However, the EBA Guidelines have been welcomed by all of the Competent Authorities, and it is about time for customers to start noticing their effect.
  • 22. Thanks for your attention. For more information, feel free to contact the author via LinkedIn: es.linkedin.com/in/jmnietomoreno

Editor's Notes

  1. http://www.tagxedo.com/app.html Secure Pay European Banking Authority EBA Competent Authorities CA Payment Service Providers PSP Payment Service Directive PSD Payment integrators Cards Credit transfers e-mandate e-money