Recommendations of the European Central Bank on Internet Payment Security

The European Central Bank issued recommendations to establish a harmonized minimum level of security for internet payments across the EU/EEA, addressing the higher fraud rates associated with online transactions. The document mandates that payment service providers implement strong customer authentication, conduct regular risk assessments, and deploy effective transaction monitoring and authorization processes. It further requires robust corporate governance, incident reporting, and client education programs to mitigate risks and enhance consumer trust in electronic payment services.

Polish Financial Supervision Authority (Poland)

Recommendations on Internet Payment Security
Final version after public consultation
Polish language version

1 General Part

This report presents a set of recommendations aimed at raising the level of security of internet payments. These recommendations were developed by the Secure Payment Forum (SecuRe Pay – European Forum on the Security of Retail Payments; hereinafter the Forum). The Forum was established in 2011 as a voluntary cooperation initiative among supervisory authorities. Its objective is to promote knowledge and a uniform understanding – particularly among supervisors of payment service providers – regarding issues related to the security of electronic retail payment services and instruments provided in the Member States of the European Union (EU) / the European Economic Area (EEA). The Forum's work focuses on the entire processing chain of electronic retail payment services (excluding cheques and cash), regardless of the type of electronic channel. The Forum aims to address areas where significant weaknesses and vulnerabilities are identified, and, where appropriate, to issue recommendations. The ultimate goal is to support the creation of a harmonized minimum level of security in the EU / EEA. The supervisory authorities participating in the Forum's work are listed in the annex.

Given that internet payments are currently perceived by regulators, legislators, payment service providers, and the public as being associated with a higher incidence of fraud compared to traditional payment methods[1], the Forum decided to develop recommendations on internet payment security. They reflect the experience of supervisory authorities in their home countries and take into account the results of public consultations.[2]

[1] Currently available EU data on payment fraud is limited. However, according to the UK industry organization Financial Fraud Action UK and the French organization Observatoire de la sécurité des cartes de paiement, fraud in card payments made without the physical presence of the card has become the predominant group of payment fraud. See also: “Report on card fraud”, European Central Bank (July 2012).
[2] Public consultations on the recommendations were conducted from mid-April to June 2012.

It is expected that the development of European harmonized recommendations on internet payment security will contribute to combating payment fraud and increasing consumer trust in internet payments. This report also defines good practices, which payment service providers, payment system operators, and other market participants (e.g., internet merchants) are encouraged to implement. These good practices are important because the security of internet payments depends on the responsible behavior of all market participants.

Scope and Addressees

Unless otherwise indicated, the recommendations and descriptions of key issues and good practices contained in this report apply to all payment service providers – as defined in the Payment Services Directive[3] – providing internet payment services, as well as to payment system operators[4] (including card payment systems, transfer systems, direct debit systems, etc.). The aim of this report is to define common, minimum requirements for the internet payment services listed below, regardless of the access device used:
• [cards] execution of card payments over the internet, including the use of virtual cards, as well as the storage of card payment data for use in “virtual wallets”;
• [credit transfers] execution of credit transfers over the internet;
• [direct debits] issuance and modification of electronic direct debits;
• [e-money] e-money transfers between two accounts via the internet.

Payment integrators[5] offering payment initiation services are considered either as settlement agents in the context of internet payment services (and thus as payment service providers), or as external technical service providers of the relevant payment systems. In the latter case, payment integrators should be contractually obliged to comply with the recommendations.

Excluded from the scope of application of the recommendations, key issues, and good practices are:
• other internet services provided by payment service providers through their websites (e.g., electronic brokerage and investment services, online contracts);
• payments ordered via traditional mail, telephone, voice mail, or using SMS-based technology;

[3] Directive 2007/64/EC of the European Parliament and of the Council of 13 November 2007 on payment services in the internal market amending Directives 97/7/EC, 2002/65/EC, 2005/60/EC and 2006/48/EC and repealing Directive 97/5/EC.
[4] A payment system operator is responsible for the overall functioning of the system promoting a given payment instrument and for ensuring that all parties act in accordance with the rules of the system. Furthermore, it is responsible for ensuring the system's compliance with supervisory standards. See: “Harmonised oversight approach and oversight standards for payment instruments”, European Central Bank (February 2012).
[5] Payment integrators provide payees (i.e., merchants) with a standardized interface for payment initiation services provided by payment service providers.

• mobile payments other than those executed using a web browser[6];
• credit transfers where a third party accesses the client's payment account;
• payment transactions carried out by enterprises via dedicated networks;
• card payments made using anonymous, one-time physical or virtual prepaid cards, where there is no enduring relationship between the issuer and the cardholder;
• settlement of payment transactions.

Guiding Principles

The recommendations are based on four guiding principles.

First, payment service providers and payment system operators should conduct detailed assessments of the risks associated with providing internet payment services, which should be regularly updated in accordance with changes in internet security threats and fraud mechanisms. Risks in this area have been identified in the past, for example, by the Bank for International Settlements (BIS) in 2003[7] and by the Federal Financial Institutions Examination Council (FFIEC) in 2005 and 2011[8][9]. However, due to the pace of technological progress and the introduction of new internet payment methods, and the fact that criminals have become more organized and their attacks more sophisticated, regular assessment of these risks is extremely important.

Second, the general rule is that the initiation of internet payments and access to sensitive payment data should be protected by strong customer authentication. For the purposes of this report, sensitive payment data is defined as data that can be used to commit fraud, including data enabling the initiation of a payment order, data used for authentication, data used by customers to order payment instruments or authentication tools, as well as data, parameters, and software that – if modified – could affect the ability of the authorized party to verify payment transactions, authorize credit transfers, or control accounts, such as “black” or “white” lists, customer-defined limits, etc.

Strong customer authentication is a procedure based on two or more of the following elements – classified as knowledge, possession, and inherence of the customer:
i) something only the user knows, e.g., static password, code, personal identification number;
ii) something only the user possesses, e.g., token, smart card, mobile phone;
iii) something the user is, e.g., based on biometric characteristics such as a fingerprint.
Additionally, the selected elements must be mutually independent, i.e., a security breach of one does not compromise the others. At least one of the elements must be impossible to reuse and impossible to replicate (with the exception of inherence characteristics), as well as impossible to obtain covertly and without authorization via the internet. The strong customer authentication procedure should be designed to ensure the confidentiality of authentication data. From the Forum's perspective, payment service providers lacking or having only weak authentication procedures cannot – in the event of a disputed transaction – provide proof that the user authorized the transaction.

Third, payment service providers should implement effective transaction authorization processes, as well as transaction and system monitoring to identify atypical customer payment behavior patterns and counteract fraud.

Fourth, payment service providers and payment system operators should engage in programs to educate and raise customer awareness regarding security issues related to the use of internet payment services, with a view to enabling customers[10] to use such services safely and effectively.

To allow for adaptation to continuous technological innovation, the recommendations have been formulated as generally as possible. However, the Forum is aware that new threats may arise at any time, and therefore the recommendations will be reviewed periodically.

This report does not specify particular technical or security solutions, nor does it redefine or suggest changes to existing industry technical standards or supervisory expectations in the areas of data protection and business continuity. When assessing compliance with the recommendations, supervisory authorities may take into account compliance with relevant international standards. Although the recommendations point to certain solutions, the same results can be achieved by other means.

The recommendations presented in this report define minimum expectations. They do not limit the liability of payment service providers, payment system operators, and other market participants for monitoring and assessing risks associated with their payment operations, developing their own detailed security policies, and implementing appropriate security measures, contingency planning, incident management, and business continuity plans, commensurate with the risks associated with the payment services provided.
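The strong customer authentication definition above (two or more mutually independent elements, at least one of which cannot be reused) is illustrated by the following added example. It is not code from the Forum's report: it combines a knowledge factor (a password kept only as a salted PBKDF2 hash) with a possession factor (an RFC 6238 time-based one-time code from a token the customer holds), and records each accepted time step so that a captured code cannot be presented a second time. The enrolment routine, the `Customer` record and the 30-second window are assumptions made for the illustration.

```python
"""Strong customer authentication with two independent factors (example code,
not from the report). Knowledge: password stored as a salted PBKDF2 hash.
Possession: RFC 6238 TOTP code from the customer's token. The TOTP code is the
non-reusable element: each accepted time step is recorded and any code for that
step (or an earlier one) is refused afterwards."""
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass
from typing import Optional

TOTP_STEP = 30          # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 200_000


def totp_code(secret: bytes, step_counter: int, digits: int = TOTP_DIGITS) -> str:
    """HOTP (RFC 4226) truncation over a TOTP step counter (RFC 6238), HMAC-SHA1."""
    digest = hmac.new(secret, struct.pack(">Q", step_counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


@dataclass
class Customer:
    """Assumed customer record; field names are this example's own."""
    username: str
    salt: bytes
    password_hash: bytes            # knowledge factor: only the hash is stored
    totp_secret: bytes              # possession factor: shared with the customer's token only
    last_accepted_step: int = -1    # replay guard: highest TOTP step already consumed


def enrol(username: str, password: str) -> Customer:
    """Hypothetical enrolment: derive the password hash and issue a fresh token secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Customer(username, salt, pw_hash, totp_secret=os.urandom(20))


def verify_knowledge(c: Customer, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), c.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, c.password_hash)


def match_possession(c: Customer, code: str, now: float) -> Optional[int]:
    """Return the time step the code matches (current step, or one either side to
    absorb clock drift), or None. Steps at or below the last accepted one are
    skipped, so a code that has already been used is never accepted again.
    Nothing is mutated here; the caller commits only after both factors pass."""
    current = int(now // TOTP_STEP)
    for step in (current - 1, current, current + 1):
        if step <= c.last_accepted_step:
            continue
        if hmac.compare_digest(totp_code(c.totp_secret, step), code):
            return step
    return None


def strong_authenticate(c: Customer, password: str, code: str,
                        now: Optional[float] = None) -> bool:
    """Both factors must succeed. The two values are unrelated, so learning one
    reveals nothing about the other; in a real deployment the token secrets would
    be held in a separate, access-restricted store (e.g. a security module) so that
    a single breach does not expose both factors."""
    now = time.time() if now is None else now
    knowledge_ok = verify_knowledge(c, password)
    step = match_possession(c, code, now)   # always evaluated; the result does not say which factor failed
    if not (knowledge_ok and step is not None):
        return False
    c.last_accepted_step = step             # consume the one-time code
    return True
```

The replay guard is the point of the example: after a successful login the accepted step is stored, and `match_possession` refuses that step and every earlier one, so a code observed in transit is worthless once it has been used. The `totp_code` function can be checked against the RFC 4226 test vectors (secret `12345678901234567890`, counters 0 and 1 give `755224` and `287082`).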

[10] Customers refer to both consumers and businesses for whom payment services are provided.

Implementation

This report contains 14 recommendations aimed at promoting internet payment security. Each recommendation is clarified by descriptions of so-called “Key Considerations” (KC), which should be read together with the recommendations to fully understand the minimum expectations for compliance. Addressees are expected to comply with both the recommendations and the key considerations, or to be able to explain and justify any non-compliance upon request by the relevant supervisory authorities (the “comply or explain” principle). Furthermore, the report presents Good Practices (GP), which payment service providers, payment system operators, and relevant market participants are encouraged to apply.

The legal basis for the implementation of the recommendations by national supervisory authorities is national legislation transposing the Payment Services Directive and/or existing supervisory competences of the relevant authorities. Forum members feel obliged to support the implementation of the recommendations in their countries and will include them in their supervision. The Forum will also strive to ensure effective and consistent implementation across countries and may cooperate with relevant authorities for this purpose. The recommendations should be implemented by payment service providers and payment system operators by 1 February 2015, although national authorities may, where appropriate, set a shorter transitional period.

Structure of the Report

The recommendations are divided into three categories:

General Control and Security Environment of Platforms Supporting Internet Payment Services. Within their risk management procedures, payment service providers should assess the adequacy of internal control mechanisms in the context of internal and external risk scenarios. Recommendations belonging to the first category relate to issues concerning corporate governance, identification and risk assessment, monitoring and reporting, control and risk mitigation, and traceability.

Specific Control and Security Measures for Internet Payments. Recommendations belonging to the second category cover all stages of payment transaction processing, from accessing the service (solutions for customer information, registration, and authentication) to initiating, monitoring, and authorizing payments, as well as the protection of sensitive payment data.

Awareness, Education, and Communication with Customers. Recommendations belonging to the third category concern customer protection; what customers should do upon receiving an unsolicited request for personal login data; how to use internet payment services safely; and how customers can verify whether a transaction was initiated and executed.

The report also contains a glossary of selected basic terms. The annex lists the members of the Forum.

2 Recommendations

General Control and Security Environment

Recommendation 1: Corporate Governance

Payment service providers and payment systems should implement and regularly review a formal internet payment security policy.

KC 1.1 The security policy should be appropriately documented and regularly reviewed (in accordance with KC 2.4) and approved by senior management. It should define security objectives and risk appetite.

KC 1.2 The security policy should define roles and areas of responsibility, including the risk management function with direct reporting to the board level, and the chain of command for the provision of internet payment services, including the management of sensitive payment data with regard to risk assessment, control, and mitigation.

GP 1.1 The security policy may be developed as a dedicated document.

Recommendation 2: Risk Assessment

Payment service providers and payment systems should conduct and document detailed risk assessments regarding internet payments and related services, both before introducing these services and regularly thereafter.

KC 2.1 Payment service providers and payment systems should – through their risk management functions – conduct and document detailed risk assessments regarding internet payments and related services. Payment service providers and payment systems should take into account the results of current monitoring of security threats for offered and planned internet payment services, considering: i) the technological solutions used, ii) services provided by external suppliers, and iii) the client's technical environment. Payment service providers and payment systems should investigate risks associated with selected technological platforms, application architecture, programming techniques, and procedures, both on their side[11] and on the clients' side[12], as well as the results of the security incident monitoring process (see: Recommendation 3).

[11] Such as system vulnerability to session hijacking, “SQL injection”, “cross-site scripting”, buffer overflow, etc.
[12] Such as risks associated with the use of multimedia applications, browser add-ons, frames, external links, etc.

KC 2.2 Based on this, payment service providers and payment systems should determine whether and to what extent it may be necessary to introduce changes to existing security measures, technologies, and procedures, or offered services. Payment service providers and payment systems should consider the time required to implement these changes (including on the clients' side) and take appropriate steps during the transitional period to minimize security incidents and fraud cases, as well as potential disruptive effects.

KC 2.3 The risk assessment should relate to the needs for protection and securing of sensitive payment data.

KC 2.4 Payment service providers and payment systems should review risk scenarios and existing security measures following significant incidents affecting the services they provide, before introducing significant changes to infrastructure or procedures, and after identifying new threats through risk monitoring. Additionally, a general review of the risk assessment should be conducted at least once a year. The results of the risk assessment and reviews should be approved by senior management.

Recommendation 3: Monitoring and Reporting of Incidents

Payment service providers and payment systems should have a consistent and integrated approach to monitoring, handling, and following up on incidents, including customer complaints related to security. Payment service providers and payment systems should develop a procedure for reporting such incidents to senior management and – in the case of significant security incidents concerning payments – to supervisory authorities.

KC 3.1 Payment service providers and payment systems should introduce a process for monitoring, handling, and following up on security incidents and customer complaints related to security, and report such incidents to management.

KC 3.2 Payment service providers and payment systems should have a procedure for immediately informing the competent authorities (i.e., supervisory authorities and data protection authorities), where they exist, in the event of significant security incidents concerning the payment services provided.

KC 3.3 Payment service providers and payment systems should have a procedure for cooperation with competent law enforcement authorities regarding significant security incidents, including data breaches.

KC 3.4 Payment service providers acting as settlement agents should require merchants storing, processing, or transmitting sensitive payment data to cooperate regarding significant payment security incidents (including data breaches) with both payment service providers and competent law enforcement authorities. If a payment service provider becomes aware that a merchant is not cooperating in accordance with contractual requirements, it should take steps to ensure the merchant fulfills its contractual obligations or terminate the contract.

Recommendation 4: Control and Risk Mitigation

Payment service providers and payment systems should implement security measures in accordance with developed security policies to counteract identified risks. These measures should include multiple lines of defense, where the failure of one line of defense is compensated by another.

KC 4.1 When designing, developing, and maintaining internet payment services, payment service providers and payment systems should pay particular attention to the appropriate segregation of duties in IT environments (e.g., development, test, and production environments) and the proper implementation of the principle of least privilege[13] as the basis for correct identity and access management.

KC 4.2 Payment service providers and payment systems should have appropriate security solutions aimed at protecting networks, websites, servers, and communication links from fraud and attacks. Payment service providers and payment systems should disable all unnecessary functions on servers to protect them (“hardening”) and eliminate or limit vulnerabilities of exposed applications. Access of different applications to data and resources should be limited to the minimum necessary, in accordance with the principle of least privilege. To limit the use of fake websites (imitating real websites of payment service providers), transactional websites providing internet payment services should be identified by extended validation certificates from internet service providers or similar authentication methods.

KC 4.3 Payment service providers and payment systems should implement appropriate processes for monitoring, tracking, and restricting access to: i) sensitive payment data, and ii) critical logical and physical resources, such as networks, systems, databases, security modules, etc. Payment service providers should create, store, and analyze appropriate event logs and audit trails.

KC 4.4 When designing[14], developing, and maintaining internet payment services, payment service providers should ensure that a key element of basic functionality is data minimization[15]: the collection, transmission, processing, storage, and/or archiving, and visualization of sensitive payment data should be kept to a minimum.
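KC 4.1, 4.3 and 4.4 together describe three controls around sensitive payment data: least-privilege access, an audit trail of every access, and data minimization. The following added example (not code from the report or from any payment service provider) shows how the three fit together in one small access path: a role-based allow-list gates each operation, every attempt (granted or refused) is written to an append-only trail, and the trail itself carries only masked or redacted values. The role names, permissions, field names and the first-six/last-four masking rule are assumptions chosen for the illustration; the card record is a constructed sample using a test-style number.

```python
"""Least-privilege access, data minimization and an audit trail for sensitive
payment data (example code illustrating KC 4.1, 4.3 and 4.4; roles, field
names and the masking rule are this example's own assumptions)."""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Set

# Least privilege: each (assumed) role may perform only the operations it needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "payment-authorizer": {"read_pan_masked", "authorize"},
    "fraud-analyst": {"read_pan_masked", "read_history"},
    "support-agent": {"read_pan_masked"},
    "card-vault-service": {"read_pan_full", "authorize"},
}

# Fields that must never reach a log or long-term store in clear.
SENSITIVE_FIELDS = {"pan", "cvv", "password", "otp"}


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits (enough for routing and for the
    customer to recognise the card); everything in between is masked."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def minimize_for_storage(card: dict) -> dict:
    """Data minimization: after authorization only the masked PAN, expiry and
    holder name are retained. The CVV is dropped, never stored."""
    return {
        "pan_masked": mask_pan(card["pan"]),
        "expiry": card["expiry"],
        "holder": card.get("holder", ""),
    }


def redact(details: dict) -> dict:
    """Audit events carry masked or redacted values only."""
    out = {}
    for key, value in details.items():
        if key == "pan":
            out["pan_masked"] = mask_pan(value)
        elif key in SENSITIVE_FIELDS:
            out[key] = "<redacted>"
        else:
            out[key] = value
    return out


class AuditLog:
    """Append-only in-memory audit trail (a real one would go to write-once storage)."""

    def __init__(self) -> None:
        self.events: List[dict] = []

    def record(self, actor: str, role: str, operation: str, allowed: bool, details: dict) -> str:
        event = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "operation": operation,
            "allowed": allowed,
            **redact(details),
        }
        self.events.append(event)
        return json.dumps(event, sort_keys=True)   # one JSON line per event


def access_sensitive_data(log: AuditLog, actor: str, role: str, operation: str, card: dict) -> bool:
    """Gate the operation by role and write an audit event either way, so refused
    attempts are as visible to monitoring as granted ones."""
    allowed = operation in ROLE_PERMISSIONS.get(role, set())
    log.record(actor, role, operation, allowed, {"pan": card["pan"], "cvv": card.get("cvv", "")})
    return allowed


def denied_attempts(log: AuditLog, actor: str) -> int:
    """Simple analysis over the trail: count refused accesses by one actor."""
    return sum(1 for e in log.events if e["actor"] == actor and not e["allowed"])


# Constructed sample record (test-style card number, not real customer data).
SAMPLE_CARD = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/27", "holder": "J. Doe"}
```

Two design points are worth noting. Redaction happens inside the log writer rather than at each call site, so a new caller cannot accidentally log a full PAN; and the role check and the audit write are in the same function, so there is no path that reads sensitive data without leaving a trace. `denied_attempts` is the kind of query the KC 4.3 "analyze" requirement implies: a run of refusals for one actor is a signal worth alerting on.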

[13] “Every program and every user of the system should operate using the smallest amount of privilege necessary to complete the action.” See: J. H. Saltzer, “Protection and the Control of Information Sharing in Multics”, Communications of the ACM, Vol. 17, No. 7, July 1974.
[14] Designing includes the initial design phase as well as subsequent modifications.
[15] Data minimization means that only data strictly necessary for the specific purpose should be collected, processed, and stored.
