The new guidance (130-page / 1.19MB PDF) sets out in more detail the arrangements that all businesses subject to the revised Payment Services Directive (PSD2) should put in place to address operational and security risks to payment services.
Payments and technology law expert Angus McFadyen of Pinsent Masons, the law firm behind Out-Law.com, said: "These rules complement the better known and more controversial rules around strong customer authentication. They set the standards that behind-the-scenes processes and procedures must meet."
"Much of what is in the rules represents existing good practice in established operators – the challenge for them, and new operators, is being careful in how they apply the rules in a proportional way to their operations. Regulators and auditors don’t tend to be too generous when making such assessments," he said.
The finalised guidelines cover measures to prevent operational and security incidents, and encompass aspects of security such as controls on access to systems and data, checks that systems used for providing payment services are up-to-date, and the application of "critical security patches".
The guidelines also cover arrangements businesses should implement to detect "anomalous activities", and further steps the firms should take to provide for business continuity in the event of an incident occurring. The guidelines further outline risk assessment and security testing protocols that firms should follow.
The EBA also explained that payment service providers (PSPs) must ensure "appropriate and proportionate security objectives, measures and performance targets are built into contracts and service-level agreements" where they outsource operational functions of payment services, including IT systems, to third parties.
The guidelines apply to all PSPs, which includes banks and other businesses that operate payment accounts, as well as new payment initiation service providers (PISPs) and account information service providers (AISPs), the EBA said. PISPs and AISPs will, via PSD2, be subject to regulation under payment services laws for the first time.
The security measures that individual firms have to implement "may differ between PSPs depending on their size, and the nature, scope, complexity and riskiness of the particular service(s) they provide or intend to provide", the EBA said. The measures themselves must be subjected to periodic auditing, it said.
"The security measures set out in these guidelines should be audited by auditors with expertise in IT security and payments and operationally independent within or from the PSP," the EBA said. "The frequency and focus of such audits should take the corresponding security risks into consideration."
In respect of governance, the guidelines require PSPs to establish a "risk management framework" which should "focus on security measures to mitigate operational and security risks and should be fully integrated into the PSP’s overall risk management processes".
The framework should comprise a "comprehensive security policy document", reflect the risk appetite of the firm, and involve the allocation of roles and responsibilities and lines of reporting to "enforce the security measures and to manage security and operational risks", the EBA said.
In addition, it should "establish the necessary procedures and systems to identify, measure, monitor and manage the range of risks stemming from the payment-related activities of the PSP and to which the PSP is exposed, including business continuity arrangements".
PSPs also face a new duty to "analyse operational or security incidents that have been identified or have occurred within and/or outside the organisation" and then "consider key lessons learned from these analyses and update the security measures accordingly", according to the new guidelines.
An 'operational or security incident' is defined in the guidelines as "a singular event or a series of linked events unplanned by the PSP which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of payment-related services".
Officially the guidelines will apply from 13 January 2018, the same date on which the new PSD2 regime takes effect. However, the EBA acknowledged that PSPs would "require time to implement the guidelines". As a result, it said the firms are "not expected to comply with the guidelines until the EBA has published the translations of the guidelines in all official EU languages, issued the compliance table, and the [national regulators] have implemented the guidelines into their national regulatory or supervisory frameworks".