EU Implementing Minimum Authentication Standards for PSPs

The European Central Bank has drafted a set of recommendations to increase the security of online transactions in the European Union. The expectation is to implement these recommendations as minimum standards for online payment security which internet payment service providers in the EU must meet by mid-2014.


The European Central Bank’s primary goal with this initiative is to establish a harmonized minimum level of security that stretches across the entire EU. The recommendations focus on “the whole processing chain of electronic retail payment services (excluding cheques and cash), irrespective of the payment channel,” as stated in the Recommendations for the Security of Internet Payments document published by the ECB. The recommendations and standards apply to all payment service providers offering internet payment services, this includes internet card payments (including virtual cards and card data registered in e-wallets), online credit transfers and ACH/direct debit internet payments.


The EU’s Central Bank makes 14 recommendations, categorized as either key considerations or best practices, and these recommendations are to be implemented by July 1, 2014. These recommendations are based on four guiding principles: First, PSPs should perform assessments of the risks associated with providing payment services over the internet and this should be regularly updated as the internet and security threats continue to evolve.


The second principle is centered on strong customer authentication. The recommendations define three elements related to authentication: knowledge, ownership and inherence. Knowledge refers to something only the user knows (such as a password), ownership refers to something only the user possesses (such as their mobile phone) and inherence refers to something the user is (such as a biometric reading). It is recommended that at least two of these elements are used for strong authentication, although PSPs will be able to use less stringent authentication techniques for outgoing payments to trusted parties or white listed accounts.


The third principle is that PSPs should have effective processes for authorizing transactions and for monitoring transactions to identify abnormal patterns and fraud. The fourth principle is that PSPs should engage in customer education and awareness programs.


For more information:


European Central Bank: Recommendations for the Security of Internet Payments