The European Central bank has issued a set of recommendations to promote the security of payments made over the Internet.
The guidelines - applicable to all Payments Services Providers as defined in the EU-wide Payment Services Directive - outline 14 key recommendations that are designed to act as a set of minimum expectations. Implementation will be overseen by national supervisory authorities on a voluntary co-operative basis and based on the existing legal frameworks in host countries.
The recommendations are organised into three broad categories, covering general control and security, specific control and security measures for every step of the payment transaction process, and customer awareness, education and communication.
At the core of the proposals is a commitment to two-factor authentication as a mimimum requirement to verify the identity of a customer. Measures may include the use of passwords and PINs; tokens, cards and mobile phones; and biometrics.
"Where there is no or weak authentication procedure in place, in the event of a disputed transaction, PSPs cannot provide proof that the customer has authorised the transaction," states the report. "When strong authentication is used, it is for the issuer to prove that the cardholder has acted with gross negligence or intent."
It suggests the introduction of a liability shift in the Payment Services Directive to acknowledge the issue and further calls on the European Commission to set up an EU-wide utility for reporting and sharing information related to data security breaches.
Interested parties are invited to comment on the draft by 20 June 2012.
Read the full report:Download the document now 960.6 kb (PDF File)