The European Banking Authority (EBA) has published its final Guidelines on security measures for operational and security risks of payment services under the revised Payment Services Directive (PSD2).

The guidelines set out the requirements that payment service providers should implement in order to mitigate operational and security risks derived from the provision of payment services. Guideline 1 defines a general principle on proportionality. This is then followed by Guidelines 2 to 9, which cover governance, including the operational and security risk management framework, the risk management and control models, and outsourcing; risk assessment, including the identification and classification of functions, processes and assets; and the protection of the integrity and confidentiality of data and systems, physical security and access control.

Furthermore, the Guidelines cover the monitoring, detection and reporting of operational or security incidents; business continuity management, scenario-based continuity plans including their testing and crisis communication; the testing of security measures; situational awareness and continuous learning; and the management of the relationship with payment service users.

The Guidelines apply from 13 January 2018.

View EBA publishes final guidelines on security measures under PSD2, 12 December 2017