The European Central Bank (ECB) has published a report which contains final recommendations that are intended to improve the security of payment account access services. The final recommendations complement the recommendations for the security of internet payments that were published in 2012.
The report sets out final recommendations and then further outlines key considerations. It also includes some best practices that third party providers (TPPs), governance authorities, account servicing payment service providers (PSPs) and other relevant market participants are encouraged to adopt.
The final recommendations are, unless otherwise stated, applicable to all TPPs providing payment account access services, irrespective of the device used. However, certain recommendations, where indicated, are applicable to governance authorities of payment systems and/or to account-servicing PSPs.
Excluded from the scope of the report are:
- similar services provided by an account-servicing PSP to its account owners without the involvement of a third party service provider;
- internet services other than online payment and/or account information services provided by a PSP via its payment website (e.g. e-brokerage, online contracts);
- mobile payments which are not payment account access services;
- digital or mobile wallets (except when being used for payment account access services);
- payment transactions made by an enterprise via dedicated networks; and
- retail payment clearing and settlement systems.
The recommendations constitute minimum expectations. They are without prejudice to the responsibility of TPPs, governance authorities, account-servicing PSPs and other market participants to monitor and assess the specific risks involved in their service operations, develop their own detailed security policies and implement adequate security, contingency, incident management and business continuity measures that are commensurate with the risks inherent in the payment account access services provided.