The European Central Bank (ECB) has produced a public note on security of payment account access services. In the note, the ECB outlines the main outcome of an earlier consultation on recommendations for the security of mobile payments carried out by the European Forum on the Security of Retail Payments (SecuRe Pay). The note states that SecuRe Pay considered the responses to its consultation carefully and drew the following conclusions:

• third-party providers (TPPs) should be licensed and supervised;
• TPPs should ensure that customers are appropriately authenticated by relying on strong customer authentication;
• TPPs’ access to information on payment accounts should be limited to the minimum they need for their activity;
• TPPs and account servicing payment service providers (PSPs) should ensure mutual authentication when communicating in the context of providing payment account access services; and
• the non-sharing of the personal user credentials with the TPP would address the security concerns by some of the current interactions between TPPs and account servicing PSPs (AS PSPs).

The note mentions that SecuRe Pay recommends the development of an open standard for communication between TPPs and AS PSPs, which would allow consumers to use any TPP to access any PSP throughout the EU. This standard could be defined by the European Banking Authority (EBA) in close co-operation with the ECB. The standard should be finalised shortly after the entry into force, and prior to the transposition date, of the European Commission’s proposed Directive on payment services in the internal market (PSD2). As a result, all elements of SecuRe Pay’s recommendations can be applied at the same time.

View Public note on security of payment account access services, 18 March 2014