EBA issued guidelines to strengthen requirements for the security of internet payments across the EU

19 December 2014

The guidelines set the minimum security requirements that Payment Services Providers in the EU will be expected to implement by 1 August 2015.

Among various measures aimed at more efficient and secure internet payments across the EU, the EBA Guidelines require in particular that Payment Service Providers (PSPs) carry out strong customer authentication to verify the customer's identity before proceeding with an online payment, one of the key measures to prevent internet fraud, whether through online banking services or internet card payments. These Guidelines, which are based on the technical work carried out by SecuRe Pay, the voluntary cooperation forum bringing together central banks and supervisors of Payment Service Providers, will apply to all PSPs across the EU in a consistent manner as of August 2015.

The EBA decided to issue these Guidelines because of the rising levels of fraud observed in internet payments. The latest pan-EU figures showed that fraud on card internet payments alone caused €794 million of losses in 2012 (up 21.2% from the previous year). A timely and consistent regulatory response was therefore needed while waiting for the revision of the Payment Services Directive, which aims at creating more secure, competitive and consumer-friendly rules for payments in the EU.

Geoffroy Goffinet of the EBA Consumer Protection Unit explained: "The EBA guidelines on internet payments provide the legal basis for achieving a level playing field for all PSPs across the EU. Through this piece of work, the EBA looked into supporting the development of e-commerce across the EU, while ensuring proper protection of consumers."

PSPs will also be required to provide assistance and guidance to their customers in relation to the secure use of internet payment services. In particular, they will have to initiate customer awareness programmes so as to ensure that their users understand risks and best practices in internet payments.

Regarding consumer data protection, the Guidelines foresee that PSPs offering card payment services to e-merchants should encourage them not to store any sensitive payment data, or require that they have the necessary measures in place to protect such data. PSPs should also carry out regular checks and, if they become aware that an e-merchant handling sensitive payment data does not have the required security measures in place, take steps to enforce this as a contractual obligation or terminate the contract.

All competent authorities across the EU are expected to comply with these Guidelines by incorporating them into their supervisory practices and amending their legal framework or their supervisory processes accordingly.
