Guidelines on Internet Payments’ Security


In mid-December 2014, the European Banking Authority (EBA) published its final guidelines on the security of internet payments. They set out the minimum security requirements that payment service providers (PSPs) in the EU are expected to have implemented by 1 August 2015.

According to the EBA, fraud on internet card payments alone is high and growing: in 2012, losses from so-called "card-not-present" fraud amounted to EUR 794 million, up 21.2% on the previous year. The EBA concludes from these figures that inadequate security continues to undermine consumer and merchant confidence in payment systems, and that a timely and consistent regulatory response is required.

The new EBA guidelines are based on the recommendations previously issued by SecuRe Pay, the European Forum on the Security of Retail Payments. The revised Payment Services Directive (PSD2) may introduce more stringent requirements at a later stage; the guidelines are intended to bridge the gap until PSD2 enters into force.

The guidelines require, in particular, that PSPs use strong customer authentication to verify the customer's identity before an online payment is initiated. In the guidelines, strong customer authentication means a procedure based on two or more of three categories of elements: something the customer knows (e.g. a password), something the customer possesses (e.g. a card or token) and something the customer is (e.g. a biometric). The elements must be mutually independent, so that compromising one does not compromise the others, and at least one of them must be non-reusable and non-replicable.

The guidelines also expect PSPs to encourage e-commerce merchants to step up the protection of sensitive payment data, in particular by not storing such data (for example full card details) at all where it is not needed.

The national competent authorities, i.e. the financial supervisors in each Member State, will be responsible for ensuring that PSPs comply with the new guidelines.

The time.lex blog has previously analysed the earlier developments mentioned, including PSD2 and secure payment authentication.

For further information on this legal development please contact Edwin Jacobs at (

This publication does not necessarily deal with every important topic or cover every aspect of the topics with which it deals and is not designed to provide legal or other advice.