BaFin publishes a circular on the minimum requirements for the security of internet payments


The circular of BaFin came into effect with its publication on the BaFin website. However within a period of six months BaFin will refrain from imposing supervisory sanctions. The circular covers substantial security aspects in retail payment transactions, especially governance and risk management and also supervision, examination and documentation of internet payment transactions. Its purpose is also to protect data and the customers themselves. The circular introduces strong customer authentication requirements, the protection of sensitive payment data and the improvement of customer protection.

Strong authentication of the customer

The need for strong authentication of the customer is satisfied if the customer uses at least two criteria out of the following three categories:

  • something, which only the customer knows (e. g. password, PIN)
  • something, the customer possesses (e.g. smartcard, device) or
  • something, which the customer is (biometric feature).

Two of these features are mutually independent and it must not be possible for at least one feature to be replicated, re-used or stolen via the internet.

Sensitive payment data must be subject to enhanced protection during storage, processing and transfer. Sensitive payment data means all data that can be used to identify and/or authenticate a customer, in particular for login and for the execution, amendment or deletion of e-mandates. The customer-web-interface must also be protected adequately against theft, unauthorized access and modification.

Improvement of customer protection

The circular stipulates certain provisions for the improvement of customer protection, such as customer training and communication requirements, the setting of limits and customer access to information regarding the status of the payment transactions.

Further provisions

The circular stipulates that security incidents have to be notified to BaFin and, where required, to the national law enforcement authority as well as to the data protection officer. It should be assumed that security incidents are critical when the availability, integrity, privacy and authenticity of IT-systems, application or data with high protection requirements are injured or affected.


The relatively short implementation period of six months means that institutions have little time to familiarise themselves with the new requirements and adapt their processes. Payment institutions should bear in mind that under PSD 2, whose adoption is expected shortly, they may face further changes and additional regulatory requirements.