The BaFin circular came into effect with its publication on the BaFin website. However, for a period of six months BaFin will refrain from imposing supervisory sanctions. The circular covers substantial security aspects of retail payment transactions, especially governance and risk management, as well as the supervision, examination and documentation of internet payment transactions. Its purpose is also to protect data and the customers themselves. The circular introduces strong customer authentication requirements, the protection of sensitive payment data and the improvement of customer protection.
Strong authentication of the customer
The requirement for strong authentication of the customer is satisfied if the customer uses at least two factors from the following three categories:
- something only the customer knows (e.g. password, PIN)
- something the customer possesses (e.g. smartcard, device) or
- something the customer is (biometric feature).
The two factors used must be mutually independent, and at least one of them must not be capable of being replicated, re-used or stolen via the internet.
Protection of sensitive payment data
Sensitive payment data must be subject to enhanced protection during storage, processing and transfer. Sensitive payment data means all data that can be used to identify and/or authenticate a customer, in particular for login and for the execution, amendment or deletion of e-mandates. The customer web interface must also be adequately protected against theft, unauthorised access and modification.
Improvement of customer protection
The circular stipulates certain provisions for the improvement of customer protection, such as customer training and communication requirements, the setting of limits and customer access to information regarding the status of the payment transactions.
Further provisions
The circular stipulates that security incidents have to be notified to BaFin and, where required, to the national law enforcement authority as well as to the data protection officer. A security incident should be regarded as critical when the availability, integrity, confidentiality or authenticity of IT systems, applications or data with high protection requirements is impaired or affected.
Conclusion
The relatively short implementation period of six months means that institutions have little time to familiarise themselves with the new requirements and adapt their processes. Payment institutions should bear in mind that under PSD 2, whose adoption is expected shortly, they may face further changes and additional regulatory requirements.