March 15, 2016
General control and security environment of the platform supporting the Internet payment service
One of the most important parts of risk mitigation is the ability to understand the risks and build an adequate response system. It is commonly believed that risks with payments are mostly external. However, a proper security system would be able to assess internal risks as well and be ready for response. Payments service providers should be able to evaluate the adequacy of their internal security controls against both internal and external risk scenarios.
- Legislation compliance
The financial services industry faces some of the harshest regulatory environments globally, which means that payment service providers need to make sure they comply with local requirements and keep up to date with new legislation in their field.
- Risk assessment
Payment service providers need to have thoroughly documented risk assessment procedures and requirements, which will be applied when necessary. Prior to rolling out the service to the customers, the organization needs to make sure that it has a detailed risk assessment of the service and actions to be taken in unforeseeable situations.
- Incident monitoring and reporting
It is not only important to know what to do in case of a security breach, but also to be able to constantly monitor and create a dashboard of a security system condition at any moment of time. Real-time threat assessment and detection can play a vital role in mitigating the negative consequences of incidents.
- Multilayer risk mitigation
The security systems of payments service providers should be able to catch a threat at multiple levels in case some of the levels fail to indicate it. Multilayered security systems are helpful in case the threat wasn’t caught by the first line of defense.
Payment service providers need to be in full control of transactional activity in terms of traceability. This means ensuring that each processed transaction can be appropriately traced and assessed when necessary.
Specific control and security measures for Internet payments
The next set of recommendations is related to the steps of payment transaction processing, from access to the service (customer information, enrolment, authentication solutions) to payment initiation, monitoring and authorization, as well as the protection of sensitive payment data.
- Initial customer identification
Secure onboarding is required for each customer. Payment service providers and their customers need to act in line with the European anti-money laundering legislation. Each customer is required to confirm his/her willingness to make Internet payments using the services before being granted access to such services, and at each step of interaction, in order to ensure familiarity and compliance with the requirements for performing secure payments.
- Strong authentication process
Multilayer authentication should protect the sensitive data prior to providing access to payment services.
- Login attempts, session timeouts, validity of authentication
Payment service providers need to limit the number of login attempts and define a session timeout. In addition, the time for which an identity verification remains valid needs to be appropriately limited and tied to the information requested.
- Transaction monitoring
Service providers need to monitor transactions attentively and set a threshold above which high-value transactions receive extra scrutiny, so that fraudulent activity can be caught.
- Protection of sensitive data
Sensitive data needs to be protected when stored, processed or transmitted.
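The login-attempt limit, session timeout and bounded authentication validity described above, as an added illustration (not code from the recommendations or from any provider); the numeric parameters in AuthPolicy are assumed, and time is passed in explicitly so the behaviour can be checked deterministically:

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class AuthPolicy:
    max_attempts: int = 5            # failed logins tolerated inside attempt_window (assumed)
    attempt_window: float = 900.0    # seconds over which failures are counted (assumed)
    lockout: float = 1800.0          # seconds an account stays locked after the limit (assumed)
    idle_timeout: float = 300.0      # seconds of inactivity before a session expires (assumed)
    max_session_age: float = 3600.0  # absolute lifetime of one authentication (assumed)


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class AuthGuard:
    """Enforces the attempt limit, lockout and both session timeouts for one service."""
    def __init__(self, policy: AuthPolicy):
        self.policy = policy
        self.failures: dict[str, list[float]] = {}   # timestamps of recent failed logins
        self.locked_until: dict[str, float] = {}     # user -> time the lockout ends

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def login(self, user: str, credential_ok: bool, now: float) -> Session | None:
        if self.is_locked(user, now):
            return None                  # a locked account gets no session, even with a valid credential
        if credential_ok:
            self.failures.pop(user, None)
            return Session(user, created=now, last_seen=now)
        window = self.policy.attempt_window
        recent = [t for t in self.failures.get(user, []) if now - t < window] + [now]
        self.failures[user] = recent
        if len(recent) >= self.policy.max_attempts:
            self.locked_until[user] = now + self.policy.lockout
            self.failures.pop(user, None)
        return None

    def session_valid(self, s: Session, now: float) -> bool:
        if now - s.created > self.policy.max_session_age:   # authentication too old: re-authenticate
            return False
        if now - s.last_seen > self.policy.idle_timeout:    # idle for too long
            return False
        s.last_seen = now            # activity extends the idle window but never the absolute age
        return True
```

The absolute age check is what bounds the validity of one authentication; the idle check alone would let a session live indefinitely under steady activity.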
Customer awareness, education and communication
There are actions customers can take themselves to ensure the best service. The last set of recommendations concerns what customers are expected to do in the event of an unsolicited request for personal credentials, how to ensure the safety of the service they use, and how to check the execution of their transactions.
- Customer education and service
Payment service providers need to make sure they provide all necessary information to the customer and educate them about the service and how to use it. Moreover, customer service should be able to provide urgent assistance if necessary.
- Notifications, setting of limits
Payment service providers are recommended to stay focused on the primary service, but are encouraged to offer additional services related to it, such as alerts delivered as messages and emails.
- Customer access to information on the status of transaction
Transparency of transactions to the customer is very important. Payment companies should be able to provide the necessary information on the status of a transaction at any given moment in time.