Cybersecurity requirements for payment services under the Payment Services Directive 2 (PSD2)

This article delves into the cybersecurity obligations mandated by these directives, with a particular emphasis on the technical and operational measures that PSPs must adopt to comply with European regulations and mitigate risks associated with cyber threats.

12/22/2024, 4 min read

The Payment Services Directive 2 (PSD2, Directive (EU) 2015/2366) was adopted by the European Union in 2015 and has applied in the Member States since January 2018. It represents a significant regulatory shift aimed at enhancing security, transparency, and competition within the payments sector.

Concurrently, the Directive (EU) 2018/843, commonly referred to as the 5th Anti-Money Laundering Directive (AMLD5), fortifies anti-money laundering (AML) requirements, thereby influencing how payment service providers (PSPs) manage cybersecurity risks. Together, these regulatory frameworks impose rigorous requirements on PSPs to safeguard sensitive payment data, ensure the integrity of electronic payments, and protect consumers.

1. PSD2 and the strengthened cybersecurity framework

PSD2 significantly impacts the operations of payment service providers by introducing a wide range of obligations aimed at enhancing the security of electronic payments and reducing fraud. A key element of PSD2 is its emphasis on payment security: Article 97 requires PSPs to apply strong customer authentication (SCA) whenever a payer accesses a payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel that may imply a risk of payment fraud, and Article 98 mandates the European Banking Authority (EBA) to develop the regulatory technical standards that specify how SCA and secure communication are to be implemented.

SCA reduces the risk of fraud by requiring that a transaction be authenticated with at least two of the following independent categories of element: (i) knowledge, something only the customer knows (e.g., a password or PIN), (ii) possession, something only the customer has (e.g., a registered smartphone or hardware token), and (iii) inherence, something the customer is (e.g., a fingerprint or face biometric). The elements must be independent, so that the compromise of one does not compromise the others; two elements from the same category, such as a password and a PIN, do not qualify. PSD2 mandates SCA for most electronic payments, while the technical standards set out specific exemptions, such as low-value payments, recurring transactions of the same amount to the same payee, payments to trusted beneficiaries, and transactions that pass the provider's real-time transaction risk analysis.
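The following is an added example, not code from the article or from any regulator: a minimal SCA policy check that models the two-independent-categories rule above together with the low-value exemption. The thresholds follow Article 16 of the RTS (Delegated Regulation (EU) 2018/389): EUR 30 per transaction and, since the last SCA, at most EUR 100 cumulative or five consecutive transactions. The function and class names, the conservative reading that the transaction being evaluated counts toward both limits, the use of euro cents, and the sample payment sequence are this example's own assumptions.

```python
"""Added example, not from the article: a minimal SCA policy check.

Assumptions (not drawn from the article): factor categories are
knowledge / possession / inherence; low-value thresholds follow RTS
Art. 16 (EUR 30 per transaction, EUR 100 cumulative or 5 consecutive
transactions since the last SCA); the current transaction counts toward
both limits (conservative reading); amounts are in euro cents.
"""
from dataclasses import dataclass
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # password, PIN
    POSSESSION = "possession"  # registered phone, hardware token
    INHERENCE = "inherence"    # fingerprint, face


LOW_VALUE_CENTS = 30_00       # RTS Art. 16(a): single transaction limit
CUMULATIVE_CENTS = 100_00     # RTS Art. 16(b): cumulative since last SCA
MAX_CONSECUTIVE = 5           # RTS Art. 16(c): count since last SCA


@dataclass
class ExemptionState:
    """Counters kept per payment instrument since the last successful SCA."""
    cumulative_cents: int = 0
    consecutive: int = 0


def is_strong(factors) -> bool:
    """True when the factors span at least two *different* categories.
    A password plus a PIN is two knowledge factors and does not qualify."""
    return len(set(factors)) >= 2


def low_value_exempt(amount_cents: int, state: ExemptionState) -> bool:
    """Low-value exemption: all three Art. 16 conditions applied conservatively."""
    return (amount_cents <= LOW_VALUE_CENTS
            and state.cumulative_cents + amount_cents <= CUMULATIVE_CENTS
            and state.consecutive + 1 <= MAX_CONSECUTIVE)


def authorise(amount_cents: int, factors, state: ExemptionState) -> str:
    """Return 'sca', 'low_value_exemption' or 'sca_required' and update counters.
    A successful SCA resets the exemption counters for the instrument."""
    if is_strong(factors):
        state.cumulative_cents = 0
        state.consecutive = 0
        return "sca"
    if low_value_exempt(amount_cents, state):
        state.cumulative_cents += amount_cents
        state.consecutive += 1
        return "low_value_exemption"
    return "sca_required"


def simulate(payments):
    """Run a sequence of (amount_cents, factors) for one instrument and
    return the decision taken for each payment."""
    state = ExemptionState()
    return [authorise(amount, factors, state) for amount, factors in payments]


# Constructed sample: six EUR 20 card-on-file payments confirmed with a PIN
# only, then a EUR 250 purchase confirmed with PIN + a one-time code from
# the registered phone. The sixth EUR 20 payment breaches the EUR 100
# cumulative limit and must be challenged; the EUR 250 payment passes SCA.
SAMPLE = [(20_00, [Factor.KNOWLEDGE])] * 6 + [
    (250_00, [Factor.KNOWLEDGE, Factor.POSSESSION]),
]

if __name__ == "__main__":
    for (amount, _), decision in zip(SAMPLE, simulate(SAMPLE)):
        print(f"EUR {amount / 100:7.2f} -> {decision}")
```

The state must be kept server-side per payment instrument; a client-supplied counter would let an attacker stay under the exemption thresholds indefinitely. Which of the two Art. 16 counters to apply is the PSP's choice under the RTS; this example applies both.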

Additionally, PSD2 requires payment service providers to use secure communication channels when sensitive payment data is exchanged between financial institutions, merchants, third-party providers and users, so that the data is protected from interception and unauthorized access. Encryption of the channel and mutual identification of the communicating parties are among the technical measures the technical standards require.

PSD2 encourages a risk-based approach to cybersecurity. PSPs are required to assess and mitigate risks associated with their payment systems, identifying potential vulnerabilities that could lead to data breaches or fraud. In practice, this means investing in continuous monitoring of transaction data, fraud detection systems, and regular risk assessments of payment infrastructures.

2. Cybersecurity risk management obligations under PSD2

Third-party providers (TPPs) and access to payment systems

With the advent of open banking under PSD2, third-party providers (TPPs) - including Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) - are granted access to payment accounts with customer consent. This increasing access to sensitive financial data consequently heightens the risk of cybersecurity threats.

PSD2 addresses this risk through authorisation and secure interfaces rather than bilateral vetting. TPPs must themselves be authorised or registered by their national competent authority and are subject to its supervision. Account servicing PSPs, for their part, must identify each TPP that connects to them, verify that it is authorised, and expose account access only through a secure interface (a dedicated API or an adapted customer-facing interface) with strong access controls, returning only the data and permitting only the actions the customer has consented to. Access by a third party that does not identify itself is not permitted.

Incident reporting requirements

PSD2 (Article 96) requires payment service providers to notify major operational or security incidents affecting payment services, including fraud and data breaches, to the competent authority in their home Member State without undue delay; that authority in turn informs the EBA and the ECB. Where the incident has or may have an impact on the financial interests of payment service users, the PSP must also inform the affected users without undue delay of the incident and of the measures they can take to mitigate its adverse effects.

3. The role of the European Central Bank (ECB) and the European Banking Authority (EBA) Guidelines

The EBA Guidelines

The EBA plays a key role in providing technical standards and guidelines for security under PSD2. It drafted the Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication, which the European Commission adopted as Delegated Regulation (EU) 2018/389 and which have applied since 14 September 2019. The RTS cover the security requirements for each category of authentication element, the dynamic linking of an authentication code to the amount and payee of a remote transaction, the exemptions from SCA, and the secure communication requirements for the interfaces through which TPPs access accounts, including the identification of TPPs via qualified certificates issued under the eIDAS Regulation. The EBA has complemented the RTS with guidelines on ICT and security risk management (EBA/GL/2019/04) and on major incident reporting under PSD2.

The ECB’s cybersecurity initiatives

In addition to the EBA, the European Central Bank (ECB) has been actively involved in strengthening cybersecurity within the EU's payment systems. The ECB focuses on the security of critical payment infrastructure and on standards that help prevent systemic risk, for example the cyber resilience oversight expectations it applies to financial market infrastructures and the TIBER-EU framework for threat-intelligence-based red-team testing of financial entities. The TARGET2 payment system (replaced by T2 in March 2023), for example, has implemented robust security measures to protect high-value transactions from cyber threats.

4. Anti-Money Laundering and Cybersecurity under Directive 2018/843 (AMLD5)

AML and cybersecurity synergy

Directive (EU) 2018/843, also known as the 5th Anti-Money Laundering Directive (AMLD5), introduces additional anti-money laundering (AML) and counter-terrorist financing (CFT) obligations for PSPs. AMLD5 primarily focuses on customer due diligence (CDD) and suspicious transaction reporting; it does not itself prescribe cybersecurity measures, but the enhanced monitoring and reporting it requires can only be delivered on systems whose integrity and confidentiality are protected, which in practice raises the bar for the cybersecurity controls PSPs must maintain.

The synergies between AML and cybersecurity include implementing effective transaction monitoring systems to detect suspicious or fraudulent activities. PSPs are required to assess transaction patterns and flag activities that may indicate money laundering or fraud. Additionally, cybersecurity practices that protect the integrity of KYC processes are essential to ensuring that identity verification and data protection measures comply with AMLD5.

Cooperation with law enforcement

Both PSD2 and AMLD5 emphasize the importance of cooperation between financial institutions, regulators, and law enforcement agencies. PSPs must cooperate with authorities to prevent fraud, money laundering, and terrorist financing, which often involves cybersecurity measures to prevent data breaches and protect sensitive customer information.

As the digital payments landscape evolves, so do the threats to payment systems. The increasing use of mobile payments, contactless technology, and digital wallets creates new attack vectors for cybercriminals to exploit. To counter these threats, PSPs must continuously adapt their cybersecurity strategies and infrastructure.

Artificial Intelligence (AI) and Machine Learning (ML) are increasingly being used to detect fraud, predict risks, and identify anomalies in payment transactions.

Blockchain and Distributed Ledger Technology (DLT) are often promoted as offering enhanced security for digital transactions through transparency and tamper-evident records, which may reduce certain fraud risks. PSPs should evaluate their potential for strengthening the security of payment systems on a case-by-case basis.

Conclusion

PSD2 and Directive (EU) 2018/843 have ushered in a new era of cybersecurity regulation for payment service providers. By setting stringent requirements for strong customer authentication, secure communication, and third-party access management, these regulations aim to protect consumers, enhance trust, and reduce fraud in the European payments ecosystem. While compliance with these cybersecurity obligations presents challenges, it also offers an opportunity for PSPs to strengthen their infrastructure, improve their risk management practices, and ensure the security of digital payments in an increasingly interconnected world.