
Published: 05.06.2015 | Topic: Risk management | Dr Markus Held, BaFin

Internet payments: Minimum Requirements for Security

In May 2015 BaFin published a new Circular setting out Minimum Requirements for the Security of Internet Payments (Mindestanforderungen an die Sicherheit von Internetzahlungen – MaSI, only available in German). The aim is to ensure comprehensive protection against cyber-crime.

The Circular transposes the European Banking Authority (EBA)’s Guidelines on the security of internet payments into the administrative practice of BaFin. The legal basis for the transposition is section 7b (1) of the German Banking Act (Kreditwesengesetz – KWG).

From the beginning, the draft of the MaSI followed the text of the EBA Guidelines very closely. Nevertheless, during the course of the consultation (see BaFinJournal of March 2015), a wish was frequently expressed that national peculiarities should be ignored. For that reason the text of the German translation of the EBA Guidelines was published in the Circular instead.

The MaSI are addressed to payment services providers (PSPs) within the meaning of the Payment Services Supervision Act (Zahlungsdiensteaufsichtsgesetz – ZAG). PSPs also have to comply with the provisions of the Circular even if a third party performs the payment function on their behalf (section 25b of the KWG and section 20 of the ZAG). This article explains the background to the Circular and is intended to make it easier for payment services providers to implement it.

Payment services providers

According to section 1 (1) of the Payment Services Supervision Act (ZAG) payment services providers are

  1. credit institutions within the meaning of Article 4(1) of the European Capital Requirements Regulation (CRR) which are entitled to do business in Germany;
  2. electronic money institutions within the meaning of Article 1(1b) and Article 2 no 1 of the E-Money Directive;
  3. the Federation, the Länder, local authorities and local authority associations and indirect federal and Länder administrative bodies, unless they exercise sovereign power;
  4. the European Central Bank, the Deutsche Bundesbank and other central banks in the European Union or other countries of the European Economic Area if they are not acting in their capacity as monetary authority or other public authority; and
  5. enterprises that provide payment services either commercially or on a scale that requires a commercially equipped business operation without falling under numbers (1) to (4) (payment institutions).

Relationship with the MaRisk

The MaSI lay down minimum requirements for security measures to protect web-based payment systems and web-based online banking (internet payment systems). These requirements operate as special rules alongside the familiar Minimum Requirements for Banks’ Risk Management (Mindestanforderungen an das Risikomanagement von Banken – MaRisk). The Circular is applicable to direct debit electronic mandates only if a payment services provider is involved when the mandate is authorised. It can be assumed that PSPs that rigorously implement the MaRisk already satisfy many of the requirements of the MaSI, so that for them the cost of implementation will be manageable.

Some institutions offer similar services that do not fall within the scope of the MaSI, e.g. mobile payments other than browser-based payments, online brokerage or online contracts as well as telephone banking. Such institutions must nevertheless apply the MaRisk’s risk and principles-based approach and consider the appropriateness of how they deal with the risks that the MaSI address when providing these services.

The MaSI do not apply to “third-party payment services providers”. Third-party payment services providers include, firstly, payment initiation services which users can use to initiate internet payments directly online and, secondly, account information services which users can use to download information on accounts that they hold with various banks and payment institutions. Neither does the Circular say anything about the relationship between third-party PSPs and account-managing PSPs. But if account-managing PSPs enter into agreements with third-party PSPs, in these cases, too, the institutions also have to comply with the supervisory requirements relating to the general business organisation (in particular Parts AT 7.2 and AT 9 of the MaRisk).

Recommendations of the European Central Bank

The European Central Bank (ECB) had published recommendations for the security of internet payment systems back in January 2013. They were drawn up by a joint working group of European central banks and banking supervisors, the European Forum on the Security of Retail Payments (SecuRe Pay Forum). The EBA adopted the recommendations almost word-for-word in the autumn of 2014 in its Guidelines on the security of internet payments.

The recommendations are based on four principles that also appear in the MaSI. Firstly, PSPs and payment systems shall regularly scrutinise the risks inherent in internet payment services and in so doing take due account of the latest internet security threats and fraud mechanisms. Secondly, the initiation of internet payments and access to sensitive payment data shall be protected by strong customer authentication; data are to be regarded as sensitive if they can be misused for the purpose of committing fraud. Thirdly, PSPs shall set up effective processes for authorising transactions and for monitoring transactions and systems in order to enable abnormal payment patterns to be identified and fraud to be combated effectively. Fourthly, PSPs and payment systems shall enhance the awareness of customers of the importance of secure and efficient use of internet payment services and educate them accordingly.

Structure and content of the MaSI

Compared to the MaRisk, the MaSI requirements are more detailed. Nevertheless they are principles-based: the MaSI set out objectives but do not specify how these are to be put into practice.

A new aspect is that the relationship between customer and PSP and between online merchant and PSP is explicitly taken into account. This is necessary because the actions of customers and the business activities of e-merchants may impact on the security of internet payment systems.

The MaSI are divided into the following chapters: “Scope”, “Definitions”, “General control and security environment”, “Specific control and security measures for internet payments” and “Customer awareness, education and communication”.

General control and security environment

The chapter entitled “General control and security environment” contains the minimum requirements for governance and risk assessment. They are largely derived from the MaRisk. In the section entitled “Incident monitoring and reporting” the MaSI require PSPs to set up internal processes to monitor, handle and follow up on security incidents (incident management or security incident management). Through the reference to established data security standards these requirements are derived from Part AT 7.2 of the MaRisk. What is new is that under the MaSI PSPs must report such incidents to BaFin and work together with the law enforcement agencies.

Reporting and cooperation with the law enforcement agencies

Under the MaSI, BaFin, the Bundesbank and the competent data protection authority are in future to be notified immediately in the event of major payment security incidents. In practice, PSPs generally detect such incidents through internal incident reporting (incident management) or security incident reporting (security incident management). An incident is deemed to be major if the availability, integrity, confidentiality or authenticity of relevant IT systems, applications or data requiring a high or very high level of protection has been violated or impaired. The proposed Payment Services Directive II may give rise to new requirements in this respect. For reports to BaFin, the reporting forms annexed to the Circular are to be used. For reports to the data protection authority the provisions of section 42a of the Federal Data Protection Act (Bundesdatenschutzgesetz) are to be observed.

In addition, in cases of major payment security incidents PSPs must cooperate with the competent law enforcement agencies. In practice, PSPs that record cyber-attacks on their IT systems will file a report of an offence. If, on the other hand, customers are the direct victims of an attack, e.g. through phishing, PSPs would be expected to support them in filing a report of an offence by e.g. notifying them of the competent police departments or providing them with necessary forms.

The section entitled “Risk control and risk mitigation” provides a comprehensive exposition of technical security measures. Accordingly, PSPs have to take “security measures in order to mitigate identified risks” in line with their respective security policies – a principle already established in Part AT 7.2 of the MaRisk.

What is new is the requirement to implement measures that incorporate multiple layers of security defences (‘defence in depth’). This concept has military origins. It means that security systems are to be designed in such a way that if an attack gets past one line of defence it can still be caught by another.

In addition, PSPs have to ensure that the actual processing of all transactions is traceable. The MaSI explicitly mention log files as part of the documentation requirements. What is new is that it is not just documentation per se that is demanded, but also an evaluation of the documentation using appropriate tools.

Specific control and security measures for internet payments

Before being granted access to an internet payment system, customers should be properly identified for money laundering prevention purposes (section 4 of the Money Laundering Act (Geldwäschegesetz – GWG)). Because customers or their devices themselves are targets of cyber-criminal attacks, they must be taught how to use the internet payment system correctly and about security-related matters.

Two core components of specific control and security measures relate to the initiation of transactions. Firstly, strong customer authentication is called for; this is explained in the following section. Secondly, transactions themselves must be monitored.

Strong customer authentication

It is not only the initiation of payments that needs to be protected by strong authentication; so, too, does access to sensitive payment data. According to the definition in the Circular, strong customer authentication requires at least two elements from the following three categories:

  1. knowledge – something only the customer knows (e.g. password, PIN)
  2. ownership – something only the customer possesses (e.g. a ChipTAN card-reader)
  3. inherence – something the customer is (e.g. a unique biometric characteristic, such as a retina or fingerprint)

The elements need to be chosen in such a way that the theft or breach of one of them does not compromise the others. Furthermore, at least one item must be chosen in such a way that it cannot easily be stolen via the internet. When being transmitted, the authentication data must be protected by encryption methods.

The MaSI stipulate certain instances in which PSPs may dispense with strong customer authentication: credit card transactions, payments to beneficiaries included in previously established white lists for the customer and low value payments within the meaning of the Payment Services Directive. Transactions may also be effected within a PSP without strong customer authentication if they are between accounts held by the same customer with the same PSP or if they are justified by a transaction risk analysis.
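As an added illustration of the two rules above (the definition of strong customer authentication and the cases in which it may be dispensed with), the following Python policy check is not part of the Circular or of BaFin's material. It assumes that elements held on distinct devices count as independent, and the low-value threshold is a placeholder because the page does not state the PSD figure.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AuthElement:
    category: str                    # "knowledge", "possession" or "inherence"
    name: str                        # e.g. "PIN", "chipTAN reader"
    device: str                      # where the element is held or entered; assumption:
                                     # elements on distinct devices count as independent
    resistant_to_remote_theft: bool  # cannot easily be stolen via the internet

@dataclass(frozen=True)
class Transaction:
    amount_eur: float
    payer_customer: str
    payee_account: str
    payer_psp: str
    payee_psp: str
    payee_customer: Optional[str] = None   # set when the payee holds an account at payer_psp
    is_credit_card: bool = False
    risk_analysis_low_risk: bool = False   # result of the PSP's own transaction risk analysis

LOW_VALUE_LIMIT_EUR = 30.0  # placeholder: the PSD low-value threshold is not stated on the page

def is_strong_authentication(elements):
    """Check presented elements against the MaSI definition: returns (ok, reason)."""
    if len({e.category for e in elements}) < 2:
        return False, "fewer than two distinct categories"
    devices = [e.device for e in elements]
    if len(set(devices)) < len(devices):
        return False, "elements share a device, so one breach compromises more than one"
    if not any(e.resistant_to_remote_theft for e in elements):
        return False, "no element is resistant to theft via the internet"
    return True, "strong customer authentication"

def sca_exemption(tx, whitelist):
    """Return the exemption that lets the PSP dispense with SCA, or None if SCA is required."""
    if tx.is_credit_card:
        return "credit card transaction"
    if tx.payee_account in whitelist.get(tx.payer_customer, set()):
        return "beneficiary on the customer's previously established white list"
    if tx.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return "low-value payment"
    if tx.payer_psp == tx.payee_psp and tx.payee_customer == tx.payer_customer:
        return "transfer between accounts of the same customer at the same PSP"
    if tx.payer_psp == tx.payee_psp and tx.risk_analysis_low_risk:
        return "intra-PSP transfer justified by transaction risk analysis"
    return None

def may_initiate(tx, whitelist, presented):
    # Decide whether initiation may proceed on the authentication actually presented.
    exemption = sca_exemption(tx, whitelist)
    if exemption is not None:
        return True, "SCA dispensed with: " + exemption
    return is_strong_authentication(presented)
```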

Implementation of strong customer authentication

Many German PSPs already offer customer authentication procedures based on two independent factors, whereby e.g. the PIN must be used in combination with TAN generators or mobile TANs. But some PSPs still have to implement strong two-factor authentication procedures. It should be borne in mind here that Payment Services Directive II may give rise to new requirements.

However, two-factor authentication on its own is not enough. It can only serve as one component among several others to combat cyber-attacks. Other risks that need to be taken into consideration are those arising from malware and man-in-the-middle attacks. The latter involve attackers trying to gain control of data communication between customer and merchant or between customer and third-party PSP, in order to be able to look at and manipulate the data as they wish.

Transaction monitoring

Before final authorisation of a transaction, it should be screened and evaluated to check whether there are any signs of possible fraud. This is comparable to the money laundering prevention requirements: pursuant to section 25g (2) of the KWG credit institutions must have IT-based monitoring systems that, in addition to money laundering and the financing of terrorism, also help to prevent other criminal acts. (Cf. BaFin Interpretation and Application Notes on sec. 25c of the KWG, only available in German.)

The MaSI provide instructions on the data that PSPs can use to forecast the probability of a fraudulent transaction. When implementing these, it should be borne in mind that these data themselves may need protecting since they are as a rule personal data, e.g. a customer’s IP address. For that reason the actual design of transaction monitoring should incorporate appropriate standards, in particular data protection law and Part AT 7.2 no. 2 of the MaRisk.
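The following added Python example (not code from BaFin or the Circular) shows a pre-authorisation screen of the kind described above, run over constructed sample transactions. The signals, weights and thresholds are illustrative assumptions, and the customer's IP address is stored only as a keyed hash, one way of treating it as the personal data the article says it is.

```python
import hashlib
import hmac
from statistics import mean

# Constructed key for this example; in production it would live in a KMS/HSM and be rotated.
PSEUDONYMISATION_KEY = b"example-only-key"

def pseudonymise_ip(ip):
    """Keyed hash so the customer profile never holds the raw IP address."""
    return hmac.new(PSEUDONYMISATION_KEY, ip.encode(), hashlib.sha256).hexdigest()[:16]

# Constructed profile: what the PSP has learned from the customer's earlier, legitimate payments.
PROFILE = {
    "known_ips": {pseudonymise_ip("198.51.100.7")},   # RFC 5737 documentation address
    "known_payees": {"DE00-PAYEE-1"},                 # constructed account identifier
    "past_amounts_eur": [42.0, 55.5, 38.0, 60.0, 49.9],
}

def signals(tx, profile):
    """Yield (weight, reason) for each risk signal; weights are illustrative, not calibrated."""
    if pseudonymise_ip(tx["ip"]) not in profile["known_ips"]:
        yield 2, "IP address never seen for this customer"
    if tx["payee"] not in profile["known_payees"]:
        yield 2, "new beneficiary"
    typical = mean(profile["past_amounts_eur"])
    if tx["amount_eur"] > 5 * typical:
        yield 3, f"amount {tx['amount_eur']:.2f} is more than 5x the typical {typical:.2f}"
    if tx["initiations_last_10_min"] >= 3:
        yield 2, "several initiations within ten minutes"

def screen(tx, profile=PROFILE):
    """Evaluate a transaction before final authorisation: returns (score, decision, reasons)."""
    found = list(signals(tx, profile))
    score = sum(w for w, _ in found)
    if score >= 5:
        decision = "hold"      # suspend authorisation and escalate to fraud review
    elif score >= 3:
        decision = "step-up"   # ask for confirmation over a second, independent channel
    else:
        decision = "approve"
    return score, decision, [r for _, r in found]

# Constructed sample transactions (203.0.113.9 is also a documentation address).
SAMPLES = [
    {"id": "t1", "ip": "198.51.100.7", "payee": "DE00-PAYEE-1", "amount_eur": 48.0, "initiations_last_10_min": 1},
    {"id": "t2", "ip": "203.0.113.9", "payee": "DE00-NEW-9", "amount_eur": 52.0, "initiations_last_10_min": 1},
    {"id": "t3", "ip": "203.0.113.9", "payee": "DE00-NEW-9", "amount_eur": 600.0, "initiations_last_10_min": 4},
]

def screen_all(samples=SAMPLES):
    """Map each sample id to its screening decision."""
    return {s["id"]: screen(s)[1] for s in samples}
```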

Customer awareness, education and communication

Many security measures can work properly only if customers themselves pay due care and attention. Phishing attacks and other variants of social engineering – i.e. influencing people with a view to getting them to disclose their data – are aimed directly at them. For cyber-criminals, such people’s devices, e.g. computers or tablets, are also obvious targets for man-in-the-middle attacks.

As early as the registration stage PSPs must therefore provide their customers with comprehensive and readily understandable information on using the internet payment system correctly and securely and on essential basic conditions. In addition, customers must be provided with information and teaching on security issues.

Since their devices may be attacked, customers should be provided with at least one secure alternative communication channel. This may include e.g. branches or written correspondence.

Requirements for PSPs of e-merchants

Various parts of the MaSI include special requirements for the PSPs of e-merchants, i.e. settlement PSPs, merchant banks or acquirers. Indirectly, the requirements also concern the merchants themselves and are to be implemented by the PSPs contractually.

E-merchants that store, process or transmit sensitive payment data that they come into contact with shall therefore be obliged to take certain security measures. They must be further obliged to cooperate with the settlement PSPs and the law enforcement agencies in the event of major payment security incidents. Furthermore, when payments are being initiated, PSPs and merchants must authenticate one another.

In addition to the foregoing, for internet payments by credit card e-merchants shall be obliged to use technologies that enable the issuer to undertake strong authentication of the cardholder. Alternative authentication measures may be considered for previously identified low-risk transactions or for low-value payments. The e-merchant’s website is to be made suitably secure against theft and unauthorised access or changes. Furthermore, for the benefit of the customer e-merchants must clearly separate payment-related processes from the online shop.

If e-merchants fail to meet the terms of their contracts, the PSPs must remind them of their duty to comply with them and if necessary impose sanctions up to and including termination of the contracts. PSPs must monitor the activities of the merchants in order to prevent fraud.

Audits

The ECB has published on its website an Assessment Guide for the Security of Internet Payments, which was compiled by the SecuRe Pay Forum. Internal Audit departments and banks’ external auditors may use this guide as a tool.

However, the Guide does not represent an interpretation of the MaSI by BaFin, nor does it replace auditors’ own deliberations. The Circular remains the authentic and legally binding text. In cases of doubt BaFin will therefore always decide on the basis of this text.

Outlook: Payment Services Directive II

Payment Services Directive II will bring many changes and innovations in internet payments for PSPs, e-merchants, customers and other market participants. It can be expected that the EBA will issue new guidelines on the basis of PSD II, especially on detailed issues of customer authentication and reporting.

The MaSI are therefore transitional in nature. However, BaFin still expects PSPs to prepare for the world of PSD II in good time by rigorously implementing the MaSI. This also includes anticipating the requirements of PSD II in new projects at an early stage. Changes that may arise up to the time PSD II is adopted or while EBA guidelines are being drawn up are to be treated as project risks.

The MaSI reflect the important recognition of the fact that one security measure on its own will not fit the bill. For internet payments to be secure, comprehensive security measures must be coordinated, constantly reviewed and added to and updated over the course of time.

In order to ensure that risk management and collective consumer protection in internet payments are effective, PSPs must incorporate customers and e-merchants in their measures. In addition, they also have a responsibility to exceed the minimum requirements of the Circular if necessary.
