EBA has published its final guidelines on security measures for operational and security risks of payment services required by PSD2. The guidelines require PSPs to have in place:
- an effective operational and security risk management framework
- processes to detect, prevent and monitor potential security breaches and threats
- risk assessment procedures
- regular testing
- processes to raise awareness among payment service users of security risks and risk-mitigating actions
Since the consultation draft of the guidelines, EBA has clarified the meaning of proportionality and explained why certification processes of security measures are not included.