Cybersecurity of payment services – letter of KNF Chairman

On February 15^th, 2021, the Chairman of the Polish Financial Supervision Authority (KNF), in a letter addressed to payment service providers, including banks, credit unions, and domestic payment institutions, indicated typical cybersecurity gaps in electronic access channels to payment services. The letter also contains specific supervisory guidelines for addressing these gaps.

Main topics covered by the letter:

1. possibility to exclude strong customer authentication (SCA) for low-value transactions [art. 16 Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication] shall always be optional, whereas the customer’s consent for disabling SCA shall always be explicit and informed,
2. including active hyperlinks in e-mail or text messages (SMS) shall be no longer used and replaced with providing information through mobile apps and e-banking platforms (web services),
3. attachments to e-mail messages shall be secured with secure passwords, whereas the passwords shall not be created using the personal data of clients and should be provided to the customer in a separate communication channel.

Even though the KNF Chairman’s guidelines are not binding and are not an official interpretation of the law, they will surely be respected by KNF and required from market participants.