69
ECB
Guide for the assessment of direct debit schemes against the oversight standards
November 2014
2 Oversight assessment questions for direct debit schemes and oversight guidelines
Term / Definition

Sensitive payment data
Sensitive payment data are defined as data which could be used to carry out fraud. These include data enabling a payment order to be initiated, data used for authentication, data used for ordering payment instruments or authentication tools to be sent to customers, as well as data, parameters and software which, if modified, may affect the legitimate party’s ability to verify payment transactions, authorise electronic mandates or control the account, such as “black” and “white” lists, customer-defined limits, etc.
An indicative list of elements that could, depending on the circumstances under which the data are used, be considered as sensitive payment data is provided below. The overseen entity should provide the overseer with a list of elements it considers as sensitive payment data; based on this, the overseer/supervisor will decide on a case-by-case basis taking into account the respective business models.
a) The set of data enabling a payment order to be initiated, e.g.:
   - payment account identifiers of the customer stored at the PSP: IBAN (or equivalent). The BIC should not be considered as sensitive data;
   - payment card data: PAN, expiry date, CVx2;
b) Data used for authentication (when applicable and used in this context), e.g.:
   - customer identifiers (e.g. client number/log-in name);
   - passwords, codes, PIN, secret questions, reset passwords/codes;
   - phone number (mobile or landline, when applicable);
   - certificates;
c) Data used for ordering payment instruments or authentication tools to be sent to customers (in the case of a PSP offering this functionality online, otherwise these data are not considered as sensitive), e.g.:
   - client’s postal address, phone number or e-mail address;
d) Data, parameters and software stored in the PSP’s systems, which, if modified, may undermine the security of the delivery of payment instruments or authentication tools to the customer or may affect the latter’s ability to verify payment transactions, authorise e-mandates or control the account, e.g.:
   - “black” and “white” lists, customer-defined limits, etc.;
   - data outlined in (a), (b) and (c) depending on applicability and methods used.
Service providers
Service providers encompass PSPs, technical service providers offering technical services within the scheme (e.g. communications network service, IT service), the clearing provider and the settlement provider.

Settlement agent (settlement institution, settlement bank)
The institution across whose books transfers between participants take place in order to achieve settlement within a settlement system (e.g. national central banks in the case of TARGET2).

Settlement arrangement
A settlement arrangement consists of a settlement system or standardised arrangements, as well as any contracts between direct debit scheme actors regarding the settlement of direct debit transactions. A settlement system is a system used to facilitate the transfer of funds, assets or financial instruments.

Settlement provider (settling participant, settlement bank, settling member)
An institution which maintains one or more accounts with a settlement agent in order to settle funds on its own behalf or, potentially, for other market participants (i.e. PSPs).
Strong customer authentication
Strong customer authentication is a procedure based on the use of two or more of the following elements – categorised as knowledge, ownership and inherence: (i) something only the user knows, e.g. static password, code, personal identification number; (ii) something only the user possesses, e.g. token, smart card, mobile phone; and (iii) something the user is, e.g. biometric characteristic, such as a fingerprint. In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.
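The definition above packs three testable rules into one paragraph: at least two distinct element categories, mutual independence of the chosen elements, and at least one non-reusable element outside the inherence category. The following Python is an added example, not part of the ECB guide or of any scheme's own tooling, that turns those rules into an assessment function an overseer or assessor could run over a described authentication design. Two modelling choices are assumptions of this example rather than statements from the guide: independence is approximated by requiring that no two elements travel over the same channel, and the "non-reusable" clause is read as requiring at least one one-time knowledge or ownership element. The element names and sample sets are constructed for illustration.

```python
# Added example (not from the ECB guide): assess a proposed set of authentication
# elements against the glossary definition of strong customer authentication.
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass(frozen=True)
class AuthElement:
    name: str
    category: str   # one of KNOWLEDGE, POSSESSION, INHERENCE
    reusable: bool  # True for a static secret, False for a one-time value
    channel: str    # device or path the element is obtained through
                    # (assumed proxy for "mutually independent")


def assess_sca(elements):
    """Return (ok, findings).

    ok is True only when every rule of the definition holds; findings lists
    each rule that fails, so an assessor can see why a design was rejected.
    """
    findings = []

    # Rule 1: two or more distinct categories (knowledge, ownership, inherence).
    categories = {e.category for e in elements}
    if len(categories) < 2:
        findings.append("fewer than two distinct categories of element")

    # Rule 2: mutual independence. Assumption of this example: elements that
    # share a channel are treated as compromisable together.
    channels = [e.channel for e in elements]
    if len(channels) != len(set(channels)):
        findings.append("two elements share a channel, so breaching one may compromise the other")

    # Rule 3: at least one non-reusable element, inherence excepted. Assumption of
    # this example: read as "at least one one-time knowledge or ownership element".
    non_inherence = [e for e in elements if e.category != INHERENCE]
    if not any(not e.reusable for e in non_inherence):
        findings.append("no non-reusable knowledge or ownership element")

    return (not findings, findings)


# Constructed sample designs (illustrative only).
STATIC_PASSWORD_ONLY = [
    AuthElement("static password", KNOWLEDGE, True, "browser"),
]
PASSWORD_AND_APP_CODE = [
    AuthElement("static password", KNOWLEDGE, True, "browser"),
    AuthElement("one-time code from authenticator app", POSSESSION, False, "phone"),
]
TWO_SECRETS_SAME_CHANNEL = [
    AuthElement("static password", KNOWLEDGE, True, "browser"),
    AuthElement("one-time code displayed in the same browser session", KNOWLEDGE, False, "browser"),
]


if __name__ == "__main__":
    for label, design in [("password only", STATIC_PASSWORD_ONLY),
                          ("password + app code", PASSWORD_AND_APP_CODE),
                          ("two secrets, one channel", TWO_SECRETS_SAME_CHANNEL)]:
        ok, findings = assess_sca(design)
        print(f"{label}: {'meets definition' if ok else 'does not meet definition'}")
        for f in findings:
            print(f"  - {f}")
```

The function returns the failed rules rather than a bare yes/no, because in an oversight assessment the useful output is the specific gap (for example "two secrets, one channel" fails on both category diversity and independence) that the overseen entity must remediate.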
Technical service providers
Providers that offer technical services within the scheme, such as the communications network service, IT service or other technical services.

Transaction phase
The transaction phase is the whole process of the execution of a direct debit, starting from the collection initiated by the payee up to its finality (the normal execution, or the reject, return or refund of the collection). It is the end-to-end execution of a direct debit payment.

Transaction risk analysis
Evaluation of the risk related to a specific transaction taking into account criteria such as customer payment patterns (behaviour), the value of the related transaction, the type of product and the payee profile.

Wallet solutions
Solutions that allow a customer to register data relating to one or more payment instruments in order to make payments with several e-merchants.