Payment service providers (PSPs) have been issued with guidelines to follow in the event of a security breach, in a new consultation paper issued by the European Banking Authority (EBA) working with the European Central Bank (ECB).
Suggested mandates include notifying authorities of an incident within two hours from the moment the breach is detected, compared to the General Data Protection Regulation (GDPR) requirement of notice within 72 hours of breach detection.
The proposed two-hour notification, which would be the first in a series of required reports, is part of a standardised template which the regulators say will help manage information throughout the investigation of a security breach. Initial reports are not expected to provide detailed information, but serve as an overview of what occurred and the impact it might have had. While the two-hour window sounds draconian, only a “high-level notification” is required immediately, said Robert Bond, a data protection expert and partner at Charles Russell Speechlys, talking to US press.
According to the consultation paper, “These draft guidelines set out the criteria, thresholds and methodology to be used by payment service providers in order to determine whether an operational or security incident should be considered major and, therefore, be notified to the competent authority in the home member state.”
There will be a public hearing on the consultation at the EBA on 9 February 2017, and comments on the consultation should be sent by 7 March 2017.