6.7 Complying with Payment Services Regulations
Payment processing regulations are defined by the card schemes, together with local and internal regulatory bodies and financial authorities/ombudsmen. See also Regulation of Card Network Participants.
Below is a list of common regulations. Check with your Thredd development manager for additional regulations specific to your region.
| Regulation | Description |
|---|---|
| Payment Card Industry Data Security Standard (PCI DSS) | An information security standard for organisations that handle credit cards from the major card schemes. All program managers who handle customer card data must be compliant with this standard, and compliance must be validated annually. |
| Payment Application Data Security Standard (PA-DSS) | Applicable to any payment applications you develop or use which store, process or transmit cardholder data and/or sensitive authentication data as part of authorisation and settlement. |
| Second Payment Services Directive (PSD2) | This European Union (EU) Directive from the European Central Bank (ECB) introduced some important new rules relating to open banking to enhance the security of card payments by requiring additional levels of cardholder authentication during a payment transaction (a process called Strong Customer Authentication, or SCA). The rules came into force in 2021 and have been widely adopted across Europe and the UK. Other regions are introducing similar legislation to support open banking and reduce card-not-present (CNP) fraud, such as the Consumer Data Right (CDR) in Australia, Open Banking initiatives in Singapore, the Open Banking Framework in Bahrain and the Japanese Banking Act. |
| General Data Protection Regulation (GDPR) | EU regulation covering data privacy and security of user data, designed to ensure that customer data is only collected, stored and processed for legitimate business purposes, with the consent of the customer. Other regions may have similar data protection legislation, such as the Personal Data Protection Act (PDPA) in Singapore, the Privacy Act 1988 and Information Privacy Act 2014 in Australia, the Federal Law on the Protection of Personal Data in the United Arab Emirates (UAE) and the Act on the Protection of Personal Information (APPI) in Japan. Your organisation should be compliant with GDPR regulations in your region. |
| Anti-Money Laundering (AML) | AML requirements vary, depending on the region in which you are located. |
| Card Scheme Rules | The card schemes issue their own rules and regulations, to which all network participants must adhere. It is the responsibility of all issuers and program managers to be aware of these scheme rules. |
6.7.1 Where to find out more?
- PCI Compliance: https://www.pcisecuritystandards.org/pci_security/
- PSD2 and SCA: PSD2 and SCA Guide.
- GDPR: https://gdpr.eu/