Financial Institutions Rule FIR/04 2015 – Security of Internet Payments of Credit, Payment, and Electronic Money Institutions

By Admin Admin With With 0 Comments

The MFSA is empowered by the Financial Institutions Act to make Financial Institutions Rules.

In August 2015, the MFSA issued a new rule on the Security of Internet Payments of Credit, Payment, and Electronic Money Institutions (the “Rule”). This rule adopts the provisions of the Guidelines on the Security of Internet Payments, that was issued by the European Banking Authority (“EBA”) on December 19th, 2014. The EBA Guidelines establish a set of minimum requirements in the field of internet payments security, and continue to build on the rules of the Payment Services Directive.

This Rule does not apply to:

  1. Internet payment services other than the following, irrespective of the access device used:
  • the execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in “wallet solutions”;
  • the execution of credit transfers on the internet;
  • the issuance and amendment of direct debit electronic mandate; and
  • transfer of electronic money between two e-money accounts via the internet.

2. Payments where the introduction is given by post, telephone order, voicemail or using SMS-based technology;

3. Mobile payments other than browser-based payments;

4. Credit transfers where a third party accesses the customer’s payment account;

5. Payment transactions made by an enterprise via dedicated networks;

6. Card payments using anonymous and non-rechargeable physical or virtual prepaid cards where there is no ongoing relationship between the issuer and the cardholder; and

7. Clearing and settlement of payment transactions.

General Control and Security Environment


Payment Service Providers (“PSPs”) are to implement and regularly review a formal security policy for internet payment services. The policy shall define security objectives and the risk appetite, as well as set roles and responsibilities, including the risk management function.

Risk Assessment

PSPs must carry out thorough risk assessments prior to establishing the service and regularly after, at least on a yearly basis. PSPs should consider the risks associated with the chosen technology platforms, application architecture, programming techniques and routines on their side as well as on the customer’s side.


PSPs are required to have processes in place to ensure that transactions can be traced. This includes security mechanisms that will keep detailed logs of transaction and e-mandate data, including the transaction sequential number, timestamps for transaction data. Log files should be kept to document, and be able to trace, any addition, change or deletion of the abovementioned data.

Specific Control and Security Measures for Internet Payments

PSPs must, before granting customers access to internet payment services, properly identify customers in compliance with the Prevention of Money Laundering and Funding of Terrorism Regulations; the Implementing Procedures issued by the Financial Intelligence Analysis Unit; and any anti-money laundering legislation in other relevant jurisdictions, as may be applicable. Additionally, a customer authentication procedure must be implemented in order to protect the initiation of internet payments, identify abnormal patterns in customer payments, prevent fraud, and protect access to sensitive payment data.

PSPs are also required, where necessary, to provide assistance to their customers for the safe use of the payment services. Customer awareness, education, and communication, are necessary to ensure the safe and efficient use of such services. The PSPs are to establish a secure channel between them and their customers, via which sensitive data such as emerging risks can be transmitted. It is necessary for the benefit of all the parties involved to maintain and control a safe environment. Thus, customer educational programs will help customers understand the need and benefits of security. At a minimum, customers need to know certain things, such as, protecting passwords, security tokens, confidential data, etc.

This rule was entered into force on August 7th, 2015.