Supporting PSD2 Compliance with ISO Certification

The second Payment Services Directive (PSD2), affecting Payment Service Providers (PSPs), came into force for EU member states in January 2018, and from mid-2019 the associated Regulatory Technical Standards (RTS) on “Strong Customer Authentication and common and secure communication” applied.

The directive also provides a set of Guidelines on the “security measures for operational and security risks of payment services” which organisations need to meet.

While there are many approaches to compliance, several key areas of the guidance can be met by implementing an ISO Management System, or by utilising one you already have. This provides a structured approach to PSD2 compliance, and may also achieve efficiencies in your existing processes and controls.

ISO 9001 for PSD2 Compliance

There are many areas of PSD2 which require your organisation to have a good understanding of its business processes.

Process mapping your activities as part of an ISO 9001 Quality Management Standard provides a strong foundation for PSD2 and other ISO Standards which can be built around the same framework.

Guideline 3 for Risk Assessment explicitly asks for an inventory of business functions:

  • 3.1  PSPs should identify, establish and regularly update an inventory of their business functions, key roles and supporting processes in order to map the importance of each function, role and the supporting processes, and their interdependencies related to operational and security risks.

So if you haven’t already documented business activities and assigned roles and responsibilities, this is a good place to start.

ISO 31000 for Risk Management

Guideline 2 focuses on Governance and in particular, establishing an “effective operational and security risk management framework”.

The recently updated ISO 31000 provides principles, a framework and a process for managing risk. While there are many risk methodologies available, the common clause structure of Annex SL has embedded ISO 31000 throughout all modern management system standards, just as it has embedded Leadership as a core principle. Both can be applied to support PSD2 compliance.

ISO 27001 for PSD2 Compliance

The EBA Guidelines “stay silent” on the matter of Certification, and do not mandate it. However, there are obvious parallels with the 93 Controls within ISO 27001:2022.

Guideline 4 Protection can utilise, among others, the following areas of ISO 27001:

  • Access Control
  • Cryptographic Controls
  • Physical Security
  • Technical Controls
  • System Acquisition, Development & Maintenance
  • Compliance

While Guideline 5, Detection, can be supported by:

  • Clause 6 Monitoring, Measurement, including Internal Audit.
  • Access Control
  • Technical Controls
  • Incident Management

ISO 22301 for PSD2 Compliance

Guideline 6 provides some clear direction on business continuity management, which can be incorporated into an ISO 22301 Business Continuity Management System.

Key points from the EBA guidance to note:

  • There is a strong focus on scenario-based planning, including “extreme but plausible ones”.
  • An annual test is mandated, where ISO 22301 is more vague.
  • The scope of the test should include “critical functions, processes, systems, transactions and interdependencies”.
  • Documentation updates should also be at least annual, driven from test results, risks and improvements.

While ISO 22301 is a relatively new standard, many financial organisations are implementing a Business Continuity Management System to fit with their existing governance framework and to provide stakeholder assurance.

Summary

There have been several other changes to the legislative landscape for the financial industry including Open Banking and the Fourth Money Laundering Directive (Money Laundering Regulations 2017).

ISO Certification is not the end of the story

While this blog discusses how ISO can support PSD2 requirements, achieving ISO Certification alone does not guarantee compliance. ISO provides a minimum set of requirements that can be implemented in many different ways. The specific requirements of PSD2 that relate to your organisation need to be mapped into your management system framework to ensure it effectively meets your objectives.

Contact us to find out how we can help you with ISO Management Systems and PSD2 Compliance.

Robert Clements