The Security of Retail Payments (SecuRe Pay) working group was established in the spring of 2011 by EU central banks and national supervisory authorities. Other members of the group are the European Central Bank (ECB) and the European Banking Authority (EBA). The European Commission, Europol and the central banks and national supervisory authorities of Norway, Liechtenstein and Iceland have observer status.
In January 2013, SecuRe Pay published a set of recommendations for increasing the security of online payments. The recommendations are aimed at payment service providers as defined in the Payment Services Directive. The deadline for implementing these recommendations is 1 February 2015.
SecuRe Pay has also prepared recommendations regarding third-party access to payment accounts. These recommendations are aimed at third parties offering payment services via bank accounts. A service provider that is an account controller and offers services to its own customers is not a third party in this sense, and so is not covered by the recommendations regarding third-party access to payment accounts. Instead, the account controller is covered by the recommendations on secure online payments. Third parties might offer, for example, payment initiation services or account information services. The recommendations are made public, but the authorities would neither expect nor enforce their implementation. The recommendations are addressed to the EBA for its drafting of guidelines on security measures, cf. the role of the EBA in the revised draft of the Payment Services Directive. SecuRe Pay has published a note on the security of payment account access services.
SecuRe Pay has also prepared draft recommendations on secure mobile payments. The draft recommendations cover all payments initiated by a consumer using a mobile phone, except for cases where the consumer uses the mobile phone to gain access to a web browser and hence the Internet. In the latter case, the recommendations on secure online payments apply. In practice, the recommendations cover three payment categories: contactless payments (e.g. using NFC technology), payments using mobile phone applications (apps) downloaded by the consumer to the mobile phone, and payments via a telecom operator's network (using text messages, USSD or voice technology) without any specific application having been installed (referred to as text payments). The draft recommendations regarding secure mobile payments were subject to public consultation until 31 January 2014.