ECB: Guide for the assessment of card payment schemes against the oversight standards

25 February 2015

This assessment guide is intended both for the CPSs’ governance authorities responsible for ensuring compliance, and for the overseers conducting the oversight of both national and international CPSs based on the Eurosystem oversight standards for CPSs.

The Eurosystem has developed oversight standards for card payment schemes (CPSs), with a particular focus on the security and efficiency of card payments. This assessment guide supports a comprehensive and efficient assessment against the “Oversight framework for card payment schemes – standards”.

This assessment guide has been updated with the incorporation of the “Recommendations for the security of internet payments” that were approved by the Governing Council in January 2013, as well as the “Assessment guide for the security of internet payments” of February 2014. Certain requirements coming from these two documents may be directly addressed to payment service providers (PSPs).

As explained in the “Harmonised oversight approach and oversight standards for payment instruments”, the Eurosystem intends to avoid overlaps and duplication of work between the oversight standards for payment instruments and other oversight activities or activities carried out by supervisory bodies. Accordingly, overseers may consider relevant assessments or activities of supervisory bodies when conducting their assessment of those specific requirements.

The assessment guide outlines the general requirements that overseen CPSs should follow in order to provide the general business and statistical information needed, and to respond properly to all assessment questions (AQs), following the specific oversight guidelines on what should be expected by the overseers for each AQ. In principle, the CPSs are expected to answer each of the AQs with a “Y” or “N”, providing sufficient justification and evidence, and attaching supporting background information and documents.

This assessment guide enables the overseers of national and international schemes to be transparent towards the market concerning the oversight assessment process and should also help to avoid disagreements and misinterpretations across countries. As a result, this assessment guide provides the overseer with reasonable assurance that the AQs were answered appropriately. Finally, it should be used as a guide for determining the CPSs’ level of observance for each of the oversight standards and will serve as the broad layout for the final oversight report.

The Eurosystem addresses its oversight standards to the governance authority of the CPS. The concept of “governance authority” with regard to CPSs relates more to specific functions than to an individual entity. It is possible that the functions are assumed by different entities at different levels. Each entity is responsible for the function(s) it performs within the scheme and is the addressee of the oversight standards in this respect. If there is more than one entity for a given scheme, they are jointly accountable for the overall functioning of the CPS, for promoting the payment instrument, for ensuring compliance with the scheme’s rules and for setting clearly defined, transparent, complete and documented boundaries for their responsibilities within this scheme.

These entities must then jointly ensure that all relevant standards of the oversight framework are met. Oversight activities will be conducted taking into account the division of responsibilities. The assessment guide uses the wording “the GA requires service providers and/or PSPs to” when a topic is addressing the general functioning of a payment instrument and has the potential to significantly impact a scheme. Nevertheless, all measures taken and all activities carried out within the scheme should be in line with the security policies defined by the actor(s) performing governance functions. The Eurosystem focuses its approach to the oversight of payment instruments on issues of scheme-wide importance that are under the control of the governance authority of the scheme providing the payment instrument.

Section 1 outlines the reporting methodology to be applied, the general information to be provided by each CPS, the statistical information to be reported and the requirements for incident reporting.

Section 2 lists the assessment questions, which focus exclusively on gathering specific information that the Eurosystem considers indispensable for a reliable assessment of a CPS. Although the AQs are very detailed, they should not be considered prescriptive as regards the organisation of the card payment business. Indeed, the Eurosystem is aware that different options could be equally satisfactory in terms of reaching an acceptable level of resilience for each CPS oversight standard. This will be taken into account throughout the assessment process.

The assessment questions are complemented by a check-list providing further guidance on how to ensure that a question is answered in sufficient detail and interpreted in a consistent way. The items in these check-lists describe generic situations which may not be of relevance for a specific scheme. It must be noted that a limited number of these items refer to best practices outlined in the “Recommendations for the security of internet payments”. Compliance with such check-list items is not mandatory and will not be scored during the assessment process. The GA is nevertheless encouraged to indicate its compliance with them.


© ECB - European Central Bank