The mission of the Secure Payments Task Force was to provide a forum for stakeholders to advise the Federal Reserve in its leader/catalyst and operator roles on payment security matters, and identify and promote actions that can be taken by payment system participants collectively or by the Federal Reserve System. The Secure Payments Task Force established work groups, including the Data Protection Work Group, to advance its efforts. The work group members, operating from mid-2016 through the conclusion of the task force in 2018, identified their respective views on payment security challenges, industry desired outcomes and solutions as outlined below.
The number and scope of payments system participants involved in the development of data protection guidelines and standards is limited and there is a lack of practical, understandable, relevant information that allows industry participants to have actionable plans to protect payment data wherever it is gathered, transmitted and stored.
These challenges result in a lack of alignment on how data protection rules are established and who has governance of them leading to requirements and guidelines that may not meet the needs of or address the threats faced by all payment participants. In addition, not all payment system participants understand what is required to protect payment data and may not fully understand the gravity and impact of payment data compromises. A certain level of guidance and standards are available, but not everyone has the resources or knowledge to leverage this information.
A stakeholder-developed and industry adopted framework for protecting sensitive payment data at rest and in transit that leads to a common understanding among payment industry participants on how to identify and appropriately protect sensitive payment data and manage risk throughout the end-to-end payments process.
The following outlines the phases of the group’s work.
Phase 1—Conduct an analysis and publish a list of existing standards and requirements that address payment data protection, and education and awareness for industry participants to foster awareness of best practices for protecting payment data
Phase 2—Document and publish an inventory of sensitive payment data, the risk associated with the data, existing data protection principles and standards for the payments industry, a list of gaps in current industry data protection standards/requirements, and recommendations for improvement to the relevant industry standards bodies
Phase 3—Document and publish a stakeholder-developed and industry-adopted data protection framework that addresses the confidentiality, integrity and availability of payment data and identifies standards for appropriately managing the risk of the data by payment industry participants throughout the end-to-end payments process. The framework will include a set of baseline security measures for protecting payment data by participant across the end-to-end payment transaction processes (e.g. data and system security requirements, domain specific credentials, multi-factor authentication) and devaluing payment data wherever possible.