The mission of the Secure Payments Task Force is to provide a forum for stakeholders to advise the Federal Reserve in its leader/catalyst and operator roles on payment security matters, and identify and promote actions that can be taken by payment system participants collectively or by the Federal Reserve System. The Secure Payments Task Force established work groups, including the Data Protection, in an endeavor to advance its efforts. The work group identified their respective views on payment security challenges, industry desired outcomes and solutions as outlined below.
The number and scope of payments system participants involved in the development of data protection guidelines and standards is limited and there is a lack of practical, understandable, relevant information that allows industry participants to have actionable plans to protect payment data wherever it is gathered, transmitted and stored.
These challenges result in a lack of alignment on how data protection rules are established and who has governance of them leading to requirements and guidelines that may not meet the needs of or address the threats faced by all payment participants. In addition, not all payment system participants understand what is required to protect payment data and may not fully understand the gravity and impact of payment data compromises. A certain level of guidance and standards are available, but not everyone has the resources or knowledge to leverage this information.
A stakeholder-developed and industry adopted framework for protecting sensitive payment data at rest and in transit that leads to a common understanding among payment industry participants on how to identify and appropriately protect sensitive payment data and manage risk throughout the end-to-end payments process.
The following outlines the phased solution set the work group is planning to execute to achieve the desired outcome.
Phase 1—Conduct an analysis and Publish a list of existing standards and requirements that address payment data protection, and education and awareness for industry participants on best practices for protecting payment data
Phase 2—Document and publish an inventory of sensitive payment data, the risk associated with the data and existing data protection principles and standards for the payments industry and a list of gaps in current industry data protection standards/requirements and recommendations for improvement to the relevant industry standards bodies
Phase 3—Document and publish a stakeholder-developed and industry adopted data protection framework that addresses the confidentiality, integrity and availability of payment data and identifies standards for appropriately managing the risk of the data by payment industry participant throughout the end-to-end payments process. The framework will include a set of baseline security for protecting payment data by participant across the end to end payment transaction processes (e.g. data and system security requirements, domain specific credentials, multi-factor authentication) and devaluing payment data wherever possible.