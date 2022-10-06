HKMA sets out supervisory expectations on payment card security in light of increase in data breach incidents

The HKMA has issued a circular to inform authorised institutions (AIs) of its supervisory expectations on payment card security. In light of the growing number of data breaches involving payment cards, the HKMA has provided additional guidance to the system operators and settlement institutions of retail payment systems designated under the Payment Systems and Stored Value Facilities Ordinance (card scheme operators, or CSOs). Under the guidance, the relevant CSOs are required to implement a robust data security framework covering their participants and third-party service agents, both to minimise the risk of data breaches and to limit the resulting damage when such breaches do occur. CSOs are expected to incorporate the requirements of the additional guidance into their rules and procedures. The updated rules and procedures should require scheme participants (including AIs operating as card issuers or merchant acquirers) to:

apply specified baseline technical and operational standards designed to protect payment data and payment card credentials within their operations;

subject the third-party service agents they use to the data security standards promulgated by the CSOs, and periodically monitor and validate those agents' compliance with the specified standards; and

report actual or suspected data breaches and cyberattacks in a timely manner to the CSOs, the HKMA and other relevant regulators.

The HKMA expects AIs that are participants in payment card networks to take active steps to comply with the updated rules and standards of the CSOs. The key areas deserving management attention include conducting proper due diligence on service agents before engagement, undertaking ongoing monitoring, reporting incidents promptly, and supporting card scheme operators in performing their roles. The HKMA will consider undertaking a round of thematic examinations to check AIs' compliance with these supervisory expectations, and will continue to work with the banking sector and CSOs to explore ways of further strengthening payment card security, such as tokenisation of payment card data. [23 Sep 2022]

