Cybersecurity in Payment Solutions

Cybersecurity in the area of payments is a key element in protecting data and internal systems against the threat of cyberattacks. With the growing number of online transactions, the challenge becomes ensuring the security not only of IT systems but also of users’ personal and financial data. In this article, based on a webinar conducted by legal counsel Monika Macura on 21 October 2024, we discuss basic threats, regulations, and good practices in the area of cybersecurity for financial institutions. The full recording of the webinar “Cybersecurity in Payment Solutions” is available on YouTube.

The Most Significant Threats in the Area of Payments

Payment systems are exposed to various threats, the most common of which are:

  • Malicious software (malware), including viruses, trojans, and ransomware, which encrypts data and demands ransom for decryption; ransomware attacks often use social engineering techniques, such as phishing or vishing;
  • Phishing, in which cybercriminals impersonate employees of financial institutions to gain access to confidential data, such as passwords or payment card numbers;
  • Social engineering, meaning manipulation of people to gain unauthorised access to protected information;
  • DDoS attacks (Distributed Denial of Service), which overload servers, resulting in the loss of availability of services;
  • Spoofing, involving impersonation of another entity, e.g., a payment service provider, to deceive the user and extort funds.

These threats may lead to serious financial losses, privacy breaches, and reputational damage to financial institutions.

Ransomware – Specific Features and Prevention

Ransomware is one of the most dangerous types of malicious software, operating by encrypting the victim’s data and demanding ransom for unlocking it. Such attacks often employ social engineering. Examples include phishing and vishing, improperly secured remote accesses, or spoofing (including caller ID spoofing).

In May 2024, the Polish Financial Supervision Authority (KNF) issued guidelines on protection against ransomware, which include the following stages:

  • preparation – securing systems and training employees;
  • identification and rapid detection of attempted attacks;
  • containment and minimisation of the consequences of the attack through immediate actions;
  • external communication and reporting;
  • data recovery and restoration from backups;
  • incident analysis and implementation of conclusions.

New Rules of Liability of the Payment Service Provider for Spoofing

These rules are set out in the Regulation on Payment Services in the Internal Market (Payment Services Regulation, PSR), which defines spoofing as fraudsters impersonating an employee of the payment service provider.

A payer – a victim of spoofing – will be entitled to receive a refund of the full amount of the unauthorised payment transaction from the payment service provider, provided that this fraud is reported to law enforcement authorities, except in situations where the payer has acted with “dishonest intent” or “gross negligence.”

EU Regulations on Cybersecurity – DORA

In the European Union, issues related to digital security in the financial sector are regulated, inter alia, by the so-called DORA Regulation (Digital Operational Resilience Act), which enters into force on 17 January 2025.

DORA, which together with the MiCA and DLT regulations forms part of the EU digital finance package, aims to:

  • strengthen the digital resilience of financial institutions by introducing uniform rules on network and systems security;
  • impose an obligation on entities to report major incidents related to information technology;
  • ensure appropriate risk management concerning external ICT service providers;
  • impose an obligation to conduct regular tests of digital operational resilience, including penetration tests.

The regulation covers various entities, from banks and payment institutions to crypto-asset service providers.

Simplified DORA Rules for Certain Entities

The DORA Regulation also provides, to some extent, for differentiated, simplified rules applicable to certain entities:

  • so-called simplified ICT risk management frameworks;
  • simplified rules for certain requirements and obligations in the case of microenterprises (a microenterprise is an entity that employs fewer than 10 people and whose annual turnover or annual balance sheet total does not exceed EUR 2 million).

Basic DORA Requirements

In order to protect payment solutions effectively against cyber threats, organisations should apply a number of good practices, which DORA frames as requirements in the following areas:

  • ICT risk management;
  • reporting of major ICT-related incidents to the competent authorities and voluntary notification of significant cyber threats;
  • reporting to competent authorities of major operational incidents or major security incidents related to payments;
  • testing of digital operational resilience;
  • information sharing and analysis in connection with cyber threats and vulnerabilities in this area;
  • measures to ensure proper risk management by external ICT service providers;
  • requirements for contracts concluded between external ICT service providers and financial entities;
  • rules on the introduction of oversight over key external ICT service providers providing services to financial entities;
  • rules on cooperation between competent authorities and rules on supervision and enforcement by competent authorities with regard to all matters covered by the regulation.

Conclusions

In light of the dynamic development of digital technologies and the increasing number of cyber threats, financial institutions must continuously improve their risk management and security strategies. The introduction of a regulation such as DORA is a step towards enhancing the financial sector’s resilience to cyber threats. However, a key element of effective protection remains close cooperation between financial institutions, regulators, and technology providers.

Cybersecurity is not only about technology, but also about appropriate procedures and user and employee awareness, which together can effectively counteract threats.

The article is based on a webinar conducted on 21 October 2024 by attorney-at-law Monika Macura, on the topic of basic threats, regulations, and good practices in the field of cybersecurity for financial institutions. The full recording of the webinar “Cybersecurity in Payment Solutions” is available on the YouTube channel.
