Published and draft legislation - Colombia

Update of minimum security requirements

Draft regulation

Colombia’s Financial Authority, the SFC, has published draft regulations to update the minimum security and quality procedures required when making transactions, and also to incorporate the terms “face-to-face sale”, “remote sale” and “payment gateway and payment processor administrators”.

These new instructions set the minimum-security requirements that credit establishments and low-value payment system administrators must meet when carrying out remote sales that are linked to merchants’ establishments or to payment gateways and payment processors.

On the subject of these new definitions, this draft regulation indicates that “face-to-face sale” is understood to be one in which the financial consumer and the supplier of goods and/or services are physically present during the commercial transaction. In this case, the transaction data are taken with a credit or debit card or by using the electronic device that hosts them.

The term “remote sale” is defined as one in which the financial consumer and the supplier of goods and/or services do not physically interact with one another during the commercial transaction.

Finally, “payment gateway and payment processor administrators” are defined as institutions that supply electronic trading application services to store, process and/or transmit the payment data corresponding to online sales transactions during a remote sale.

The regulations lay down specific minimum-security requirements affecting: i) vulnerability analyses, ii) the communication system, and iii) authentication mechanisms.

All three types of sale have to be carried out by regulated institutions that enable customers to execute online orders to transfer funds, buy, sell or transfer securities, or issue insurance policies through remote access systems, the internet or mobile devices.

Instant messaging or any other similar means of communication have been added to the list of permissible channels through which financial consumers can be sent confidential information.

The draft regulation indicates that when ATMs and credit-card terminals are used, one of the authentication mechanisms specified in the regulation must be employed, except when using cards that are not required to comply with the EMV standard (chip), in which case a second authentication factor must be established. For transactions made online, strong authentication mechanisms must be applied. Finally, the regulation provides for the use of the Mobile Banking channel through mobile device applications.

Lastly, this set of draft regulations requires contracts between credit establishments and merchants and payment gateway administrators, in which the merchants and administrators accept their responsibility to:

  • Have PCI DSS certification, version 3.0 or later
  • Have a personal data processing policy
  • Adopt mechanisms to authenticate the financial consumer
  • Have an anti-money laundering and financing of terrorism risk management policy in place
  • Run information campaigns on operational security measures
  • Inform the financial consumer about the payment procedure before continuing