EBA Guidelines on Outsourcing and PCI CPP – An SPA Analysis – October 2021

23 October 2021
Position papers

In February 2019, the European Banking Authority (EBA) published the revised EBA Guidelines on outsourcing arrangements. The goal of the document is to provide financial institutions with recommendations and guidance to properly manage the risk of outsourcing services and activities to third parties.

The document clearly targets IT outsourcing activities in the context of a growing digitalisation of financial services and an increased use of cloud-based infrastructures and services.

Nevertheless, while the EBA Guidelines clearly exclude industrial activities such as the production of payment cards, the broad definition of an outsourced arrangement has led some financial institutions to consider payment card personalization as an outsourced service falling in the scope of the EBA Guidelines.

Indeed, a few banks in Europe use their own facilities, equipment and personnel to personalise the payment cards that they issue.

The Smart Payment Association (SPA) was surprised by this interpretation of the EBA Guidelines because card personalization is more of an industrial activity. Many banks actually procure readily personalised cards, which makes the separation of the personalization service from card production difficult. And, most importantly, the activity of card personalization is already subject to very stringent security requirements defined in the Payment Card Industry Card Production and Provisioning (PCI CPP) standard.

The purpose of this SPA paper is to explain what the PCI CPP standard is and how the evaluation and audits performed to obtain the PCI CPP certification may be used directly by financial institutions to comply with the EBA Guidelines. SPA is confident that this proposed approach will help all parties in scope of the EBA Guidelines to avoid unnecessary cost, time and effort by reusing recognized and neutral third-party audit results while still complying with the Guidelines.
