Jurisdictions / EU Payments
EU Payments Cryptography (PSD2, DORA, PCI DSS)
The EU Payments overlay layers payment-specific cryptography rules on top of the authority baselines: 6 jurisdiction rules scoped to EU payment infrastructure and cardholder data, tagged against PSD2, DORA and PCI DSS 4.0. Activate it together with the BSI and ANSSI channels for the full EU payments posture.
What the overlay adds
- PSD2: strong-cryptography expectations around authentication and communication in payment services
- DORA: ICT-risk management evidence for financial entities, where a current cryptographic inventory is the concrete artifact supervisors can check
- PCI DSS 4.0: strong cryptography for cardholder data at rest and in transit, and the requirement 12.3.3 cipher-suite inventory
- Overlay model: jurisdiction rules layer on top of active authority channels instead of replacing them
Recommended activation
EU payments and FinTech organizations activate BSI + ANSSI as the authority base (both NIS2-tagged) plus this overlay. Findings then carry the payment-framework tags a supervisor or QSA expects, and the PCI-DSS deep dive covers the cardholder-data specifics, including the automated 12.3.3 inventory.
Frequently asked questions
Does this overlay replace a PCI DSS assessment?
No. It grades your cryptography against the payment frameworks and produces the evidence (inventory, findings, file:line). The assessment process itself stays with your QSA; DORA supervision stays with your authority.
How do DORA and this overlay fit together?
DORA demands managed ICT risk with demonstrable control over cryptographic assets. The recurring CBOM plus per-finding framework tags is the concrete, checkable artifact that satisfies the cryptography slice of that expectation.
What exactly is a jurisdiction overlay?
A rule layer that sits on top of the authority channels you activate. Authorities define the algorithm baseline; overlays add region- and sector-specific requirements without duplicating the base rules.