Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2


Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

Opening statement

Vodafone welcomes the opportunity to respond to the EBA’s draft regulatory technical standards (RTS) on customer authentication and secure communication. The RTS will play an important role in shaping competitive and innovative payment security solutions under PSD2. As such, it is critical that they fulfil the objectives laid down under PSD2, ensuring an appropriate level of security in a technology-neutral way that fosters the development of user-friendly, accessible and innovative means of payment.
We welcome the EBA’s commitment to these principal goals. As highlighted in Vodafone’s response to the EBA’s discussion paper, we are committed to ensuring authentication practices that meaningfully advance the security of payment transactions, enhance customer protection, and promote innovation in Europe through our payment service offerings, such as M-Pesa in Romania. M-Pesa is a payment service designed to facilitate low-value transactions for individuals at the bottom of the economic pyramid and to support financial inclusion. As such, M-Pesa is primarily used on ‘feature’ phones, using the very secure Unstructured Supplementary Service Data (USSD) channel for payment transactions.
Low-risk services like M-Pesa require a risk-based and tailored authentication framework. A mandatory requirement for one-time codes and dynamic linking will negatively affect these services and ultimately restrict investment and competition from alternative payment providers at this end of the market. We thus call upon the EBA to ensure that services such as M-Pesa are exempted from these requirements. Further, we are concerned by the EBA’s proposals, which would impose a significantly narrowed low-value threshold exemption and differentiate between contactless electronic payment transactions at a point of sale and remote electronic payment transactions. Introducing different transaction limits will amount to less transparency for consumers, and the proposed individual and cumulative exemption limits will inevitably curtail innovation across Europe. Vodafone thus urges the EBA to take a wider approach that considers exemptions for low-risk technology solutions such as M-Pesa, and to revise the envisaged transaction limits so that the requirements for contactless and remote electronic payment transactions are aligned, in line with the provisions set out under PSD2.

Response to Question 1:
Vodafone’s M-Pesa service ensures strong customer authentication based on the use of two elements, categorised as knowledge (something only the user knows: a PIN) and possession (something only the user possesses: a mobile phone with a registered SIM card). In the spirit of technological neutrality and innovation, we do not believe that a one-time code is required to ensure strong customer authentication. Moreover, we see the risk that the proposed guidelines unnecessarily restrict innovative, secure payment services such as M-Pesa, and urge the EBA to review and revise the proposed guidelines in this respect.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

Considering the wide range of options to ensure secure transactions, Vodafone suggests a more open-ended approach with respect to “dynamic linking”. As outlined above, Vodafone does not see additional security benefits in an independent or segregated channel, mobile application or device used for initiating the payment, in particular in the context of payment solutions transacted through a mobile device. Today, Vodafone uses a two-step authentication process and a very secure transaction channel (USSD) to protect customers against fraud and other security attacks. In a 3G mobile network environment the channel is encrypted and is considered to be extremely resilient against any form of attack. In a 2G environment, we understand that an attack would be extremely costly and require expert knowledge, as the attacker would need to emulate a cell tower for every single transaction. Considering the low-value transaction nature of Vodafone’s M-Pesa service, our security experts consider the risk of an attack in a 2G context to be very low.
In the context of M-Pesa or similar services, where an e-money transaction can only be initiated by using an enrolled device (a mobile phone with a registered SIM card) with the customer inputting their PIN, a service-based rather than a transaction-based approach seems most appropriate. Dynamic linking and segregation requirements are certainly not supportive of ‘technology and business-model neutrality’, nor do they facilitate the development of ‘user friendly and accessible’ means of payment as PSD2 Art. 98 stipulates. The implementation of these rigid requirements will inevitably render low-margin payment businesses like M-Pesa unviable, thus limiting service competition and innovation. We therefore urge the EBA to review the draft RTS to ensure a more proportionate approach to dynamic linking requirements.

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?

We agree with the EBA’s assessment in relation to the threats identified in Articles 3, 4 and 5 of the draft RTS.

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

Vodafone welcomes the consideration of exemptions from the application of Article 97. However, the proposed scope of exemptions falls short of the risk-based approach PSD2 mandates in Art. 78(3). Vodafone urges the EBA to take a wider approach that considers exemptions for low-risk technology solutions such as M-Pesa. Further, we call upon the EBA to align the conditions for contactless electronic payment transactions and remote electronic payment transactions, which currently appear to be inconsistent with the technology and business-model neutrality guidance set out under PSD2.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

See the response to Question 4.

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?

We agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

We agree with the EBA’s general reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification and information.
However, the conditions set out in Chapter 4, Article 19(4) appear to compromise security by requiring account servicing payment service providers’ technical specifications to be “made available for free and publicly on their website”. While we agree that documentation is important and should be available on legitimate request, we cannot concur with the requirement that confidential documents be made available on a public website. We call on the EBA to revise this proposal in line with the general provisions set out under PSD2.

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

No Vodafone response.

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services?

No Vodafone response.

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieves an appropriate balance between allowing AISPs to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.

We agree with the proposed limit of no more than two times a day.

Please select which category best describes you and/or your organisation

Other

If you selected "Other", please provide details

Telecommunications services provider

Please select which category best describes the services provided by you/your organisation

Execution of payment transactions

Name of organisation

Vodafone Group PLC