Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Go back
Article 1, Paragraph 1: Is the call centre under the scope of SCA?
Article 1, Paragraph 2c: How do you define “forged authentication code”?
Article 1, Paragraph 3e(ii) & (iv): Are these applicable to card transactions?
Article 7, Paragraph 1: What does “certified auditors” mean?
Article 2, Paragraph 3: Does the “maximum amount” include fees/exchange rates?
Article 2, Paragraph 4: If batch contains multiple currencies how should the total amount be calculated?
Article 9, Paragraph 1c: How are “tamper-resistant devices and environments” defined?
Article 13, Paragraph b: Assuming that the app will be downloaded by Google Play and Apple Store is any additional digital signature required?
Article 17, Paragraph 1: How is “secure bilateral identification” defined?
Article 20, Paragraph 1: Does any organisation providing qualified certificate for website authentication exist? What if there is no such qualified provider by October 2018?
The roles that a payment service provider may have and the technical requirements for them shall be further analysed in a separate RTS.
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
YesArticle 1, Paragraph 1: Is the call centre under the scope of SCA?
Article 1, Paragraph 2c: How do you define “forged authentication code”?
Article 1, Paragraph 3e(ii) & (iv): Are these applicable to card transactions?
Article 7, Paragraph 1: What does “certified auditors” mean?
Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.
YesArticle 2, Paragraph 3: Does the “maximum amount” include fees/exchange rates?
Article 2, Paragraph 4: If batch contains multiple currencies how should the total amount be calculated?
Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
NoQuestion 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?
Amounts should be substantially raised based on the risk appetite of each organisation. Cumulative should be set daily.Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?
Amounts should be substantially raised based on the risk appetite of each organisation. Cumulative should be set daily.Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?
Assuming that the UserID does not fall under personalized security credentials, we agree.Article 9, Paragraph 1c: How are “tamper-resistant devices and environments” defined?
Article 13, Paragraph b: Assuming that the app will be downloaded by Google Play and Apple Store is any additional digital signature required?
Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?
YesArticle 17, Paragraph 1: How is “secure bilateral identification” defined?
Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?
YesQuestion 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services ?
YesArticle 20, Paragraph 1: Does any organisation providing qualified certificate for website authentication exist? What if there is no such qualified provider by October 2018?
Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieve an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.
YesThe roles that a payment service provider may have and the technical requirements for them shall be further analysed in a separate RTS.