Response to discussion on RTS on strong customer authentication and secure communication under PSD2


1. With respect to Article 97(1) (c), are there any additional examples of transactions or actions implying a risk of payment fraud or other abuses that would need to be considered for the RTS? If so, please give details and explain the risks involved.

N/A to Klarna AB

2. Which examples of possession elements do you consider as appropriate to be used in the context of strong customer authentication, must these have a physical form or can they be data? If so, can you provide details on how it can be ensured that these data can only be controlled by the PSU?

Firstly, Klarna would state that the availability of user-friendly and secure payment methods on the internet is essential for the success of e-commerce in Europe.

In the context of strong customer authentication, Klarna’s position is that data, not only physical devices, can also fulfil the possession requirement of SCA. Most data that is known to be in the possession of an individual PSU, either standalone or in combination, can fulfil the possession requirement in a secure manner.

As with, for example, device recognition, data can generally be used as an element of authorization, often as one element among others. Different data carries different strength in an authorization model. Data, or combinations of data, may serve as strong elements of authorization, just as other possession elements do, depending on the type and quality of the data, the analytical methods used, and the combination with other data or authorization elements. Therefore, not merely data that can be controlled solely by the PSU, but also data, or combinations of data, that cannot be controlled solely by the PSU may form part of a strong authentication method.

Below we have listed some examples that, in our experience, provide data-based authentication under the control or “possession” of the PSU:

● Personal identification number
○ Many European countries offer a personal identification number (in Sweden, for example, it is called “personnummer”) that is used for identification purposes in both online and offline services and also serves as a key for registration in different data registers. In the Swedish market, Klarna uses the “personnummer” as one parameter when making the credit assessment of consumers.
● Registered address of PSU
○ Officially registered database
○ Address of PSU previously registered by the provider
● One-time passwords sent to the user’s device (OTPs), e.g.:
○ SMS codes
○ Email codes
● Email confirmation links
● Verification through another linked online account, e.g. Facebook, Google, LinkedIn or similar.
○ Authentication through an external user account which only the PSU can access should fulfil the possession requirement. The technological evolution of such solutions that link online accounts should be provided for in the future development and interpretation of the possession requirement.
● Stored payment mandates in combination with payment credentials connected to the payment instrument provided by the PSU in a secure manner to initiate the transaction.

More generally, we would highlight that operating with a physical device (e.g. a token or smart card) is not practical for the current generation of online consumers, nor for the future generation, as it requires that the device has an established market penetration. To promote competition, and in order to contribute to the development of a secure and innovative mobile and internet payments market in Europe, the operating conditions for existing and new market players must be equal, and the authentication measures must be accessible to the payment service user and have broad market penetration.

3. Do you consider that in the context of “inherence” elements, behaviour-based characteristics are appropriate to be used in the context of strong customer authentication? If so, can you specify under which conditions?

Behaviour analysis is most certainly a current and future possibility to leverage if you have the tools, expertise, algorithms or engines to execute it. However, we do not deem it helpful or practical to define explicit conditions for behaviour analysis, as the nature of this field is dynamic and innovation in this space should not be constrained by regulation. The EBA regulatory technical standards should strive to ensure that they do not block the use of secure, current or future authentication methods based on behaviour (or other methods), which are developing quickly in the online marketplace and may be as reliable as other traditional or known methods, or potentially even more reliable.

With regard to the digital developments and the Digital Agenda for Europe, it is important to recognise that “inherence” needs to include the possibility to process a wide variety of data beyond pure biometric data, in order to enable digital services across a wide community of users and products.

Furthermore, we would underline that providers such as Klarna, who are in control of and responsible for the e-commerce purchasing flow and who furthermore take on risk on behalf of both the consumer and the merchant, are in a strong position to exercise and oversee behaviour analysis as part of the inherence requirement under strong customer authentication.

Examples of behaviour analysis could include, but are not limited to:
● Shopping and spending pattern of the PSU
● The pace of adding to basket and typing details
● Keystroke dynamics such as the use of copy/paste, scroll flow and click pattern

Behaviour analysis is a concrete way to identify and detect fraud and can be vital in authenticating and identifying PSUs. Therefore, Klarna believes that behaviour-based analytics qualifies as a measure to fulfil the SCA inherence requirement. The wording and definition of behaviour analysis in any future regulatory technical standards should include language ensuring that the standards will accommodate dynamic developments and innovation in technology standards.

Klarna recognizes the increasing interest in, and technology around, the inherence requirement as defined in the “EBA Final guidelines on the security of internet payments”, dated 19 December 2014, section 12 “definitions”, page 11: “something the user is”, e.g. a biometric characteristic, such as a fingerprint (...). Klarna would, however, highlight that products that can capture fingerprints and other physical biometric characteristics online are highly specialized and not necessarily widely available in the online community. Therefore, Klarna believes in this regard that it is challenging to achieve the inherence requirement as it is defined today in the EBA Final Guidelines on the security of internet payments for real-time authentication. However, for a provider or manufacturer of such specialized products intended, or partly intended, to identify users based on biometric characteristics, it does make sense, as long as there exists a fair and level playing field for all market players globally. Therefore, there is a competitive and innovation aspect for the EBA to be mindful of when determining the requirements and regulatory technical standards for the inherence element, in order not to limit the definition to specific methods or currently used technology.

There is also a data protection perspective to pay attention to. Processing sensitive data demands stronger security measures. The new Data Protection Regulation puts forward high security requirements on the use of biometric data, which will not apply to other kinds of data such as certain behaviour-based characteristics. Minimising the need to use sensitive biometric data, by including behavioural data in an appropriate manner as part of the inherence requirement, will be in the interest of both the customer and the provider, and in line with the European data protection regime.

4. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to the independence of the authentication elements used (e.g. for mobile devices)?

With regard to the independence of the authentication elements, we do find it problematic that data delivered to a device is subject to the requirement for independence between the SCA elements, as the elements thereby mutually exclude each other. In the example given, the mobile device (the possession element) renders the code sent to that mobile device (the knowledge element) insufficient.

There are, however, ways of ensuring that a one-time password (OTP) generated on a mobile device can have a high level of security, for example where the PSU has pre-registered their phone number, or where the PSU is already known to the provider. Furthermore, consumers are familiar with this procedure as part of SCA when transacting online.

Indeed, we are seeing a continuing market trend towards “mobile” and therefore feel confident that even more secure mobile authentication solutions will be developed. The PSD2 regulatory technical standards should allow such a margin for future innovation when developing standards in relation to the independence of the SCA elements.

5. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to dynamic linking?

One of the challenges that Klarna has identified for fulfilling the objectives of dynamic linking is the case of recurring transactions, for example in a subscription-based business model. Some product categories, e.g. gaming, food and transportation, operate with recurring direct debits or recurring card transactions to which the PSU actively consents at the time of sign-up to the subscription service with the merchant; however, the amount of the recurring purchase can vary from month to month or week to week, depending on the product. An example is a transportation merchant that offers a “pay-as-you-go” service to its consumers, where the total amount of tickets purchased is withdrawn monthly.

In view of the difficulties noted in the example above, Klarna would therefore welcome that the regulatory technical standards incorporate exemptions with regard to dynamic linking where appropriate. For recurring direct debits or card transactions it is relevant to have exemptions from strong customer authentication and dynamic linking for payment initiations where the transaction amount is not known up front. The exemption also needs to allow for future innovation in both new channels and consumer goods. (Please see question 8, where this is also addressed.)

6. In your view, which solutions for mobile devices fulfil both the objective of independence and dynamic linking already today?

In the e-commerce ecosystem, the full amount the consumer is paying for their goods must be transparent to the consumer at the time of purchase. A one-time password (OTP) generated by a mobile device can connect the transaction to the purchase by, for example, displaying the recipient and the amount.

7. Do you consider the clarifications suggested regarding the potential exemptions to strong customer authentication, to be useful?

In general, Klarna is of the position that the clarifications of the exemptions are useful and necessary to ensure proportional application of the requirements. It would, however, not be beneficial, and would inhibit innovation, if the exemptions were defined in such a detailed way that it in effect narrows their scope. Furthermore, exemptions should be equally applicable to all relevant parties who seek to utilize them.

Klarna has focused its responses on low-value payments and low-risk transactions, given the relevance of these to the technical solutions we provide in the e-commerce space.

Examples of the utilization of these exemptions can be helpful; however, it should be clear from the regulatory technical standards that the list of exempt scenarios is not exhaustive.

● Low-value payments
What counts as a low-value payment differs between markets, countries, regions or even cities, based on the financial situation of PSUs. Given global economic cycles, inflation, annual changes and currency appreciation, it does not make sense to have a standardized and static definition of a low-value transaction.

● Low-risk transactions based on transaction risk analysis
We deem it very important that transaction risk analysis is also understood to be a key determinant in terms of the requirements around strong customer authentication. However, the regulatory technical standards should not define any detailed criteria, as risk engines, algorithms, rules and assessments differ widely from market to market. Fraudulent actors could even misuse a disclosed definition and objective criteria of risk analysis. Instead, there should be a general definition of the level to be achieved by transaction risk analysis: one that shows the transaction is in line with the transaction pattern of the customer, or that achieves results similar to two-factor authentication. Furthermore, as Klarna controls and is responsible for the e-commerce purchasing flow and absorbs the risk on behalf of both the consumer and the merchant, Klarna holds the in-house tools, expertise, algorithms and technology to exercise the exemption on the basis of risk analysis in a secure manner.

Additionally, we would suggest that in some cases one-factor authentication could potentially be sufficient if supported by something else, such as transaction risk analysis, the provider taking on the risk of the transaction on behalf of the PSU, or data that shows that the fraud risk is low.

8. Are there any other factors the EBA should consider when deciding on the exemptions applicable to the forthcoming regulatory technical standards?

Klarna is of the position that exemptions with regard to dynamic linking are appropriate, as outlined in question 5, as are the exemptions from strong customer authentication on the basis of risk analysis, as outlined in question 7. However, exemptions should be applicable to all market players equally and where appropriate.

9. Are there any other criteria or circumstances which the EBA should consider with respect to transaction risk analysis as a complement or alternative to the criteria identified in paragraph 45?

The criteria identified in paragraph 45 to describe transaction risk analysis seem reasonable to us. It is, however, important that the criteria are not exhaustive, but are left open in order to allow for technological developments and progress over time. Furthermore, it is dangerous to limit the criteria to certain listed information, as this could also be misused by those acting with negative intent.

The forthcoming regulatory technical standards must also allow for new solutions which fall outside the definition of strong authentication but achieve equal or better results (without putting more risk or liability on the PSU). This mechanism could be a standalone exemption criterion. This is in line with section 18 of the discussion paper, and is fundamental to ensuring that the rules promote rather than hamper innovation. A potentially helpful way to address this issue would be for the EBA to consider clarifying in its future regulatory technical standards which kinds of capabilities and which minimum set of information are required for such tools to reliably evaluate the risk of a transaction. The definition of the minimum set of information required should be left open to technological developments and progress over time.

To clarify that items (a)-(c) in paragraph 45 are non-exhaustive, an item “(d)” could be added stating “or other data, information or method relevant for the risk analysis” (or similar wording).

10. Do you consider the clarification suggested regarding the protection of users’ personalised security credentials to be useful?

N/A to Klarna AB

11. What other risks with regard to the protection of users’ personalised security credentials do you identify?

N/A to Klarna AB

12. Have you identified innovative solutions for the enrolment process that the EBA should consider which guarantee the confidentiality, integrity and secure transmission (e.g. physical or electronic delivery) of the users’ personalised security credentials?

N/A to Klarna AB

13. Can you identify alternatives to certification or evaluation by third parties of technical components or devices hosting payment solutions, to ensure that communication channels and technical components hosting, providing access to or transmitting the personalised security credential are sufficiently resistant to tampering and unauthorized access?

N/A to Klarna AB

14. Can you indicate the segment of the payment chain in which risks to the confidentiality, integrity of users’ personalised security credentials are most likely to occur at present and in the foreseeable future?

N/A to Klarna AB

15. For each of the topics identified under paragraph 63 above (a to f), do you consider the clarifications provided to be comprehensive and suitable? If not, why not?

N/A to Klarna AB

16. For each agreed clarification suggested above on which you agree, what should they contain in your view in order to achieve an appropriate balance between harmonisation, innovation while preventing too divergent practical implementations by ASPSPs of the future requirements?

N/A to Klarna AB

17. In your opinion, are there any standards (existing or in development) outlining aspects that could be common and open, which would be especially suitable for the purpose of ensuring secure communications as well as for the appropriate identification of PSPs, taking into consideration the privacy dimension?

As a principle, the regulatory technical standards should be technically neutral and agnostic. They should promote an open and secure global technical framework that is equal for all relevant parties. HTTPS, SSL and TLS are examples of omnipresent standards that deliver a proven technical basis for the purpose of “identification, authentication, notification and information, as well as for the implementation of security measures”, according to Art. 98(1)(d) PSD2.

In this regard, we would refer the EBA to Sofort GmbH’s position, which notes the value of HTTPS in particular. Indeed, Sofort has been using this open standard for over 10 years to securely and successfully carry out PIS for consumers across Europe. Klarna would endorse HTTPS for use under the Common and Open Standards of Communication, as it supports the goals of PSD II. Furthermore, we would support Sofort in its request that the requirements the EBA will develop exclude standards that are neither common nor open and that restrict the functionality of PIS and AIS.

Indeed, Klarna fully supports the integration of payment initiation services (PIS), such as Sofort, and account information services (AIS) within the Payment Services Directive II (Directive 2015/2366). It is vital that market players hold the credibility and robustness that regulation offers, in order to ensure that consumers see players such as SOFORT as trustworthy and reliable. It is equally vital that PIS compete on the same terms as other players in the market, in order to drive efficiency, competition and innovation. More specifically, it is important that PIS can rely on the authentication procedures used by banks, and that any exemptions from the strong customer authentication requirement apply equally to PIS and AIS. Klarna believes that the revised Payment Services Directive, incorporating new players such as SOFORT, will once in place support the advancement of a competitive, dynamic, open and secure payments market in Europe. This would secure the role of European start-ups, innovators, incumbents and incoming players in Europe’s payments space and provide direct and strong competition for incoming players from other markets such as the USA and China.

18. How would these requirements for common and open standards need to be designed and maintained to ensure that they are able to securely integrate other innovative business models than the ones explicitly mentioned under Articles 66 and 67 (e.g. issuing of own credentials by the AIS/PIS)?

N/A to Klarna AB

19. Do you agree that the e-IDAS regulation could be considered as a possible solution for facilitating the strong customer authentication, protecting the confidentiality and the integrity of the payment service users’ personalised security credentials as well as for common and secure open standards of communication for the purpose of identification, authentication, notification, and information? If yes, please explain how. If no, please explain why.

N/A to Klarna AB

20. Do you think in particular that the use of “qualified trust services” under e-IDAS regulation could address the risks related to the confidentiality, integrity and availability of PSCs between AIS, PIS providers and ASPSPs? If yes, please identify which services and explain how. If no, please explain why.

N/A to Klarna AB

Name of organisation

Klarna AB

Please select which category best describes you and/or your organisation.

[Other]

If you selected ‘Other’, please provide details

Klarna AB (corporate registration no. 556737-0431) is a Swedish company, whose headquarters are located in Stockholm. Klarna AB is a credit-market company under the supervision of Finansinspektionen (the Swedish Financial Supervisory Authority) and was founded in Stockholm in 2005 with the idea of simplifying buying. Klarna provides a number of products and services to online consumers across Europe and the United States which allow the consumer to receive the goods first and pay afterwards, while Klarna assumes the credit and fraud risks for the merchants. Klarna is one of Europe’s fastest growing companies in the European payments space and in 2015, Klarna also entered the US market. Klarna believes that an increasingly open and competitive payments market in Europe has driven Klarna’s growth and success and enabled Klarna to compete directly with many of the dominant market players. Klarna is one of few European-headquartered firms expanding and competing directly in the US, somewhat in contrast to the many US players operating and expanding here in Europe. The decision to expand in the US was driven by the success and growth Klarna experienced in Europe, across a number of Member States, alongside the opportunity to offer Klarna services to American consumers. In 2014 Klarna acquired SOFORT GmbH, a German online payment company offering Payment Initiation Services (PIS), and formed Klarna Group. Klarna believes that SOFORT GmbH, based in Germany and active for more than ten years, makes a real contribution to the e-commerce market in Europe, to the benefit of European consumers and merchants alike. Having completed over 150 million transactions, SOFORT GmbH facilitates an ever growing community of online shoppers and shops via its Payment Initiation Services (PIS), and PIS have become an important part of e-commerce, driving down transaction costs and fees. Klarna Group is now one of Europe’s leading online payment companies.
With more than 1400 employees, and currently operating in 17 EU Member States and the US, Klarna Group serves close to 50 million consumers and 65000 merchants across Europe, resulting in about half a million transactions every day. Klarna AB takes the opportunity to comment on the PSD II EBA discussion paper on Strong Customer Authentication and Open Standards of Communication given its role as an external technical service provider in the e-commerce and payments space. As a credit-market and technology company operating in the EU e-commerce and payments markets, Klarna believes that an open, competitive and secure payments market in Europe is key for the future development of European players in this area, and ultimately to the benefit of consumers as well as the European economy as a whole. In this regard, Klarna has followed the negotiations at EU level on the revision of the Payment Services Directive with great interest. Klarna Group (Klarna and Sofort together) fully supports and promotes open and common access to a secure and technologically neutral European payments market.