Response to discussion on RTS on strong customer authentication and secure communication under PSD2
1. With respect to Article 97(1) (c), are there any additional examples of transactions or actions implying a risk of payment fraud or other abuses that would need to be considered for the RTS? If so, please give details and explain the risks involved.
N/A to Klarna AB
2. Which examples of possession elements do you consider as appropriate to be used in the context of strong customer authentication, must these have a physical form or can they be data? If so, can you provide details on how it can be ensured that these data can only be controlled by the PSU?
Firstly, Klarna would state that the availability of user-friendly and secure payment methods on the internet is essential for the success of e-commerce in Europe.
In the context of strong customer authentication, Klarna’s position is that data, and not only physical devices, can also fulfill the possession element of SCA. Most data that is known to be in the possession of an individual PSU – either standalone or in combination – can fulfill the possession requirement in a secure manner.
As with e.g. device recognition, data can generally be used as an element of authorization, often as one element among others. Different data carries different strengths in an authorization model. Data, or combinations of data, may serve as strong elements of authorization, just as other possession elements, depending on type and quality of data, analytical methods used, and combination with other data or authorization elements. Therefore, not merely data that can solely be controlled by the PSU, but also data, or combinations of data, that cannot solely be controlled by the PSU may form part of a strong authentication method.
Below we have listed some examples that in our experience provide data-based authentication in the control or “possession” of the PSU:
● Personal identification number
○ Many European countries offer a personal identification number (for example, in Sweden it is called “personnummer”) that differentiates between online and offline service uses for identification purposes and also serves as a resource for registration in different data registers. In the Swedish market, Klarna uses the “personnummer” as one parameter in the credit assessment of consumers.
● Registered address of PSU
○ Officially registered database
○ Address of PSU previously registered by the provider
● One-time passwords sent to the user’s device (OTPs), e.g.:
○ SMS codes
○ Email codes
● Email confirmation links
● Verification through another online linked account, e.g. Facebook, Google, LinkedIn or similar.
○ Authentication through an external user account which only the PSU can access should fulfill the possession requirement. Technological evolution of such solutions that link online accounts should be provided for in the future development and interpretation of the possession requirement.
● Stored payment mandates in combination with payment credentials connected to the payment instrument provided by the PSU in a secure manner to initiate the transaction.
More generally, we would highlight that operating with a physical device (e.g. a token or smart card) is not practical for the current generation of online consumers, nor for the future generation, as it requires that the device has an established market penetration. To promote competition, and in order to contribute to the development of a secure and innovative mobile and internet payments market in Europe, the operating conditions for existing and new market players must be equal, and the payment service user must have access to authentication measures that have a broad market penetration.
3. Do you consider that in the context of “inherence” elements, behaviour-based characteristics are appropriate to be used in the context of strong customer authentication? If so, can you specify under which conditions?
Behaviour analysis is most certainly a current and future possibility to leverage if you have the tools, expertise, algorithms or engines to execute it. However, we do not deem it helpful or practical to define explicit conditions for behaviour analysis, as its nature is dynamic and innovation in this space should not be constrained by regulation. The EBA regulatory technical standards should strive to ensure that they do not block the use of secure current or future authentication methods based on behaviour (or other methods) which are quickly developing in the online market place and may be as reliable as other traditional/known methods, or potentially even more reliable.
With regard to the digital developments and the Digital Agenda for Europe, it is important to recognise that “inherence” needs to include the possibility to process a wide variety of data beyond pure biometric data in order to enable digital services across a wide community of users and products.
Furthermore, we would underline that providers such as Klarna, who are in control of and responsible for the ecommerce purchasing flow, and who furthermore take on risk on behalf of both the consumer and the merchant, are in a strong position to exercise and oversee behavior analysis as part of the inherence requirement under strong customer authentication.
Examples of behavior analysis could include, but are not limited to:
● Shopping and spending pattern of the PSU
● The pace of adding to basket and typing details
● Keystroke dynamics such as the use of copy/paste, scroll flow and click pattern
Behavior analysis is a concrete way to identify and detect fraud and can be vital in authenticating and identifying PSUs. Therefore, Klarna believes that behavior-based analytics qualifies as a measure to fulfill the SCA inherence requirement. The wording and definition of behaviour analysis in any future regulatory technical standards should include language to ensure that the standards will accommodate dynamic developments and innovation in technology standards.
Klarna recognizes the increasing interest in, and technology around, the inherence requirement as defined in the “EBA Final guidelines on the security of internet payments”, dated 19 December 2014, section 12 “definitions”, page 11: “something the user is”, e.g. a biometric characteristic, such as a fingerprint (...). However, Klarna would highlight that products that can capture fingerprints and other physical biometric characteristics online are highly specialized and not necessarily widely available in the online community. Therefore, Klarna believes in this regard that it is challenging to achieve the inherence requirement as it is defined today in the EBA Final Guidelines on the security of internet payments for real-time authentication. However, if you are a provider or manufacturer of such specialized products intended, or partly intended, to identify based on biometric characteristics, then it does make sense as long as there exists a fair level playing field for all market players globally. Therefore, there is a competitive and innovation aspect for the EBA to be mindful of when determining the requirements and regulatory technical standards for the inherence element, in order not to limit the definition to specific methods or currently used technology.
There is also a data protection perspective to pay attention to. Processing sensitive data places higher demands on security measures. The new Data Protection Regulation puts forward high security requirements on the use of biometric data, which will not be true for other kinds of data such as certain behaviour-based characteristics. Minimising the need to use sensitive biometric data, by including behavioural data in an appropriate manner as part of the inherence requirement, would be in the interest of both the customer and the provider, and in line with the European data protection regime.
4. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to the independence of the authentication elements used (e.g. for mobile devices)?
With regard to the independence of the authentication elements, we find it problematic that data delivered to a device is subject to the independence requirement for the SCA elements, as the elements thereby mutually exclude each other. In the example given, the mobile device (the possession element) renders the code (the knowledge element) sent to that device insufficient.
There are however ways of ensuring that a one time password (OTP) generated on a mobile device can have a high level of security, for example in the case where the PSU has pre-registered their phone number, or it is a known PSU. Furthermore, consumers are familiar with this procedure as part of SCA when transacting online.
Indeed, we are seeing a continuing market trend towards “mobile” and therefore feel confident that even more secure mobile authentication solutions will be developed. The PSD2 regulatory technical standards should allow such a margin for future innovation in developing standards in relation to the independence of the SCA requirements.
5. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to dynamic linking?
One of the challenges that Klarna has identified for fulfilling the objectives of dynamic linking is the case of recurring transactions, for example a subscription-based business model. Some product categories, e.g. gaming, food and transportation, operate with recurring direct debits or recurring card transactions which the PSU actively consents to at the time of sign-up to the subscription service with the merchant; however, the amount of the recurring purchase can vary from month to month or week to week, depending on the product. An example of this is a transportation merchant that offers a “pay-as-you-go” service to its consumers, where the amount for the total tickets purchased is withdrawn monthly.
In view of the difficulties noted in the example above, Klarna would therefore welcome that the regulatory technical standards incorporate exemptions in regard to dynamic linking where appropriate. For recurrent direct debits or card transactions it is relevant to have exemptions to strong customer authentication/dynamic linking for payment initiations without knowing the transaction amount up front. The exemption also needs to allow for future innovation in both new channels as well as consumer goods. (Please see question 8 where this is also addressed.)
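To make the dynamic linking challenge concrete, here is an added illustration (not Klarna's code, nor any scheme the response describes) of a transaction-bound one-time code: the code is an HMAC over the exact amount and payee the PSU sees, under a device secret assumed to be shared at enrolment, so a code issued for one amount cannot authorise a debit of a different amount, which is exactly why a variable-amount recurring debit cannot be linked at sign-up. The secret, payee name and counter handling are constructed for the demo.

```python
"""Transaction-bound one-time code (dynamic linking) illustration.

Added example, not the response's or Klarna's own code. Assumes the PSU's
device and the server share a secret established at enrolment, and that the
device keeps a counter so each code is single-use.
"""
import hashlib
import hmac
import struct


def _link_message(amount_cents: int, payee: str, counter: int) -> bytes:
    # Length-prefix the payee so that (amount, payee) cannot be re-split
    # into a different pair that serialises to the same bytes.
    payee_bytes = payee.encode("utf-8")
    return (struct.pack(">Q", amount_cents)
            + struct.pack(">H", len(payee_bytes)) + payee_bytes
            + struct.pack(">Q", counter))


def dynamic_link_code(secret: bytes, amount_cents: int, payee: str,
                      counter: int, digits: int = 6) -> str:
    """Code the PSU's device shows next to "Pay <amount> to <payee>"."""
    mac = hmac.new(secret, _link_message(amount_cents, payee, counter),
                   hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226, section 5.3) to a short code.
    offset = mac[-1] & 0x0F
    value = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
             | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{value % 10 ** digits:0{digits}d}"


class LinkVerifier:
    """Server side: recomputes the code from the transaction it is about to
    execute, so a code only verifies for the amount and payee the PSU saw.
    A monotonically increasing counter stops a used code being replayed."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_counter = -1

    def verify(self, amount_cents: int, payee: str, counter: int,
               code: str) -> bool:
        if counter <= self._last_counter:
            return False  # replay of an already-consumed code
        expected = dynamic_link_code(self._secret, amount_cents, payee, counter)
        if not hmac.compare_digest(expected, code):
            return False  # amount or payee differ from what was approved
        self._last_counter = counter
        return True


def demo() -> dict:
    """Walk through approval, replay, tampering and the recurring-amount case."""
    secret = b"constructed-enrolment-secret-for-demo"  # constructed sample
    device_counter = 7                                   # constructed sample
    # PSU approves "Pay 49.90 to Transport AB" and reads the code off the device.
    code = dynamic_link_code(secret, 4990, "Transport AB", device_counter)
    server = LinkVerifier(secret)
    return {
        "approved": server.verify(4990, "Transport AB", device_counter, code),
        # Same code presented again for a second payment: rejected.
        "replayed": server.verify(4990, "Transport AB", device_counter, code),
        # Amount altered in transit after approval: rejected.
        "amount_tampered": LinkVerifier(secret).verify(
            5990, "Transport AB", device_counter, code),
        # Payee altered in transit after approval: rejected.
        "payee_tampered": LinkVerifier(secret).verify(
            4990, "Other Payee", device_counter, code),
        # Pay-as-you-go subscription: next month's debit is 62.50, so the code
        # approved at sign-up for 49.90 cannot cover it without a new SCA.
        "next_month_variable_amount": LinkVerifier(secret).verify(
            6250, "Transport AB", device_counter, code),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:>28}: {'accepted' if ok else 'rejected'}")
```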
6. In your view, which solutions for mobile devices fulfil both the objective of independence and dynamic linking already today?
In the ecommerce eco-system, the whole amount the consumer is paying for their goods must be transparent to them at the time of purchase. A one time password (OTP) generated by a mobile device can connect the transaction to the purchase by, for example, displaying the recipient and the amount.
7. Do you consider the clarifications suggested regarding the potential exemptions to strong customer authentication, to be useful?
In general, Klarna is of the position that the clarifications of the exemptions are useful, and necessary to ensure proportional application of the requirements. It would however not be beneficial, and would inhibit innovation, if the exemptions were defined in a detailed way that in effect narrows their scope. Furthermore, exemptions should be equally applicable to all the relevant parties who seek to utilize them.
Klarna has focused its responses on low value payments and low risk transactions due to the relevancy of these to the technical solutions we provide in the ecommerce space.
Examples of the utilization of these exemptions can be helpful; however, it should be clear from the regulatory technical standards that the list of exempt scenarios is not exhaustive.
● Low value payments
What constitutes a low value payment differs between markets, countries, regions or even cities, based on the financial situation of PSUs. Given general global economic conjunctures such as inflation, annual changes and currency appreciation, it does not make sense to have a standardized and static definition of a low value transaction.
● Low-risk transactions based on transaction risk analysis
We deem it very important that transaction risk analysis is also understood to be a key determinant in terms of requirements around strong customer authentication. However, the regulatory technical standards should not define any detailed criteria, as risk engines, algorithms, rules and assessments differ widely from market to market. Fraudulent transactors can even misuse a disclosed approach to the definition and objective criteria of risk analysis. Instead, there should be a general definition of the level to be achieved based on the transaction risk analysis, which shows that the transaction is in line with the transaction pattern of the customer or which achieves similar results to two factor authentication. Furthermore, as Klarna controls and is responsible for the ecommerce purchasing flow and absorbs the risk on behalf of both the consumer and merchant, Klarna holds the in-house tools, expertise, algorithms and technology to exercise the exemption on the basis of risk analysis in a secure manner.
Additionally, we would suggest that in some cases one factor authentication could potentially be sufficient if supported by something else, e.g. transaction risk analysis, e.g. if the provider takes the risk on behalf of the PSU for the transaction, or data that shows that e.g. the fraud risk is low.
8. Are there any other factors the EBA should consider when deciding on the exemptions applicable to the forthcoming regulatory technical standards?
Klarna is of the position that exemptions in regard to dynamic linking are appropriate as outlined in question 5, as well as the exemptions to strong customer authentication in regard to risk analysis as outlined in question 7. However, exemptions should be applicable to all market players equally and where appropriate.
9. Are there any other criteria or circumstances which the EBA should consider with respect to transaction risks analysis as a complement or alternative to the criteria identified in paragraph 45?
The criteria identified in paragraph 45 in order to describe the criteria for transaction risk analysis seem reasonable to us. It is, however, important that the criteria are not exhaustive, but are left open in order to allow for technological developments and progress over time. Furthermore, it is dangerous to limit the criteria to certain listed information, as this could also be misused by those acting with negative intent.
The forthcoming regulatory technical standards must also allow for new solutions which fall outside of the definition of strong authentication but achieve equal or better results (without putting more risk or liability on the PSU). This mechanism could be a standalone exemption criterion. This is in line with section 18 of the discussion paper, and fundamental to ensure that the rules promote instead of hamper innovation. A potentially helpful way to address this issue would be for the EBA to consider providing clarification in its future regulatory technical standards as to which kind of capabilities and minimum set of information are required for such tools to reliably evaluate the risk of a transaction. The definition of the minimum set of information required should be left open to technological developments and progress over time.
To clarify, therefore, that (a)-(c) in paragraph 45 are non-exhaustive, an item “(d)” could be added to state “or other data, information or method relevant for the risk analysis” (or similar wording).
10. Do you consider the clarification suggested regarding the protection of users’ personalised security credentials to be useful?
N/A to Klarna AB
11. What other risks with regard to the protection of users’ personalised security credentials do you identify?
N/A to Klarna AB
12. Have you identified innovative solutions for the enrolment process that the EBA should consider which guarantee the confidentiality, integrity and secure transmission (e.g. physical or electronic delivery) of the users’ personalised security credentials?
N/A to Klarna AB
13. Can you identify alternatives to certification or evaluation by third parties of technical components or devices hosting payment solutions, to ensure that communication channels and technical components hosting, providing access to or transmitting the personalised security credential are sufficiently resistant to tampering and unauthorized access?
N/A to Klarna AB
14. Can you indicate the segment of the payment chain in which risks to the confidentiality, integrity of users’ personalised security credentials are most likely to occur at present and in the foreseeable future?
N/A to Klarna AB
15. For each of the topics identified under paragraph 63 above (a to f), do you consider the clarifications provided to be comprehensive and suitable? If not, why not?
N/A to Klarna AB
16. For each agreed clarification suggested above on which you agree, what should they contain in your view in order to achieve an appropriate balance between harmonisation, innovation while preventing too divergent practical implementations by ASPSPs of the future requirements?
N/A to Klarna AB
17. In your opinion, is there any standards (existing or in development) outlining aspects that could be common and open, which would be especially suitable for the purpose of ensuring secure communications as well as for the appropriate identification of PSPs taking into consideration the privacy dimension?
As a principle, the regulatory technical standards should be technically neutral and agnostic. They should promote an open and secure global technical framework equal for all relevant parties. HTTPS, SSL and TLS standards are examples of omnipresent solutions that deliver a proven technical standard for the purpose of “identification, authentication, notification and information, as well as for the implementation of security measures”, according to Art. 98 (1d) PSD2.
In this regard, we would refer the EBA to the Sofort GmbH position, which notes the value in particular of HTTPS. Indeed, Sofort has been using this open standard for over 10 years to securely and successfully carry out PIS for consumers across Europe. Klarna would endorse HTTPS for use under the Common and Open Standards of Communication as it supports the goals of PSD II. Furthermore, we would support Sofort in its request that the requirements the EBA will develop exclude standards that are neither common nor open and that restrict the functionality of PIS and AIS.
Indeed, Klarna fully supports the integration of payment integration services (PIS) such as Sofort and account integration services (AIS) within the Payment Services Directive II - Directive 2015/2366. It is vital that market players hold the credibility and robustness that regulation offers, in order to ensure consumers see players such as SOFORT as trustworthy and reliable. It is equally vital that PIS compete on the same terms as other players in the market in order to drive efficiency, competition and innovation. More specifically, it is important that PIS can rely on the authentication procedures used by banks, and that any exemptions to the strong customer authentication requirement equally apply to PIS and AIS. Klarna believes that the revised Payment Services Directive, incorporating new players such as SOFORT, once in place will support the advancement of a competitive, dynamic, open and secure payments market in Europe, securing the role of European start-ups, innovators, incumbents and incoming players in Europe’s payments space and providing direct and strong competition for incoming players from other markets such as the USA and China.