Response to discussion on RTS on strong customer authentication and secure communication under PSD2
1. With respect to Article 97(1) (c), are there any additional examples of transactions or actions implying a risk of payment fraud or other abuses that would need to be considered for the RTS? If so, please give details and explain the risks involved.
Payment fraud can also occur with fraudulent merchants. For acquirers and merchant service providers, professional merchant fraud among smaller merchants can be very difficult to detect quickly.
One may also consider biometric theft. You can easily replace a stolen card or a password, but you cannot change or replace your fingerprints.
2. Which examples of possession elements do you consider as appropriate to be used in the context of strong customer authentication, must these have a physical form or can they be data? If so, can you provide details on how it can be ensured that these data can only be controlled by the PSU?
A card – but also card data in a secure element of a smartphone, or a token in a secure environment. Especially for the POS environment we recommend the use of the established EMV Chip & PIN of the (debit) payment cards. This facility, present on every (debit) payment card in the EU, should be opened up for use not only within the card system to authorize the card payment transaction: this access should also be granted for use in the context of SCA (at the POS).
Another aspect could be: is it enough to fulfil strong authentication on the basis of a signature combined with biometric elements like pressure and speed? Signature = knowledge of the signature + handwriting + biometric reference (pressure and speed).
4. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to the independence of the authentication elements used (e.g. for mobile devices)?
Are the physical mobile device and a fingerprint ID on this device independent? This should be clarified, also considering regulatory trends in the Americas (e.g. USA) and Asia (e.g. Singapore).
7. Do you consider the clarifications suggested regarding the potential exemptions to strong customer authentication, to be useful?
Who defines what “low risk” is? The acceptable risk appetite can vary strongly between merchant codes, products, delivery addresses, transaction frequencies, transaction amounts, and among payers from different countries (e.g. Italy vs. Finland).
Art 74 (2) PSD II is sufficient in describing exemptions since it allows companies to independently offer a multitude of different services “based on own risk consideration”. This is a core issue in regard to competition and innovation.
Any list of exclusions would be a minus to market development and innovation. If there is a need to introduce a list, then this list shall not be final - only explanatory.
Consider also providing the possibility of risk settings on the customer side. The customer might want to carry a little more manageable risk in exchange for usability, e.g. settings enabling NFC payments up to 100 € without PIN.
Customer choice and risk management are also applied in xs2a, which enables the customer to take decisions towards usability by giving access to his account information.
8. Are there any other factors the EBA should consider when deciding on the exemptions applicable to the forthcoming regulatory technical standards?
EBA should also consult the EU competition authorities and major market participants on the market effects of any specific exception.
If a list of exceptions is included, then it should leave enough room for yet unforeseen developments.
9. Are there any other criteria or circumstances which the EBA should consider with respect to transaction risks analysis as a complement or alternative to the criteria identified in paragraph 45?
In a typical multiparty card system, who shall do the transaction analysis – only the issuer, any service provider in between, only the acquirer – or all entities individually?
In general, there should be the principle: the entity that does the analysis should also decide on the risk measures and should also bear the financial consequences of the risk decision.
Proper transaction analysis and risk management should enable the PSP to offer payment initiation also without strong authentication and without a liability shift. This kind of risk management is widely used in card payments, based on customer behaviour and other backend tools.
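As an added illustration (not part of this response, and not any PSP's real decision engine) of the three points raised in questions 7 to 9: customer-side risk settings such as a no-PIN contactless limit, transaction risk analysis against the payer's own behaviour, and the principle that the entity making the risk decision carries its consequences. The merchant codes, thresholds and the "three times the usual amount" rule are constructed assumptions chosen for the example.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class Transaction:
    amount_eur: float
    merchant_code: str
    country: str
    contactless: bool = False

@dataclass
class CustomerRiskSettings:
    # Customer-chosen usability/risk trade-off (hypothetical): NFC up to 100 EUR without PIN
    no_pin_limit_eur: float = 100.0
    no_pin_count_limit: int = 5   # consecutive no-PIN contactless payments before a PIN is forced

@dataclass
class Decision:
    sca_required: bool
    reasons: list
    liable_party: str   # the entity that made the risk decision bears its consequences

HIGH_RISK_MCC = {"7995", "6051"}   # constructed sample of merchant codes, not from the page

def assess(tx, history, settings, analysing_entity="issuer"):
    """Decide whether SCA can be waived for tx, using merchant/country risk, the payer's own
    history (behavioural analysis) and the customer's settings. Simplified illustration."""
    reasons = []
    if tx.merchant_code in HIGH_RISK_MCC:
        reasons.append("high-risk merchant code")
    usual_countries = {h.country for h in history}
    if history and tx.country not in usual_countries:
        reasons.append("unusual country for this payer")
    if history and tx.amount_eur > 3 * mean(h.amount_eur for h in history):
        reasons.append("amount far above payer's usual spending")
    consecutive_no_pin = 0   # how many low-value contactless payments ran since the last PIN entry
    for h in reversed(history):
        if h.contactless and h.amount_eur <= settings.no_pin_limit_eur:
            consecutive_no_pin += 1
        else:
            break
    low_value_contactless = tx.contactless and tx.amount_eur <= settings.no_pin_limit_eur
    if low_value_contactless and consecutive_no_pin >= settings.no_pin_count_limit:
        reasons.append("no-PIN contactless counter exhausted")
    if not reasons and low_value_contactless:
        return Decision(False, ["customer setting: low-value contactless"], analysing_entity)
    if not reasons and history:   # exemption via transaction risk analysis, no liability shift
        return Decision(False, ["transaction risk analysis: consistent with behaviour"], analysing_entity)
    if not reasons:
        reasons.append("no behavioural history to rely on")
    return Decision(True, reasons, "n/a (SCA performed)")
```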
14. Can you indicate the segment of the payment chain in which risks to the confidentiality and integrity of users’ personalised security credentials are most likely to occur at present and in the foreseeable future?
In many modern technical payment architectures, the weakest segment seems to be the payment service user, which means that the consumer might give away, intentionally or unintentionally, any PINs, TANs or passwords to the wrong recipients (social engineering, man-in-the-middle attacks and more).
15. For each of the topics identified under paragraph 63 above (a to f), do you consider the clarifications provided to be comprehensive and suitable? If not, why not?
It should be further clarified if and how these open standards shall also apply in the card business.
17. In your opinion, are there any standards (existing or in development) outlining aspects that could be common and open, which would be especially suitable for the purpose of ensuring secure communications as well as for the appropriate identification of PSPs, taking into consideration the privacy dimension?
In the EU we already have the EMV Chip & PIN technology available on each (debit) payment card, already rated as SCA-compliant. In order to enable direct access to the account underlying the card or to the PSC, it should be considered to additionally store the account number (IBAN) in each of these (debit) payment cards (in the card chip memory), as the IBAN is the well-established SEPA-wide unique account identifier. This should be made obligatory for each issuer of a (debit) payment card in the EU.
If card issuers were also obliged to open up the use of Chip & PIN (together with an open read-out of the IBAN), at a minimum to PSPs like PIS / AIS providers, then these PSPs would be able to address the account of the cardholder, fully secured by the cardholder and the Chip & PIN technology, and this would enable the market to develop new payment products in the sense of PSD2.
If for any reason storing the IBAN in a payment card is not feasible, it should be taken into consideration to set the proper conditions to make sure that xs2a is also available through EMV Chip & PIN in the conception of DCSI, by making it possible to directly address the account from the data already stored in the EMV chip – so that the IBAN can be collected at the account.
19. Do you agree that the e-IDAS regulation could be considered as a possible solution for facilitating the strong customer authentication, protecting the confidentiality and the integrity of the payment service users’ personalised security credentials as well as for common and secure open standards of communication for the purpose of identification, authentication, notification, and information? If yes, please explain how. If no, please explain why.
In the past 20 years, many e-ID services and e-ID projects for consumers in Europe were a commercial flop. Some banking e-ID services, especially in Scandinavia, were considered to be successful. A better worldwide analysis of the success factors should be performed before any regulatory action is considered.
Banks already identify their customers. With the corresponding banking card the customer has a very secure authentication tool. The EMV Chip & PIN standard provides strong authentication via knowledge (PIN) + possession (the card/chip). Within DCSI, Chip & PIN in addition to xs2a could provide the interface and API for e-ID services.