Response to discussion on RTS on strong customer authentication and secure communication under PSD2
1. With respect to Article 97(1)(c), are there any additional examples of transactions or actions implying a risk of payment fraud or other abuses that would need to be considered for the RTS? If so, please give details and explain the risks involved.
Visa Europe considers that the Discussion Paper properly covers the most relevant electronic transactions. Accordingly, there are no other types of electronic transactions or actions that, in the opinion of Visa Europe, need to be included in the Regulatory Technical Standards.

However, Visa Europe would like to draw the attention of the EBA towards the non-electronic means of payment that do not fall under the scope of PSD2.
Visa Europe supports the exemptions of PSD2 and the future Regulatory Technical Standards; these exemptions are essential for the development of innovative and more convenient systems of authentication. Nevertheless, there are a large number of basic payment systems with high risks, e.g. cash on delivery, paper invoices, cheques etc., which because of their simplicity of use or their legacy nature do not fall under the scope of PSD2 and thus under the mandates relating to authentication. In this context, Visa Europe believes that there is a risk of re-emergence of these basic paper-based systems, which could be used to circumvent the regulation. This would be to the detriment of all consumers.
Accordingly, Visa Europe would suggest that the EBA instructs the National Regulators and Supervisors to monitor non-electronic transactions in the supervision of the compliance with the authentication Regulatory Technical Standards.
2. Which examples of possession elements do you consider as appropriate to be used in the context of strong customer authentication, must these have a physical form or can they be data? If so, can you provide details on how it can be ensured that these data can only be controlled by the PSU?
Visa Europe believes that the Regulatory Technical Standards should not include an exhaustive list of examples regarding the “possession elements”. Along with other features of the authentication to be included in the draft Regulatory Technical Standards, the possession elements should be widely defined to allow innovation and technological enhancement. This is in line with PSD2, which requires that the draft Regulatory Technical Standards “ensure technology and business-model neutrality”.

In the opinion of Visa Europe, the definition of possession elements in the Regulatory Technical Standards should include both physical devices and data.
Regarding the use of physical devices, the Regulatory Technical Standards should remain open in order to allow different types of solutions. The use of tokens that generate the so-called “one-time passwords” (by reading for example a chip on a card or a QR code) is a popular solution in certain EU countries, but it is not the only solution available (e.g. devices allowing biometrics). Hence, the Regulatory Technical Standards should refrain from mandating the use of a token as the only valid solution.
In the opinion of Visa Europe, the use of data will be a key element in the future of authentication. Accordingly, device-based data relating to the desktop, mobile or tablet can be used as an element of possession. In addition, data-based profiling will be core to the risk analysis of a transaction (where the customer is spending, with whom, via what channel, for how much, etc.).
Visa Europe fully supports the objective of maintaining the privacy of customers when making payments. Accordingly, the data used for the authentication process should only be used for the purposes of authentication. Visa Europe believes that strict compliance with data protection regulations already in place ensures that the information of the payment services user is lawfully used.
3. Do you consider that in the context of “inherence” elements, behaviour-based characteristics are appropriate to be used in the context of strong customer authentication? If so, can you specify under which conditions?
Yes, behaviour-based characteristics are suitable to be considered “inherence elements” in the context of Strong Customer Authentication. In our opinion, these elements provide more flexibility and are more resilient to social engineering (where the customer is persuaded to compromise their own details).

In the Risk Based Authentication approach that Visa Europe promotes, behaviour-based characteristics are the key element. Risk Based Authentication is based on assessing and contextualising data coming from different sources which, when properly correlated (e.g. by linking the device data, such as IP address and device serial number, with customer and merchant transaction history), provides very secure customer authentication. In the opinion of Visa Europe, this type of authentication is more accurate than relying on a single piece of data, even if generated by a physical device (e.g. a token).
The Regulatory Technical Standards should leave open the conditions under which behaviour-based characteristics can be used. In the opinion of Visa Europe, it would be impossible to accurately define such conditions, since transactions need to be assessed on a case by case basis. For example, a merchant selling highly desirable digital services (e.g. online access to gambling) is different from a merchant selling flowers on the internet. The risks are different and thus the controls applied do not need to be comparable: both can deliver very similar performance even where one relies on a far simpler system, because the scale, sophistication and threats in the two markets are not identical.
4. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to the independence of the authentication elements used (e.g. for mobile devices)?
For Visa Europe, the challenges for any particular device differ widely depending on the use case. Visa traditionally considers “authentication” to be a combination of:
- Card Authentication Method: the means by which we determine whether the device used to initiate the transaction is indeed genuine (e.g. at a face-to-face point of sale it would be the chip);
- Customer Verification Method: how the customer authenticates that they are the true owner of the device used to initiate the transaction (e.g. in a transaction with a chip card, this would be the PIN code);
- Authorisation process: whether the transaction details are available in real time to validate that the device is authorised to transact, that funds are available and that the behaviour of the customer is in line with their profile.
Accordingly, the independence of the channel is only one of multiple parameters to be taken into account when assessing the risk of a payment transaction.
In the opinion of Visa Europe, the Regulatory Technical Standards should take into account the three aspects of authentication, and refrain from simplifying Strong Customer Authentication into a combination of the authentication of the payment instrument (e.g. the card) and the customer verification method. What makes a transaction truly secure is the interaction of all three of the above-mentioned elements, which in most cases is more complex than complying with the definition of Strong Customer Authentication as two factor authentication.
One example of this interaction that specifically addresses the challenge of independence of authentication elements is an authentication based on a one-time password (OTP) received on a stolen phone. In this case a two factor authentication becomes de facto one factor. However, if the device relies on an unlock code known only to the customer, the core security principles (possession and knowledge) are retained. In addition, even if both elements (the phone and the OTP) are compromised, Visa’s authorisation process will prevent attempts to transact with payment instruments that have been reported as lost or stolen.
Therefore, in the opinion of Visa Europe, the draft Regulatory Technical Standards should not prescribe the use of a specific approach, but should incentivize the use of innovative and customer-friendly authentication that can fulfil the objective of securing payment transactions. The draft Regulatory Technical Standards should also reflect that the effective way to monitor the security of the payment transactions should be based on performance and not on compliance with strict definitions of the elements of the authentication.
5. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to dynamic linking?
In the context of card payments, Visa Europe believes that the link with the amount and the payee is useful information for the payer (the Visa cardholder) when confirming a specific payment transaction. However, Visa Europe does not consider that this information needs to be provided in the authentication process for every transaction. As already explained, Visa Europe advocates the deployment of Risk Based Authentication, which provides a high level of security while ensuring consumer convenience. In Risk Based Authentication, information on the amount and the payee would only need to be transmitted to the payer (the Visa cardholder) in transactions that are deemed to present risk.

For Visa Europe, establishing a link with the amount and the payee does not represent a challenge. Both the current and the newest version of our platform for the authentication of e-commerce transactions (3DSecure 2.0) include this feature.
3DSecure 2.0, available both for e-commerce (transactions performed via a PC browser) and for m-commerce (transactions performed via a mobile device), provides the necessary data to enable the PSP issuing the Visa card to perform Risk Based Authentication. Accordingly, in the authentication process the issuing PSP receives information about the Visa cardholder’s device (mobile/tablet/desktop PC browser) and from the merchant. The issuing PSP decides, based on that information, whether an additional level of authentication is required (e.g. two factor authentication in the sense of PSD2). This provides an optimal experience for all the parties involved, where the payer (the Visa cardholder) is required to perform additional authentication only if it is deemed appropriate.
The information that the issuing PSP receives includes the amount of the transaction and the name of the retailer. In addition, it also includes the date and exact time, the currency and the country of the merchant. The issuing PSP is free to transmit this information to the Visa cardholder prior to the confirmation of the payment.
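As an added illustration (it is neither Visa Europe’s code nor any part of 3DSecure), the following Python sketch shows the kind of issuer-side decision that the answers on behaviour-based characteristics, dynamic linking and mobile devices describe: the issuer receives the amount, currency, merchant name and country, time and device data, scores them against the cardholder’s history and a velocity check, and either lets the payment through or steps up to a second factor, at which point the amount and payee are shown to the cardholder. The field names, weights, threshold, cardholder profile and transactions are all constructed assumptions chosen for the example.

```python
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta
from typing import List, Set, Tuple

# Assumed issuer policy for this illustration: merchant categories treated as
# higher risk, and the score at which a second factor is demanded.
HIGH_RISK_CATEGORIES = {"gambling", "digital_goods"}
STEP_UP_THRESHOLD = 40


@dataclass(frozen=True)
class Transaction:
    """Data the issuer receives in the authentication message: amount, currency,
    merchant name and country, time and device, plus delivery details.
    Field names are assumptions, not a 3DSecure message layout."""
    amount: float
    currency: str
    merchant_name: str
    merchant_country: str
    merchant_category: str
    device_id: str
    ip_country: str
    ship_to: str
    timestamp: datetime


@dataclass
class CardholderProfile:
    """Issuer-side history for one cardholder (constructed, not real data)."""
    known_devices: Set[str]
    home_country: str
    usual_ship_to: str
    typical_amount: float
    recent_auths: List[datetime] = field(default_factory=list)


def assess(tx: Transaction, profile: CardholderProfile,
           velocity_window: timedelta = timedelta(hours=1),
           velocity_limit: int = 3) -> Tuple[int, List[str]]:
    """Score a transaction against the cardholder's profile. Each signal is
    scored on its own, so holding one element (e.g. the enrolled device)
    does not by itself make the transaction look legitimate."""
    recent = [t for t in profile.recent_auths
              if timedelta(0) <= tx.timestamp - t <= velocity_window]
    signals = [
        (tx.device_id not in profile.known_devices, 30, "unknown device"),
        (tx.ip_country != profile.home_country, 20, "foreign IP"),
        (tx.merchant_country != profile.home_country, 10, "merchant abroad"),
        (tx.ship_to != profile.usual_ship_to, 25, "new delivery address"),
        (tx.amount > 2 * profile.typical_amount, 20, "amount above usual"),
        (tx.merchant_category in HIGH_RISK_CATEGORIES, 15, "high-risk category"),
        (len(recent) >= velocity_limit, 25, "velocity"),
    ]
    score = sum(weight for hit, weight, _ in signals if hit)
    reasons = [reason for hit, _, reason in signals if hit]
    return score, reasons


def decide(tx: Transaction, profile: CardholderProfile) -> str:
    """Issuer decision: frictionless on the risk assessment alone, or step up
    to a second factor."""
    score, _ = assess(tx, profile)
    return "step_up" if score >= STEP_UP_THRESHOLD else "frictionless"


def challenge_text(tx: Transaction) -> str:
    """Text shown to the cardholder during step-up: the amount and payee,
    i.e. the dynamic link between the authentication and this payment."""
    return f"Confirm {tx.amount:.2f} {tx.currency} to {tx.merchant_name}"


# Constructed sample data.
NOW = datetime(2016, 2, 1, 10, 0)
PROFILE = CardholderProfile(
    known_devices={"dev-a1"}, home_country="FR",
    usual_ship_to="12 rue Exemple, Paris", typical_amount=60.0,
    recent_auths=[NOW - timedelta(hours=6)],
)

# Routine purchase from the enrolled phone: nothing deviates from the profile.
TX_FLOWERS = Transaction(35.0, "EUR", "Fleurs du Jour", "FR", "flowers",
                         "dev-a1", "FR", "12 rue Exemple, Paris", NOW)

# The same enrolled phone, now stolen: the possession element is intact, but
# location, merchant, amount and category all disagree with the profile.
TX_STOLEN_PHONE = Transaction(400.0, "EUR", "Example Casino Online", "MT",
                              "gambling", "dev-a1", "ES",
                              "12 rue Exemple, Paris", NOW)

# A burst of attempts from an unknown device inside the velocity window.
BURST_PROFILE = replace(PROFILE, recent_auths=[NOW - timedelta(minutes=m)
                                               for m in (2, 9, 30)])
TX_BURST = Transaction(20.0, "EUR", "Fleurs du Jour", "FR", "flowers",
                       "dev-zz", "FR", "12 rue Exemple, Paris", NOW)

if __name__ == "__main__":
    for name, tx, prof in [("flowers", TX_FLOWERS, PROFILE),
                           ("stolen phone", TX_STOLEN_PHONE, PROFILE),
                           ("burst", TX_BURST, BURST_PROFILE)]:
        score, reasons = assess(tx, prof)
        print(f"{name}: {decide(tx, prof)} (score {score}, {reasons})")
        if decide(tx, prof) == "step_up":
            print("  ", challenge_text(tx))
```

The stolen-phone case is the point of the example: the device check passes, yet the transaction is still stepped up because the remaining signals fail independently, and the challenge the cardholder then sees carries the amount and payee of that specific payment.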
6. In your view, which solutions for mobile devices fulfil both the objective of independence and dynamic linking already today?
Risk Based Authentication solutions using multiple data points coming from different sources (device information, transaction history, velocity checks, merchant category, shipment address etc.), and not relying on a single device-specific authentication, already fulfil the objectives of independence and dynamic linking. In fact, the compromise of one data element (e.g. the mobile device) will most probably not be sufficient to defraud the system, as the checks on the other parameters considered by the Risk Based Authentication system will fail.

7. Do you consider the clarifications suggested regarding the potential exemptions to strong customer authentication, to be useful?
In the opinion of Visa Europe, the clarifications provided in the Discussion Paper are useful examples of the type of data that could be collected by the issuer of a payment card to effectively assess the risk of a transaction. However, the Regulatory Technical Standards should clearly indicate that these clarifications should not be interpreted as strict requirements.

Mandating specific elements to be taken into account in the risk assessment would be equivalent to prescribing the use of a specific solution or system. In order to respect the principle of technological neutrality that governs PSD2, in the opinion of Visa Europe, the Regulatory Technical Standards should stay away from mandating any specific system.
Visa Europe believes that the effective way to verify that the risk assessment works should be based on the performance of the actors involved in the payments chain, and not on evaluating the system’s capability to analyse an exhaustive list of elements. Visa Europe has witnessed many situations where entities have deployed strong detection capabilities but have not deployed the best contact, operational support or management strategies. As a result, even though the system in place was optimal, the performance was poor.
In addition, the Regulatory Technical Standards should specify that the assessment of risk can also be performed on the “acquiring side” of the payment transaction (i.e. by the merchants and/or their payment service providers). In such cases, the elements of the risk assessment would be different from those used by the issuers and hence, different from those included in the clarifications.
It is also important to be mindful of the importance of consumer convenience when defining the Regulatory Technical Standards and exemptions as preventing fraud at the expense of growing the e-commerce market is counterproductive.
8. Are there any other factors the EBA should consider when deciding on the exemptions applicable to the forthcoming regulatory technical standards?
As previously mentioned, the risks of a transaction vary widely depending on a number of factors (from the location of the merchant and the PSPs involved in the transaction to the type of goods or services offered by the merchant). Accordingly, for optimal management of the risks, not all transactions can be subject to the same controls.

In the opinion of Visa Europe, the Regulatory Technical Standards should ensure that enough flexibility is allowed in the performance of the risk analysis of a payment transaction. Accordingly, the stakeholders involved in the transaction (PSPs – issuer and acquirer – and/or the merchant) should be able to perform the risk analysis based on different data, model capabilities, deployment models, remediation strategies, etc.
The Regulatory Technical Standards should expressly acknowledge the importance of consumer convenience in the process of authentication, which is a key driver for the increase of electronic payment transactions and, specifically, for e-commerce growth. In this sense, the Regulatory Technical Standards should acknowledge that it is possible to comply with the Strong Customer Authentication requirements through processes that eliminate any potential friction in the authentication while preserving security. For example, by using data about the device (device ID) and behavioural profiling an authentication can be performed using the core principles of possession (the device) and inherence (behavioural data). In addition, an opportunity to uplift authentication where high risk behaviour is observed is always provided.
9. Are there any other criteria or circumstances which the EBA should consider with respect to transaction risks analysis as a complement or alternative to the criteria identified in paragraph 45?
The Regulatory Technical Standards should not incorporate an exhaustive list of elements regarding the risk assessment of a transaction. Instead, the Regulatory Technical Standards should set out that the stakeholders (PSPs and/or merchants) should assess the risk of the transaction and be judged on performance. As previously indicated, risks vary depending on a number of factors (e.g. the location of the merchant and/or the PSPs, or the goods or services provided by the merchant). The Regulatory Technical Standards need to acknowledge that the controls can and need to be different depending on the conditions of the transaction, and that compliance with the mandate to perform a risk assessment has to be based on monitoring the performance of the stakeholders involved in the transaction, ensuring that all necessary measures are taken to prevent fraud while preserving to the maximum extent the customers’ convenience.

10. Do you consider the clarification suggested regarding the protection of users personalised security credentials to be useful?
Further clarification from the European Banking Authority is required in order to understand to what extent the security of the credentials is intended to be brought under the Regulatory Technical Standards. This chapter seems to be oriented towards e-banking credentials in the context of access to payment accounts for the provision by third parties of the “payment initiation” and “account information” services created by PSD2.

In the opinion of Visa Europe, if the objective of the Regulatory Technical Standards is to establish the framework to protect e-banking personalised security credentials for access to payment accounts by third parties, this should be clearly indicated.
It should be noted that, in the cards business, credential allocation is routine (PIN issuance, password provision, card distribution). Visa has strict requirements about the security of card data based upon the Payment Card Industry Data Security Standard (PCI-DSS). PCI-DSS represents a global set of minimum standards that all parties processing payment card data (merchants, acquirers, issuers and schemes) are expected to work to in order to limit the risk of data compromise. Entities that fail to work to PCI-DSS may be subject to payment system penalties if they suffer a data breach. For clarity, Visa Europe also remains fully compliant with this standard.
In conclusion, Visa Europe does not believe that security in relation to personalised security credentials for card-based payments needs regulatory intervention in the Regulatory Technical Standards.
11. What other risks with regard to the protection of users’ personalised security credentials do you identify?
As explained in the previous question, the security credentials of Visa cards are protected through very strict internal processes and policies (implemented by Visa Europe and the PSPs issuing Visa cards), along with compliance with the international standard PCI-DSS.

Visa Europe believes that credentials for card payments have an appropriate level of protection that does not require further regulatory intervention.