Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Go back
– based on pki technology standards
– places risk control at its source
– allocates liability by contractual framework
– provides system-wide risk management
– and a platform for finanical institutions and other providers to develop replicable solutions from bank-to-business, business-to-business and consumer-to-consumer
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
Yes, IdenTrust can see benefit in the requirements for strong customer authentication. However, the provisions proposed in Chapter 1 appear to have a solution in mind, and digital signatures seem to be excluded from the solution outcome. It is not clear why eIDAS is considered at the website certificates level, but not at the natural person level. Equally it is not clear how interoperability will be achieved. Digital signatures can meet the knowledge and possession requirements; proves and establishes identity; delivers non-repudiation; combats frauds; provides audit and compliance tracking; guarantees privacy; ensures data integrity; eliminates man-in-the-middle attacks; provides legally binding user-level signatures and can be used in multiple applications. The signatures can be validated in real time by the relying party. With the number of parties involved at any one time, the relying party will change through the transaction flow and identification, and authentication, between account servicing payment service providers, payment initiation service providers, account information service providers, payers, payees and other payment service providers then real time validation at the point of reliance is critical. The inter-party liability provisions do not seem to have been addressed. An end-to-end secure payment system underpinned by using digital signatures with a risk management and liability framework could help provide this.Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.
Yes, IdenTrust believes that the dynamic linking should be a feature of the application rules and channel. However, as a practical matter, we believe that a customer will initiate the payment within the application on the same device, and if this segregation/independence test is taken forward, then customer experience will be poor and could be a barrier to adoption.Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
It is not clear that brute force attack has been considered.Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?
No, IdenTrust do not agree. It seems to be a blunt instrument and crude mitigation to the lack of a liability model and agreed dispute resolution regime, and does not allow the parties to take risk-managed decisions on the transactions involved. If caps are introduced, what is the mechanism for managing change of those caps going forward?Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?
See Q4 responseQuestion 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?
Yes, IdenTrust agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, but we do not agree with the resultant provisions provided in Chapter 3. If the authentication procedure will remain fully in the sphere of competence of the ASPSP, then they need to be in control of the provision of the PSUs credentials, which will be an existing BAU process. This Chapter and Articles seem imbalanced and rather than outcome based are too prescriptive.Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?
Yes, IdenTrust agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information. However, we do believe that for interoperability then Chapter 4 should define the detail of communication interface/or provide for its definitionQuestion 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?
The use of ISO20022 elements is a worthy intent, but specificity is required. Whilst this is an industry standard, if the message types do not exist today they need to be defined and agreed. If they do agree today, then the message identifiers and elements to be used needs to be documented in this RTS standard.Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services ?
As eIDAS seeks to enhance trust in electronic transactions in the EU's internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities cross-borders, in order to increase the effectiveness of public and private online services, electronic business and electronic commerce in the Union, then it is understandable that this has been considered to provide the mutual trust between PSPs. The challenge will be that supervisory bodies and accreditation regimes need to be implemented in order for Trust Service Providers to register and be accredited. The timelines will be tight, and IdenTrust believe that Option 4.2.2 (Allow identification via certificates issued by a General Certificate Authority) should be explored in parallel.Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieve an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.
Unless the customer has given their explicit consent" to that access, then IdenTrust believes that there should be zero frequency permitted."Please select which category best describes you and/or your organisation
[Other "]"If you selected "Other", please provide details
IdenTrust provide a global borderless trust network that is– based on pki technology standards
– places risk control at its source
– allocates liability by contractual framework
– provides system-wide risk management
– and a platform for finanical institutions and other providers to develop replicable solutions from bank-to-business, business-to-business and consumer-to-consumer