Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
We do generally agree but we would like to submit the following feedback and questions:
- In Article 2, Item 2b, it is stated that: "The channel, device or mobile application through which the information linking the transaction to a specific amount and a specific payee is displayed shall be independent or segregated from the channel, device or mobile application used for initiating the electronic payment transaction." We understand that, in the situation where a mobile device is used, there should be at least two independent mobile applications: one to initiate the transaction and one to generate the authentication code. But it is unclear to us whether it is possible to use two different apps on the same device. Can you clarify this point?
- In Article 6, are items 3a and 3b both mandatory, or does one suffice? Does item 3a, which requires the implementation of separated trusted execution environments inside multi-purpose devices, imply e.g. using the Trusted Execution Environment on mobile phones to generate the authentication codes?
Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS?
NA
Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
NA
Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?
NA
Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?
NA
Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?
We do generally agree but we would like to submit the following feedback and questions:
- In Article 9, Item 1c, it is stated that secret cryptographic material related to the encryption of the credentials shall be stored in secure and tamper-resistant devices and environments. Does this apply to both the backend and the client devices? Can you provide some examples that would be allowed on mobile devices? Is a secure element / TEE required, or can software-only mechanisms be used as well?
- In Article 12, Item b, it is stated that "the association via a remote channel of the payment services user’s identity with the personalised security credentials, with a payment instrument and with authentication devices or software shall be performed using the strong customer authentication procedure." According to us, this is infeasible, as it means that the provisioning shall be protected by an OTP, which can only be generated after the provisioning. Can you clarify how to solve this problem practically?