Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Go back
ACCIE’s view on the general detrimental impact of the proposed RTS on the European payments sector
Payment security is about striking the right, delicate balance between security and consumer convenience. Experience shows that the slightest improvement in consumer convenience (such as a One-Time-Password instead of a static password) significantly increases the number of authorised transactions (less abandoned carts) with a positive effect for both consumers (improved consumer experience) and merchants (increased turnover). When developing new products, issuers and merchants work together in creating a balance between consumer convenience and a high level of security. By doing so they are continuously raising the standards for security and consumer experience.
A risk-based approach is of vital importance for the sector to be able to apply less stringent customer authentication procedures to low risk transactions. This results in more payment convenience for consumers (less actions necessary to complete payment). At the same time, high risk transactions are subject to the highest standards of customer authentication.
Applying a risk-based approach provided a boost to the development of innovative payment solutions such as contactless payment, one-click buying and in-App payments. These solutions have significantly increased the number of authorised transactions and have increased consumer convenience. This has contributed tremendously to the development of the European Digital Single Market (DSM), strengthening the competitiveness of the European payment and e-commerce sector.
Applying the draft RTS to the European market will hamper innovation and the development of new payment solutions. Imposing SCA irrespective of the actual risk associated with the transaction does not allow for consumer friendly and innovative payment solutions as contactless payment and one-click-buying. At the same time, millions of seamless (recurring) payment experiences offered, such as within iTunes, Netflix, or Spotify, will no longer be possible in the manner we experience them today. Instead of offering EU consumers the seamless experiences they want and expect, they will be faced with SCA driven, superfluous challenges to complete a payment. This would be an immense step backwards in the development of the European DSM and will deteriorate the competitiveness of the European payment sector.
ACCIE understands the importance of SCA for completing transactions with a high risk of fraudulent activity, but believes the application of SCA should be limited only to high risk transactions. Applying SCA to the majority of transactions, irrespective of their actual risk, as proposed in EBA's daft RTS, will significantly reduce the possibilities for innovation in the payment sector and will negatively impact consumer convenience.
The current RTS does not allow for individual risk analysis by PSPs to determine whether SCA should be applied. ACCIE therefore calls on the EBA to amend the RTS to allow for the application of a risk based approach to determine if SCA should be applied to a transaction, in accordance with Article 98(2)(a) of the Revised Payment Service Directive (PSD2). This would also call for harmonised criteria for risk analysis of payment transactions (for example by determining fraud thresholds)., which should be developed in cooperation with the European payment sector. This is not an easy task, but ACCIE believes this to be the only way to create a user-friendly, accessible, secure and innovative payment sector in Europe.
ACCIE’s specific feedback on Q1
We believe the draft RTS should provide more clarification with regard to which card based transactions would fall under the scope of the EBA's draft RTS.
Opposed to non-card based payments, we believe card based payments should not be caught within the scope of Article 97(1)(b) and be determined as an electronic payment transaction initiated by a payer. A card transaction is initiated when the payer presents their card to the merchant who as payee then initiates the transaction via their merchant acquirer. Hence, card payments are payee initiated and therefore not caught within this provision and should therefore also be outside the scope of the draft RTS.
If some card payments are caught within the scope of Article 97(1)(c) then it is only to the extent that a remote card payment is carried out. As a result, any card present transactions (including contactless tap and pay) should therefore be out of scope of the draft RTS.
In the draft RTS it remains unclear whether card payments made using a telephone would fall under Article 97(1)(c). Since telephones are not directly linked to on line or internet transactions, it remains unclear whether the use of a telephone to complete transactions would be considered as using a remote channel and would therefore require SCA. ACCIE believes that transactions that make use of a telephone should fall outside the scope of the draft RTS.
With regard to the segregation of devices in order to separate authentication and authorization, we strongly believe this provision will have an unintended negative impact on the way consumers experience payment processes and is not a precondition for a secure and convenient payment process. We therefore urge the EBA to omit this requirement from Article 2(2) of the draft RTS.
The EBA has indicated that it was unable to identify which minimum set of information the RTS should require for a transaction risk analysis to qualify as ground for an exemption. However, ACCIE believes that risk assessment and the application of SCA are inherently linked. Therefore, ACCIE calls on the EBA to develop an independent set of risk assessment criteria in close collaboration with the payment industry and the European Commission. This will enable PSPs to use risk analysis as a determining element on whether to apply SCA, while maintaining fair competition between different payment solutions.
Regarding the exemption listed by the EBA under Article 8(1)(a), the EBA indicated that an exemption from the use of SCA applies when the payer accesses exclusively the information of its payment account online, or the consolidated information on other payment accounts held, without disclosure of sensitive payment data. ACCIE believes this to be a very wide definition since, in almost all cases where customers access their online payment account, this gives them access to sensitive payment data, making this exemption superfluous.
In addition, ACCIE proposes more flexibility regarding the thresholds that are used to determine if an exemption can be applied to a transaction. The current thresholds are set at a very low level and are static. There is no mechanism included to adapt to the rapidly changing payments ecosystem, where technical developments and changes in consumer behaviour and preferences can make the current thresholds outdated. When these thresholds are not up-to-date, they would merely hamper the European payments sector.
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
ACCIE, the Association of Credit Card Issuers Europe, welcomes the EBA’s draft Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA). We share the EBA’s vision that the RTS should enable the development of user-friendly, accessible, secure and innovative means of payment. ACCIE welcomes the opportunity to give feedback on the draft RTS, and would like to use this opportunity not only to provide the EBA with feedback on specific elements of the RTS, but also to give an overview of the feared negative implications the proposed RTS can have on the payment sector.ACCIE’s view on the general detrimental impact of the proposed RTS on the European payments sector
Payment security is about striking the right, delicate balance between security and consumer convenience. Experience shows that the slightest improvement in consumer convenience (such as a One-Time-Password instead of a static password) significantly increases the number of authorised transactions (less abandoned carts) with a positive effect for both consumers (improved consumer experience) and merchants (increased turnover). When developing new products, issuers and merchants work together in creating a balance between consumer convenience and a high level of security. By doing so they are continuously raising the standards for security and consumer experience.
A risk-based approach is of vital importance for the sector to be able to apply less stringent customer authentication procedures to low risk transactions. This results in more payment convenience for consumers (less actions necessary to complete payment). At the same time, high risk transactions are subject to the highest standards of customer authentication.
Applying a risk-based approach provided a boost to the development of innovative payment solutions such as contactless payment, one-click buying and in-App payments. These solutions have significantly increased the number of authorised transactions and have increased consumer convenience. This has contributed tremendously to the development of the European Digital Single Market (DSM), strengthening the competitiveness of the European payment and e-commerce sector.
Applying the draft RTS to the European market will hamper innovation and the development of new payment solutions. Imposing SCA irrespective of the actual risk associated with the transaction does not allow for consumer friendly and innovative payment solutions as contactless payment and one-click-buying. At the same time, millions of seamless (recurring) payment experiences offered, such as within iTunes, Netflix, or Spotify, will no longer be possible in the manner we experience them today. Instead of offering EU consumers the seamless experiences they want and expect, they will be faced with SCA driven, superfluous challenges to complete a payment. This would be an immense step backwards in the development of the European DSM and will deteriorate the competitiveness of the European payment sector.
ACCIE understands the importance of SCA for completing transactions with a high risk of fraudulent activity, but believes the application of SCA should be limited only to high risk transactions. Applying SCA to the majority of transactions, irrespective of their actual risk, as proposed in EBA's daft RTS, will significantly reduce the possibilities for innovation in the payment sector and will negatively impact consumer convenience.
The current RTS does not allow for individual risk analysis by PSPs to determine whether SCA should be applied. ACCIE therefore calls on the EBA to amend the RTS to allow for the application of a risk based approach to determine if SCA should be applied to a transaction, in accordance with Article 98(2)(a) of the Revised Payment Service Directive (PSD2). This would also call for harmonised criteria for risk analysis of payment transactions (for example by determining fraud thresholds)., which should be developed in cooperation with the European payment sector. This is not an easy task, but ACCIE believes this to be the only way to create a user-friendly, accessible, secure and innovative payment sector in Europe.
ACCIE’s specific feedback on Q1
We believe the draft RTS should provide more clarification with regard to which card based transactions would fall under the scope of the EBA's draft RTS.
Opposed to non-card based payments, we believe card based payments should not be caught within the scope of Article 97(1)(b) and be determined as an electronic payment transaction initiated by a payer. A card transaction is initiated when the payer presents their card to the merchant who as payee then initiates the transaction via their merchant acquirer. Hence, card payments are payee initiated and therefore not caught within this provision and should therefore also be outside the scope of the draft RTS.
If some card payments are caught within the scope of Article 97(1)(c) then it is only to the extent that a remote card payment is carried out. As a result, any card present transactions (including contactless tap and pay) should therefore be out of scope of the draft RTS.
In the draft RTS it remains unclear whether card payments made using a telephone would fall under Article 97(1)(c). Since telephones are not directly linked to on line or internet transactions, it remains unclear whether the use of a telephone to complete transactions would be considered as using a remote channel and would therefore require SCA. ACCIE believes that transactions that make use of a telephone should fall outside the scope of the draft RTS.
Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.
ACCIE agrees with the EBA that the requirements for the ‘dynamic linking’ procedure should be neutral as to when the dynamic linking should take place.With regard to the segregation of devices in order to separate authentication and authorization, we strongly believe this provision will have an unintended negative impact on the way consumers experience payment processes and is not a precondition for a secure and convenient payment process. We therefore urge the EBA to omit this requirement from Article 2(2) of the draft RTS.
Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
At the moment, ACCIE is not aware of any other threats than those identified in Articles 3, 4, and 5 of the draft RTS. However, ACCIE would like to stipulate that maximising security at one end of the ecosystem often leads to more risk or even fraud problems in another area. Both industry and regulators should always be aware and act upon this possible side-effect. Enough leeway for innovation is therefore needed to keep payments security at appropriate levels.Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?
Article 97(3)(a) of the PSD2 states that the level of risk involved in the service provided is one of the criteria for exempting certain transactions from applying SCA. ACCIE would like to point out the importance of this statement as a vast part of payments in Europe could be classified as low risk transactions. Applying SCA for these transactions is not necessary and would only lead to reduced consumer convenience. In order to ensure the appropriate use of SCA and to prevent a situation where the cure is worse than the disease, it should be allowed to take the risk level of a transaction into account before determining whether SCA should be applied.The EBA has indicated that it was unable to identify which minimum set of information the RTS should require for a transaction risk analysis to qualify as ground for an exemption. However, ACCIE believes that risk assessment and the application of SCA are inherently linked. Therefore, ACCIE calls on the EBA to develop an independent set of risk assessment criteria in close collaboration with the payment industry and the European Commission. This will enable PSPs to use risk analysis as a determining element on whether to apply SCA, while maintaining fair competition between different payment solutions.
Regarding the exemption listed by the EBA under Article 8(1)(a), the EBA indicated that an exemption from the use of SCA applies when the payer accesses exclusively the information of its payment account online, or the consolidated information on other payment accounts held, without disclosure of sensitive payment data. ACCIE believes this to be a very wide definition since, in almost all cases where customers access their online payment account, this gives them access to sensitive payment data, making this exemption superfluous.
Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?
ACCIE strongly believes that PSPs should always have the possibility to apply SCA on transactions that meet the criteria for exemption.In addition, ACCIE proposes more flexibility regarding the thresholds that are used to determine if an exemption can be applied to a transaction. The current thresholds are set at a very low level and are static. There is no mechanism included to adapt to the rapidly changing payments ecosystem, where technical developments and changes in consumer behaviour and preferences can make the current thresholds outdated. When these thresholds are not up-to-date, they would merely hamper the European payments sector.