Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2


Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

PNC have the following comments to the EBA reasoning:

Article 1.3 (b): In some situations, feedback to the payer on what went wrong can be helpful. For example, if the payer enters the wrong PIN for a card transaction, it is common practice to display “Wrong PIN” on the terminal. The article should therefore be revised.

Article 2.2 (b): This article is unclear and can be interpreted to require two physically independent channels. Such an interpretation would be very impractical for consumers and would be a considerable obstacle to solution development. We suggest that it should be clarified that the channel, device or mobile application should be logically independent. Alternatively, the second sentence of Article 2.2 (b) could be deleted.

Question to EBA:
With reference to Article 1, will magnetic stripe card transactions still be allowed under the RTS? May it depend on the card verification method used (e.g. PIN, signature) and/or on whether the magnetic stripe transaction is a fallback from chip?

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the condition that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS?

Yes, we agree.
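To illustrate the “dynamic linking” requirement discussed in Question 2, the following is an added example, not part of the consultation response or of the draft RTS: the authentication code is computed over the amount and payee that were displayed to the payer, so that a later change to either invalidates the code. The HMAC construction, the length-prefixed field encoding and the key handling are assumptions for this example; the RTS does not prescribe a specific algorithm.

```python
# Added illustration of dynamic linking: bind the authentication code to the
# amount and payee shown to the payer. HMAC-SHA256, the field encoding and the
# key/nonce handling are assumptions for this example, not RTS requirements.
import hashlib
import hmac
import secrets
from decimal import Decimal


def canonical_message(amount: Decimal, currency: str, payee: str, nonce: bytes) -> bytes:
    """Encode the displayed transaction details unambiguously.

    Each field is length-prefixed (assumed encoding) so that, for example,
    amount "1.0" with payee "0X" cannot collide with amount "1.00" and payee "X".
    """
    parts = [
        str(amount.quantize(Decimal("0.01"))).encode(),
        currency.upper().encode(),
        payee.encode("utf-8"),
        nonce,
    ]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def generate_auth_code(key: bytes, amount: Decimal, currency: str, payee: str, nonce: bytes) -> str:
    """Code computed by the payer's device over exactly what it displayed."""
    mac = hmac.new(key, canonical_message(amount, currency, payee, nonce), hashlib.sha256)
    return mac.hexdigest()[:16]  # truncated for display; still 64 bits


def verify_auth_code(key: bytes, code: str, amount: Decimal, currency: str, payee: str, nonce: bytes) -> bool:
    """The PSP recomputes the code from the amount and payee it is about to execute."""
    expected = generate_auth_code(key, amount, currency, payee, nonce)
    return hmac.compare_digest(code, expected)


if __name__ == "__main__":
    key = secrets.token_bytes(32)    # constructed per-device secret
    nonce = secrets.token_bytes(16)  # constructed per-transaction challenge
    code = generate_auth_code(key, Decimal("49.90"), "EUR", "Merchant A", nonce)
    assert verify_auth_code(key, code, Decimal("49.90"), "EUR", "Merchant A", nonce)
    # Amount or payee altered after the payer approved them: the code fails.
    assert not verify_auth_code(key, code, Decimal("499.00"), "EUR", "Merchant A", nonce)
    assert not verify_auth_code(key, code, Decimal("49.90"), "EUR", "Merchant B", nonce)
```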

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?

No comments

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

PNC have the following comments to the EBA reasoning:

Rationale 17: Following the logic of recurring credit transfers in Article 8 of the RTS, for recurring card payment transactions, SCA of the payer should only be required for the first transaction. The RTS should be updated to reflect this.

Rationale 52: The RTS in general, and the exemptions from SCA in particular, should ensure technological neutrality, as the EBA states in rationale 50. This principle should be upheld also for low value payments at the point of sale. In the draft RTS the EBA states that only contactless electronic payment transactions should be subject to a low value exemption from SCA, in order to preserve the high level of security provided by “chip & PIN”. This motivation is not logical: contact transactions without PIN cannot be deemed less safe than contactless transactions without PIN. They are equally safe.

We would like to highlight that some of the major card schemes operating in Europe allow for “contact” payment transactions without PIN for small amounts (e.g. vending machines) and also for larger amounts (e.g. parking/tolls). In several cases, such as unattended parking terminals, exemptions on the PIN requirement are also done for security reasons, i.e. in order for the PIN not to be compromised by usage in a physical environment with high visibility.

Therefore, our view is that the exemption from SCA defined in Article 8 (b) must be extended to also cover “contact” electronic payment transactions, on the condition that the payment instrument used can be securely authenticated; i.e. the word “contactless” should be removed in Article 8.

Rationale 54: The EBA does not propose exemptions from SCA based on transaction-risk analysis performed by PSPs. In the view of PNC there should be an option for the PSP of the payer (i.e. the issuer in a card-based payment) to apply exemptions from SCA based on its own risk analysis. Likewise, the exact criteria for such risk analysis should be those that the payer’s PSP deems relevant in order to reduce fraud and risk to an acceptable level; i.e. the RTS need only list a number of suggested criteria, not an exhaustive list. Such flexibility would allow for continued innovation in fraud prevention and analysis.

Article 8: Recurring card payments should enjoy the same exemption as recurring credit transfers, as pointed out in our comment on Rationale 17; i.e. paragraph 2 of Article 8 should be updated accordingly:

“(b) the payer initiates online a series of credit transfers or card-based payments with the same amount and the same payee.

The application of strong customer authentication shall not be exempted where the payer initiates the series of credit transfers or card-based payments for the first time or amends the series of credit transfers.”

Article 8.1 (b) and 8.2 (d): In the RTS, the EBA has defined fixed amounts in euro for these exemptions. The relative value of a fixed euro amount may be very different in different member states. We therefore propose that the exemptions are updated to allow individual member states to adjust the stated amounts (up or down) based on the price level of the country.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

The view of PNC is that the application of exemptions must be optional for ASPSPs. Preventing ASPSPs from implementing a higher security level would be against common sense and would also not allow the ASPSP to apply exemptions based on its own risk assessment.

The idea of allowing exemptions from the requirement for SCA is to give ASPSPs the possibility to make payment initiation more convenient for payers. The underlying assumption is that SCA always creates a hassle, or at least a slower payment initiation. With the escalating innovation in customer authentication methods and technology, this is no longer the case, and will be so even less in the future. Many of these new strong authentication methods are more customer-friendly and convenient than weak authentication methods such as static passwords. For payment solutions where today only a strong customer authentication method is offered for all transactions, and this is perceived as convenient by the users, there is no need to introduce another, weak customer authentication method that would at the same time be less customer-friendly.

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?

Question to EBA:
With reference to Article 19, will the issuance of cards with magnetic stripe still be allowed under the RTS?

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

PNC have the following comments to the EBA reasoning:

Article 19.3: PNC would like to highlight that ISO 20022 is not yet widely used in the card payment sector. Therefore we ask the EBA to confirm that the requirement concerning ISO 20022 only applies between PSPs for the provision of AIS, PIS or for the confirmation of the availability of funds.

Article 17: PNC considers the requirement on bilateral identification between customer and acceptance devices to be in need of a change, or at least an explanation. In a card transaction today, the card is identified to the terminal; no reciprocal identification of the terminal to the card takes place. If “secure bilateral identification” is to be interpreted as mutual authentication, this would create an incompatibility with EMV card payments.

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

We cannot see a technical constraint on the use of ISO 20022. However, our view is that the implementation of ISO 20022 should be market driven and not driven by regulation.

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services?

No comment

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieves an appropriate balance between allowing AISPs to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and the rationale for such frequency.

No comment

Please select which category best describes you and/or your organisation

Other

If you selected "Other", please provide details

The PAN-Nordic Card Association (PNC) is a membership organisation for banks and financial institutions in Sweden, Denmark, Norway, Finland and the Baltic states.

Please select which category best describes the services provided by you/your organisation

Other

If you selected "Other", please provide details

We work to promote payment card solutions, work toward a single Nordic payment card market and promote Nordic card payment interests in Europe. PNC also acts as a member forum to coordinate and cooperate on non-competitive payment card aspects.

Name of organisation

PAN-Nordic Card Association