Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2


Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

EMVCo shares the objective of the revised Payment Service Directive (PSD2) to improve security and prevent fraud in electronic face to face and remote payments transactions.
EMVCo exists to facilitate worldwide interoperability and acceptance of secure payment transactions. It accomplishes this by managing and evolving the EMV® Specifications and related testing processes. This includes, but is not limited to, card and terminal evaluation, security evaluation, and management of interoperability issues. Today there are EMV Specifications based on contact chip, contactless chip, common payment application (CPA), card personalisation, 3D-Secure v2.0 and tokenisation.

EMVCo would like to comment on some of the requirements put forward in the EBA RTS. Application of some of those requirements to electronic face to face payments raises concerns, as follows, and will lead to unintended consequences:

• The ‘one-leg’ principle: EMV is a global specification which allows different markets to apply different requirements while ensuring global interoperability. For instance, outside of Europe, the markets (e.g. the US) have in general selected ‘Signature’ as the predominant Cardholder Verification Method.

EMVCo would welcome the confirmation that signature is an acceptable Consumer Verification Method under the new EBA RTS. This will ensure that European PSPs will not decline signature-based transactions or no CVM transactions when their cardholders travel outside of Europe.

• ‘No exemptions for low-value contact transactions’:
o Although ‘Chip and PIN’ is the norm in Europe, there are some environments which need the possibility to accept Chip transactions with no CVM. This is the case, for instance, for Toll-ways, Parking meters, Vending machines.
o Mandating a systematic SCA in these environments would jeopardise the acceptance in these environments.

• ‘The SCA procedure shall include risk management mechanisms and techniques to prevent, detect and block fraudulent payment transactions before the PSP’s final authorisation.’ Such a risk-based approach has been widely adopted and implemented by market players to ensure a quick, easy and frictionless checkout process with the highest level of confidence in the legitimacy of the transaction. EMVCo is currently developing the next generation of 3D Secure (3DS2.0) which will provide the industry with a flexible and adaptive revised approach to payments security for digital channels. 3D Secure 2.0 provides enhanced support for implementation within mobile-based applications and browser-based payments using various risk management techniques. Such mechanisms take into account, but are not limited to:
i. parameterised rules, including black lists of compromised or stolen card data,
ii. signs of malware infection in the session and known fraud scenarios,
iii. an adequate transaction history of the payer to evaluate its typical spending behavioral patterns,
iv. information about the customer device used,
v. a detailed risk profile of the payer and/or the payer’s device,

o EMVCo would like to draw the EBA’s attention to the fact that requiring such techniques to be used in face-to-face payments would lead to all transactions being authorised on-line. This would prevent PSPs from supporting offline chip transactions even in such cases as transit.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

EMVCo attended the public hearing on the draft RTS held by the EBA on 23rd September. EMVCo welcomed the clarification that the ‘dynamic linking’ requirement is meant to achieve three objectives:
• Ensure that the payer is made aware at all times of the amount of the transaction and the payee
• Ensure that the authentication code is unique to the transaction amount and payee
• Avoid the so-called ‘Man-in-the-middle’ attacks where a fraudster would modify the amount or the payee account

EMVCo is fully aligned with the need and agrees that the solution proposed by EBA (generating the authentication code using amount and payee account data) is one way to meet the requirement, but is of the opinion that the following constraints or methodology should also be taken into account:
• For card transactions, it is common that the amount known at the time the authentication code is generated is not final. For instance, shipping costs can be added later on, and hotel bills may differ from the initially authorized amount. In such cases the amounts settled will differ from the amount dynamically linked in the SCA authentication. Provision and exemption for such cases need to be catered for in the RTS.

• EMVCo will be releasing publicly in the coming months an industry specification, i.e. 3D Secure 2.0, that takes the cross-ecosystem learnings from initial 3D Secure (Version 1.0) implementations to provide a flexible and adaptive revised approach to payments security for digital channels. 3D Secure 2.0 provides enhanced support for implementation within mobile-based applications and browser-based payments. This technology, as well as its predecessor 3DS 1.0, includes preventive measures against ‘man-in-the-middle’ attacks which prevent the transaction amount and the payee account from being fraudulently modified. The roll-out of this technology could be seen as an alternative to the strict need to include transaction amount and payee account in the authentication code generation algorithm.

Every Payment Authentication transaction generates a unique id and the Issuer/ACS has the ability to determine the appropriate authentication process and eventually generate the authentication value which is specific to each transaction.

The security design around the 3DS 2.0 flows prevents ‘man-in-the-middle’ attacks and creates a secure channel between the cardholder and the Issuer/ACS.

Rationale 26 and article 2.2 (b)

EMVCo is fully aligned with the view that the authentication procedure should ensure the confidentiality, authenticity and integrity of the information displayed to the payer through all phases of the authentication procedure including generation, transmission and use of the authentication code.

However, EMVCo is of the opinion that the RTS and particularly the rationale and related article 2 (b) should not go as far as to suggest specific implementation requirements.

EMVCo recognises that different solutions exist (e.g. Secure element for storage of sensitive data accessible only by authorized applications, application sandboxing, white-box cryptography, etc.) to fulfill those requirements. As one amongst many examples, different secure (encrypted including P2P authentication) channels can be established on the same device and by the same Execution Environment in order to segregate the information while in transit. A Secure Element or a whitebox-secured application can be used to support the requirement of secure data treatment. Such varied methods and solutions foster quick adaptation to new technologies and types of fraud.

Therefore, EMVCo is of the opinion that the RTS should only prescribe the high-level requirement and allow the market to implement and deploy various solutions, so as to best adapt to opportunities offered by new technologies.
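
An added illustration, not part of EMVCo's response or of any EMV or 3D Secure specification, of the approach discussed in this answer: an authentication code generated over the amount and payee account, and the effect when the settled amount later differs. HMAC-SHA256 truncated to 8 digits, the field encoding, the key and the placeholder IBANs are all assumptions made for the example.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed sample values, not real credentials or accounts.
SAMPLE_KEY = bytes(range(32))
SAMPLE_PAYEE = "DE00 0000 0000 0000 0000 00"   # placeholder IBAN


def canonical(txn_id, amount, currency, payee):
    """Serialise the linked fields unambiguously (2-byte length prefix each)."""
    fields = [txn_id, f"{Decimal(amount):.2f}", currency.upper(),
              payee.replace(" ", "").upper()]
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)


def generate_auth_code(key, txn_id, amount, currency, payee, digits=8):
    """Authentication code bound to this transaction's amount and payee."""
    message = canonical(txn_id, amount, currency, payee)
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def verify_auth_code(key, code, txn_id, amount, currency, payee):
    """Recompute the code from the fields actually being authorised."""
    expected = generate_auth_code(key, txn_id, amount, currency, payee, len(code))
    return hmac.compare_digest(expected, code)


def demo():
    # Code generated for what the payer was shown: 120.00 EUR to SAMPLE_PAYEE.
    code = generate_auth_code(SAMPLE_KEY, "txn-0001", "120.00", "EUR", SAMPLE_PAYEE)

    def check(amount, payee):
        return verify_auth_code(SAMPLE_KEY, code, "txn-0001", amount, "EUR", payee)

    return {
        "as_displayed": check("120.00", SAMPLE_PAYEE),
        "payee_swapped": check("120.00", "DE99 9999 9999 9999 9999 99"),
        "amount_tampered": check("1200.00", SAMPLE_PAYEE),
        # Legitimate change (e.g. shipping added later) is also rejected.
        "shipping_added_later": check("127.50", SAMPLE_PAYEE),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The last case is indistinguishable from tampering as far as the code is concerned, which is why a strictly linked amount needs a defined way to handle a later, legitimate change.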

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

EMVCo is fully aligned with the principles established in PSD2 stating that the draft regulatory technical standards shall ‘ensure an appropriate level of security for payment service users and payment service providers, through the adoption of effective and risk-based requirements;’ ‘allow for the development of user-friendly, accessible and innovative means of payment’. In particular, the exemptions should take into account ‘the level of risk involved in the service provided’.

For many years EMVCo has been developing for the payment industry technical specifications that facilitate the worldwide interoperability of secure payment transactions. These specifications have proven to be very effective as they have been adopted widely for card-present transactions. In 2015, 35.8% of all card-present transactions conducted globally and 84.3% in Europe have used the EMV technology.

More recently EMVCo has expanded its development plan to also bring the same level of interoperability and security for the remote-transaction environments.

EMVCo will be releasing publicly in the coming months an industry specification, i.e. 3D Secure 2.0 that takes the cross ecosystem learnings from initial 3D Secure (Version 1.0) implementations to provide a flexible and adaptive revised approach to payments security for digital channels. 3D Secure 2.0 provides enhanced support for implementation within mobile based application and browser based payments.

The specification is fully aligned with the PSD2 principles as it allows taking into account the inherent risk of any given transaction to decide what level of customer authentication is needed. This risk-based approach allows taking into account in the decision-making process transaction and device related data which are now made routinely available end-to-end (and that all PSPs can use in a similar way). An explicit Consumer Authentication is performed only when a transaction is assessed to be above a pre-determined risk level and can be achieved using a variety of mechanisms requiring direct Consumer interaction and actions: a validated Biometric, OTP (One Time Passcode), verification achieved using a successful mobile online banking log-in, etc.

Technically, a merchant can indicate a preference for not requiring an explicit consumer authentication but the decision resides with the PSP. This risk-based approach is already used by some issuers and retailers in Europe.

EMVCo believes that this flexible approach is needed to ensure that the payment is user-friendly in order to avoid apathy and unnecessary abandonment of transactions on the customer side due to excessive use of the SCA, and finally to avoid an increase in transaction costs due to the implementation of SCA. EMVCo believes that a careful balance between friction at checkout, ease of integration into the checkout and cardholder experience will provide key drivers to manage the intent of fraud reduction whilst also increasing a safe shopping experience in more channels and devices than currently supported. Ensuring that both cardholders and merchants enthusiastically engage in suggested solutions will be a key driver to success and for the future of electronic transactions.


3DS 2.0 will be a public specification and will provide the full set of data elements required to support the payment transaction flows. Consequently, all PSPs will be able to use them in a similar way, which meets the requirement to have a ‘level-playing field’.

Consequently, a Risk-Based authentication approach should be recognized as a valid exemption (or as a part of the overall SCA process). It is also worth mentioning that merchants outside of Europe will not always support SCA and, therefore the European PSP should be allowed to accept the transaction based on its own risk based decision.

Given the rapid development of the industry and the constant increase of the data being available, it is desirable that the exemptions are neither too specific nor listed exhaustively to allow the constant improvement of risk management techniques and the introduction of innovative solutions.

On a similar note, the draft RTS should not limit this exemption to low-value contactless transactions but instead extend it also to low-value contact transactions as the risk-profile and payment transaction technology are identical.
In addition there are a number of environments where the exemption for payments is required such as parking, toll ways and vending machines.

EMVCo is concerned by the fact that, in today’s world, the 50€ transaction limit is actually decided at market level and controlled by the terminal, not the Issuer/payment device. Strictly implementing this requirement would require significant changes.

EMVCo is also concerned that, in practice, the requirement relative to the cumulative amount not exceeding 150 EUR will not be possible to implement without significant industry change and the massive replacement of most existing cards, particularly because:

• The use of cumulative counters varies depending on the implementation of the payment device payment application but, usually, cumulative counters are used to decide that the transaction needs to be authorized on-line but not to decide which type of CVM needs to be requested
• Of the existence of multiple currencies in the EEA (and outside Europe, should the requirement apply outside of Europe), which makes it impossible for a payment device to handle all the necessary currency conversions
• Of the existence of potentially multiple payment devices (e.g. a card and a mobile) for a consumer/account, particularly given the existence of off-line environments, unless it is clarified that the 150€ limit has to be controlled for each payment device.

Therefore, it is requested that the requirement related to cumulative amounts is removed from the RTS. Controlling the risk with the conjunction of individual transaction value and existing controls is felt to be sufficient.

We understand from the Public Hearing that the responsibility for SCA lies solely with the PSPs. However, in some models, the SCA is actually performed under control of an intermediary and the PSPs simply rely on the result of the authentication. Can we assume that the SCA processing by a third-party service provider is a valid option?



Finally, with regards to article 8.2 (a), EMVCo believes that the concept of white list of trusted beneficiaries, currently available only for credit transfers, should also be extended to card payments.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

EMVCo is of the view that the PSPs should always be entitled to require a SCA for risk-management reasons. For instance, a PSP would want to request a SCA the first time it sees a new card and new device combination to verify/validate the authenticity of the transaction.

Furthermore, prohibiting the SCA in some models would not be possible. For instance, a consumer transacting with a mobile having a biometric reader.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

Please confirm that this section does not apply to face-to-face payments, because Article 17-1 could imply that it does.
It is important to note that the EMV technology (including upcoming Next Generation specification) does not support the option for a payment device (e.g. card or mobile) to authenticate the Payee’s acceptance device (e.g. POS terminal). What is supported is the capability for the Payee’s acceptance device to authenticate the payment device as being genuine.
In EMV the card does not authenticate the terminal. Such functionality is not needed from a payments security perspective, as it is operationally impractical and can be easily circumvented by criminals (i.e. high pain low gain). Prevention of e-pickpocketing and PIN-probing via the contactless interface of a card or mobile phone can be achieved without attempting prevention in EMV.
Should the need to implement such requirement be confirmed, this would imply a major overhaul of the EMV technology that would cause a global replacement of existing terminals and cards.
The EMV success story in the face-to-face environment over the last 15 years has demonstrated that this massive cost would be superfluous.

Please select which category best describes you and/or your organisation

Other

If you selected "Other", please provide details

EMVCo is the global technical body that facilitates the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes.

Please select which category best describes the services provided by you/your organisation

Other

If you selected "Other", please provide details

Global technical specifications and related test processes

Name of organisation

EMVCo LLC