Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Go back
EuroCommerce believes that a clearer risk based approach is needed which could be applied across all payment channels including Telesales and Direct Debits, however we agree that authentication requirements should be developed in the form of high level principles that can adapt to emerging threats and the development of innovative security solutions.
In our view, TPP’s must be allowed to continue using direct access via the customer facing online interfaces of the banks in order to initiate payments on behalf of consumers. This direct access technology is well established and is already transforming the market, allowing innovation and promoting competition.
Payment security would be ensured as TPP's choosing to issue their own credentials would have to comply with the RTS SCA-requirements themselves.
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
While EuroCommerce agrees with the principles and understands the EBA’s reasoning, EuroCommerce does not support a blanket approach as proposed by the EBA for Strong Customer Authentication (SCA) believing that it risks reducing competition in the market, could materially impact customer convenience and restrict the development of the Digital Single Market.EuroCommerce believes that a clearer risk based approach is needed which could be applied across all payment channels including Telesales and Direct Debits, however we agree that authentication requirements should be developed in the form of high level principles that can adapt to emerging threats and the development of innovative security solutions.
Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.
Yes, EuroCommerce agrees, however questions such as what would happen in situations where a total value has been authorised (single amount) but the order is then split into different amounts as part of the fulfilment ‘charge with despatch’ process. Authentication and authorisation need to be viewed as two separate actions.Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
No commentQuestion 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?
EuroCommerce would rather support a targeted risk based approach, which is less likely to stifle growth and through innovation and experience reduce the levels of fraud. The diversity on the market is too great for a single list of elements and a centralized minimum threshold approach to risk. EuroCommerce would prefer an approach whereby industry best practices are acknowledged.Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?
EuroCommerce is concerned that any rigid framework may not achieve the desired results, for example risks associated with low-value, high risk transactions may not be sufficiently addressed by the EBA approach.Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?
EuroCommerce broadly supports the EBA’s reasoning, however some questions still remain, for example article 9 (c) makes reference to ‘Secret cryptographic material related to the encryption of the credentials is stored in secure and tamper-resistant devices and environments’, how should ‘secure’ and ‘tamper-resistant’ be defined? Could software solutions running in a rich Operating Standard be accepted provided they pass the necessary certification tests?Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?
EuroCommerce fully supports the provisions of PSD II to allow non-bank third-party payment providers (TPPs), including payment initiation services (PIS), to directly access consumers' account information to initiate a payment. This has potential to transform the market, allowing innovation, promoting competition and creating conditions for the best use of new technologies. The final regulatory standards must be amended so as to guarantee the right of direct access of TPP's to consumers' accounts to initiate payments without being made dependent on the very banks with whom they often compete.In our view, TPP’s must be allowed to continue using direct access via the customer facing online interfaces of the banks in order to initiate payments on behalf of consumers. This direct access technology is well established and is already transforming the market, allowing innovation and promoting competition.
Payment security would be ensured as TPP's choosing to issue their own credentials would have to comply with the RTS SCA-requirements themselves.