Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
ACCIS supports the EBA's reasoning on the need to strengthen customer authentication and sees the proposed Regulatory Technical Standards (RTS) as an important step forward to enhance the security of payment services. However, certain categories in Chapter 1 of the RTS should be further clarified and better defined. In particular, clearer definitions of what constitutes "biometric sensor and template protection systems", "sensitive payment data" and "spending behavioural patterns" should be provided. ACCIS strongly believes that, given the sensitivity of such data, it is important to ensure that such data are used to the minimum extent necessary for the provision of payment services and are not used for any purposes other than payment services.

In addition, a wider number of customer authentication techniques than provided in Chapter 1 of the RTS should be encouraged, as with the fast pace of technological development, relying on a limited number of authentication techniques set in the regulation will not be robust. ACCIS notes that there is an assumption that the authentication mechanisms used by payment service providers will typically be the minimum needed to comply; this unfortunately means that, should a compromise of one or more credentials happen, there is no simple way to re-authenticate the payment service user using other means. ACCIS suggests that the RTS be enhanced to strongly recommend that more than the minimum number of authentication methods be issued or enrolled, so that it is possible to more strongly authenticate a customer if compromise is suspected. This will also mean that it will be possible for payment service users to be authenticated when one or more methods is unavailable, for example using a mobile app technique in the absence of a data connection, or a video method in low light conditions.
Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
As mentioned in our response to Q1 of the consultation, ACCIS strongly believes that using a wider number of authentication techniques than provided in Chapter 1 of the RTS should be encouraged. With a limited number of authentication techniques there is a risk that, with some of a payment service user's credentials being compromised, it will be difficult for payment service providers to re-authenticate the payment service user.
Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?
ACCIS is supportive of using standards such as the ISO 20022 data dictionary for specifying fields transferred via APIs. This standardisation is essential to ensure that payments data is treated in the same manner from end to end, supporting the PSD and PSD2 goals of data integrity and efficiency. ACCIS notes that it is forecast that line-of-business applications will start to standardise on ISO 20022 for their storage of data, in support of the use of such data for payment initiation in XML messages. By using ISO 20022, which is already used for over 35 billion SEPA payments per annum and for which cards and immediate payments messages are being developed, the data is held at rest in the same format as when it is communicated between payment service providers and to third party providers. Nevertheless, ACCIS recommends that the data definitions in ISO 20022 are those used in defining the APIs for PISPs and AISPs. This will:
1) avoid excessive costs for payment stakeholders, and
2) be agnostic as to what technology is used to implement the AISP/PISP access.