Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2


Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

YES, WE AGREE

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

YES, AS A GENERAL PRINCIPLE, PROVIDED THAT THE LOGICAL SEQUENCE OF ACTIONS REQUIRES THE “DYNAMIC LINKING” TO BE EXECUTED AT SPECIFIC STEPS OF THE AUTHENTICATION PROCESS
 provide evidence to support the views expressed / rationale proposed;
The “dynamic linking” must be bound to each single payment transaction. It must therefore be executed AFTER the significant details of the transaction (Merchant Name and Id, Total amount) have been presented to the customer and BEFORE the authorization request is executed. This is equivalent to stating that “the authentication procedure will allow the customer to identify the significant payment details before the payment authorization procedure is executed”.
 provide alternative regulatory options for consideration by the EBA.
For on-line transactions the authentication procedure shall allow the customer to identify the significant payment details before the payment authorization procedure is executed; the “dynamic linking” procedure will therefore be executed after the payee has presented the significant payment details (at least Merchant Name and Id, Total amount) to the payer and before the payment authorization procedure is started.
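As an added illustration of the sequence described above (this is example code, not part of the respondent's submission), the following Python snippet models “dynamic linking” as an authentication code computed over the payment details displayed to the payer and recomputed by the PSP before authorization. The shared device key, the field names, the canonical JSON encoding and the sample merchant values are all assumptions made for the example; a real deployment would use the PSP's own scheme with a key held in a secure element or HSM.

```python
import hashlib
import hmac
import json

# Assumption for this example: a secret shared between the payer's authentication
# device and the payer's PSP. Real deployments keep such keys in a secure element
# or HSM; this constant exists only so the example runs stand-alone.
DEVICE_KEY = b"example-device-key-not-for-production"


def canonical(details: dict) -> bytes:
    """Encode the significant payment details in one fixed, unambiguous form.

    Sorted keys and no whitespace guarantee that the payer's device and the PSP
    compute the authentication code over exactly the same bytes.
    """
    return json.dumps(details, sort_keys=True, separators=(",", ":")).encode("utf-8")


def presented_details(merchant_name: str, merchant_id: str,
                      amount_minor: int, currency: str, tx_id: str) -> dict:
    """Step 1: the details the payee shows the payer before authentication.

    The amount is carried in minor units (cents) so that no floating-point
    rounding can make the two parties encode the same price differently.
    The transaction id makes the code specific to this single transaction.
    """
    return {
        "merchant_name": merchant_name,
        "merchant_id": merchant_id,
        "amount_minor": amount_minor,
        "currency": currency,
        "tx_id": tx_id,
    }


def authentication_code(key: bytes, details: dict) -> str:
    """Step 2 (dynamic linking): the payer's device computes an authentication
    code over exactly the details that were displayed.

    HMAC-SHA256 is used here as the linking primitive (an assumption of this
    example); the code is therefore specific to this amount, this payee and
    this transaction.
    """
    return hmac.new(key, canonical(details), hashlib.sha256).hexdigest()


def authorize(key: bytes, submitted_details: dict, code: str) -> bool:
    """Step 3: the PSP recomputes the code over the details carried in the
    authorization request and proceeds only if it matches.

    Any change to amount or payee between display and authorization (for
    instance by malware on the initiating channel) breaks the link and the
    authorization is refused. compare_digest avoids a timing side channel.
    """
    expected = authentication_code(key, submitted_details)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Run the three steps once, plus one constructed tampering attempt."""
    shown = presented_details("Example Shop", "MERCH-0001", 4999, "EUR", "TX-20160001")
    code = authentication_code(DEVICE_KEY, shown)
    honest = authorize(DEVICE_KEY, shown, code)
    # Constructed attack: the amount is changed after the payer authenticated.
    tampered = dict(shown, amount_minor=49990)
    attacked = authorize(DEVICE_KEY, tampered, code)
    return {"honest_authorized": honest, "tampered_authorized": attacked}


if __name__ == "__main__":
    print(demo())
```

The point of the ordering is visible in `authorize`: the code is only meaningful if it was produced over the details the payer actually saw, so computing it before the details are shown (or over different details) gives the PSP nothing to check against the authorization request.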

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?

SOCIAL ENGINEERING AND HUMAN FACTORS SHOULD BE CONSIDERED AS ADDITIONAL THREATS, ALONGSIDE THE TECHNICAL ONES, IN ORDER TO REDUCE THE POSSIBILITY THAT A PAYMENT SERVICE USER “VOLUNTARILY” DISCLOSES HIS/HER OWN PERSONAL CREDENTIALS TO UNAUTHORIZED AGENTS OR SYSTEMS.
 provide evidence to support the views expressed / rationale proposed;
A strong authentication procedure protects the payer (and the payee) from involuntary disclosure of their secrets (secure credentials), but this protection is not complete where a “social engineering” attack is convincing enough to mislead the payer (or the payee) into disclosing his/her own secret (secure credentials) to a third party. Human factors relating to the personnel employed in the processing systems should also be considered in the implementation of the system(s) and in their management.
 provide alternative regulatory options for consideration by the EBA.
Actions should be taken by all processors/entities involved in the strong authentication system(s) to protect their customers from social engineering attacks and to protect their systems from dishonest personnel (insider threats).

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

YES, WE AGREE

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

YES. WE ARE CONCERNED THAT THE CUMULATIVE RISK (SYSTEMIC RISK) FOR THE PAYMENT SYSTEM MAY BE VERY HIGH, WHILE METHODS ALREADY EXIST TO PERFORM STRONG AUTHENTICATION IN A CONTACTLESS ELECTRONIC PAYMENT TRANSACTION EXECUTED WITH A MOBILE DEVICE. MOREOVER, EMERGING TECHNOLOGIES SUCH AS RADIO BEACONS, BLUETOOTH LOW ENERGY, ETC. WILL ALLOW NEW INTERACTION MODELS WHICH WILL BENEFIT FROM THE SECURITY OF STRONGLY AUTHENTICATED PAYMENTS.
 provide evidence to support the views expressed / rationale proposed;
Patent WO2015104387A1 describes a “System and method for communicating credentials” which can be applied to any use case, including on-line and off-line contactless transactions.
 provide alternative regulatory options for consideration by the EBA.
i. SCA will be executed transparently for the Payment Service User and the acceptor for contactless electronic payment transactions of up to and including 25 EUR, on the basis of SCA methods which allow both on-line and off-line payment transaction processing.

ii. SCA will be executed with the participation of the Payment Service User for contactless electronic payment transactions above 25 EUR, on the basis of SCA methods which allow both on-line and off-line payment transaction processing.

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?

YES, WE AGREE, ALTHOUGH THERE MAY EXIST METHODS TO REDUCE THE IMPACT OF BREACHES OF USERS’ PERSONALISED SECURITY CREDENTIALS.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

YES, WE AGREE

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

YES, WE AGREE. THE ONLY CONSTRAINT WILL BE THE LENGTH OF THE MESSAGES, WHICH MAY AFFECT TRANSACTION SPEED AND COMMUNICATION COSTS.

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services ?

GIVEN THE DIFFERENT LEVELS OF TRUST THAT RESULT FROM THE DIFFERENT LEVELS OF PROTECTION OFFERED BY DIFFERENT TYPES OF DEVICES (DUE TO THEIR DIFFERENT HARDWARE COMPUTING CAPABILITIES AND OPERATING SYSTEMS), WE WOULD PROPOSE THE USE OF “SEGREGATED” WEB CERTIFICATES DEPENDING ON THE TYPE OF DEVICE USED.

 provide evidence to support the views expressed / rationale proposed;
The type and complexity of the certificate may differ depending on the computing capabilities of the device; the computing capabilities of computers may be higher than those of tablets or mobile phones.
 provide alternative regulatory options for consideration by the EBA.
Website certificates issued by qualified trust service providers may be of different types and complexity depending on the type of device they are going to reside on.

Please select which category best describes you and/or your organisation

IT services provider

Please select which category best describes the services provided by you/your organisation

Other

If you selected "Other", please provide details

Other Financial Intermediation Services - IT and Authentication Services

Name of organisation

DeBarra Innovations Limited