Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
It is important to clarify that a unique identification ticket used in PKI solutions, such as mobile identification based on a security module on a SIM card, fulfils the requirement of a code that is accepted only once. It is essential to link the requirements to the eIDAS Regulation so that eIDAS Level of Assurance 3 (substantial) always fulfils the criteria for SCA according to Articles 97 and 98 of PSD2.
Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.
We support the EBA's reasoning in Article 2.2 of the proposed delegated regulation.
Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
NA
Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?
There is an evident need for exemptions from SCA in order to guarantee that there is a possibility to use one-click payments for low-value transactions. It is of the greatest importance that the threshold values are applied in a coherent manner. In the proposal, there are different limits for contactless payments and electronic payments. The limits proposed in Article 8.2 point (d) should be the same as in paragraph 1 point (b), i.e. 50 euros and 150 euros, or, alternatively, the same as used in PSD2 Article 42, including the option to double the amounts for national payments. This would bring coherence to the regulatory environment. It can also be confusing to users of payment services to have a great number of differing threshold values.
Additionally, payments for voice-based services that exceed the limits referred to in Article 3 of PSD2, point (l), are in the scope of the SCA requirement according to Article 97 of PSD2. It is very challenging to incorporate SCA into voice-based services as it would seriously compromise user experience.
It should be kept in mind that a substantial share of electronic payments are carried out via mobile phones. According to EU and national telecoms regulations and practice, users of mobile phones have a duty of care to protect their devices with PIN codes in order to avoid unauthorised usage. Due to this practice, a lost mobile phone is not as likely to be used for unauthorised payments as a lost credit card allowing contactless payments.