Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2

Go back

Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

Yes we agree. In Germany there are two communication standards for the handling of bulk-transactions called EBICS and FileAct. We assume that the RTS also apllies to EBICS and to FileAct.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

Yes, we agree.

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?

No, we are not aware of other threats.

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

White list.
The white list can lead to disadvantages for small merchants as compared to big merchants like amazon. In the three corner model (e.g. Paypal) it is possibke to put all the merchants who are connected to the PSP on the white list. In such a case we have no level playing field as compared to the banks connected in a four corner model. A problem could also be a white list which is presented by the payers bank and which can be accepted by the payer. This can disadvantage to those merchants who are not on a that list. It would be helpful if such a list would also include bouderies for each paypee.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

Instant Payments is a new payment instrument which will be launched in November 2017. Instant Payments will be available 24/7 and the amount is made available to the payee within a few seconds. The project is forced by the ERPB and the ECB. In contrast to payment instruments used today at the POS and in e-commerce, Instant Payments is a push procedure. When using Instant Payments the bank of the payee does not know if the payment was inittiated at the POS or via e-commerce - but there are different bounderies for the POS (50 EUR) and e-commerce (10 EUR). This does not make sense at all.

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?

Yes, we agree but we see an advantage in clarifying definitions to relevant terms.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

The technical specification of the communication interface is made available for free and publicly on the website. It is important that the documentation is available in english. Instant Payments is a new payment instrument which will be launched in November 2017. Instant Payments will be available 24/7 and the amount is made available to the payee within a few seconds. The project is forced by the ERPB and the ECB. In contrast to payment instruments used today at the POS and in e-commerce, Instant Payments is a push procedure. When using Instant Payment at the POS there is no acceptance device needed. The information that the amount is available is given by the payees bank to the payee.

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

The industry standard ISO 20022 should be used

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services ?

A qualified certificate for website authentication is sufficient

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieve an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.

The frequency of two times a day is sufficient. Starting the App of the AISP should be interpretated as PSU request.

Please select which category best describes you and/or your organisation

[IT services provider "]"

Please select which category best describes the services provided by you/your organisation

[Execution of payment transactions"]"

Name of organisation

van den Berg AG