Response to discussion on RTS on strong customer authentication and secure communication under PSD2


1. With respect to Article 97(1) (c), are there any additional examples of transactions or actions implying a risk of payment fraud or other abuses that would need to be considered for the RTS? If so, please give details and explain the risks involved.

Boursorama supports this open formulation of article 91(1)(c). There seems to be no need to add further examples of transactions or actions implying a risk of payment fraud or other abuses to the forthcoming RTS.

However, if the action carried out is simply accessing one's payment account online, it should not be treated as carrying a risk of payment fraud, and therefore strong customer authentication (SCA) should not be required. Boursorama considers it more acceptable to hide sensitive customer data than to require SCA systematically for online access to the payment account.

2. Which examples of possession elements do you consider as appropriate to be used in the context of strong customer authentication, must these have a physical form or can they be data? If so, can you provide details on how it can be ensured that these data can only be controlled by the PSU?

Many devices can be considered possession elements: mobile phones, tablets, computers, electronic watches, etc.

Data linked to a physical device can also be considered as meeting the definition of the possession element required by strong authentication, provided the following conditions are fulfilled:
The enrolment procedure is secured;
The data cannot be copied to another device without the agreement of the user (the owner of the data).

Once data on a device is considered a possession element, that status can be transferred to another device, e.g. by entering on a computer or other medium a login (knowledge) plus an OTP (one-time password) received by phone (possession), which allows the computer or medium to acquire the status of possession element.

The customer experience must stay as simple as possible.

3. Do you consider that in the context of “inherence” elements, behaviour-based characteristics are appropriate to be used in the context of strong customer authentication? If so, can you specify under which conditions?

The expression "behaviour-based characteristics" should be defined by the EBA.

If this notion includes behavioural characteristics (behavioural biometrics such as keystroke dynamics or mouse usage), it could be accepted, but only in addition to the ID/password and SMS OTP, not as an inherence element in itself.

As of today, scoring based solely on connection or purchase habits is not sufficient as an "inherence" element for performing strong customer authentication (SCA).

Boursorama believes that, as of today, "knowledge" (such as a password) is easier to use than "inherence" elements such as pure biometrics. To date, it is not desirable to promote behaviour-based biometrics in strong authentication.

In France, the personal data protection authority (CNIL) requires, for the use of behaviour-based characteristic tools, that (i) a long period of testing be conducted before use and (ii) a formal authorisation from the authority be granted before the tool is put into use.

4. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to the independence of the authentication elements used (e.g. for mobile devices)?

There is no specific challenge with respect to the independence of the knowledge element and the mobile device. The SMS is not kept on the device (mobile phone), and the compromise of this element (the SMS) does not imply the compromise of the other element (the mobile phone). The SMS therefore needs to be considered as able to participate in strong authentication.

The enrolment procedure for the SMS channel is important, as the SMS proves that the client is using a device registered with the bank.

5. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to dynamic linking?

Dynamic linking means linking each SMS OTP to the corresponding operation (a connection from a given terminal, a given transfer, etc.) and tracing each OTP. This would imply upgrades and developments to existing systems to create (i) a one-to-one link between the OTP and the operation and (ii) traceability over time of these OTP/operation links.

To simplify, Boursorama considers that "dynamic linking" could be treated as information given to the client as a reference for the operation.

For users, we consider that the 3DS process existing for payment cards already provides this dynamic linking: today a dynamic code issued by the ASPSP (Account Servicing Payment Service Provider) is sent to the PSU (Payment Service User), who enters it to finalise the payment knowing the amount and beneficiary, and hence validates the true amount and beneficiary.

A similar process is currently used to finalise SCT payments: if the payment is considered sensitive, a dynamic code issued by the ASPSP is sent to the PSU, who enters it to finalise the payment and thereby validates the true amount and beneficiary.

In both cases, this could be considered the relevant information given to the payer on the specific transaction.
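As an added illustration, not part of Boursorama's response, the following Python sketch shows one way an ASPSP could implement the dynamic linking described above: the code sent to the PSU is a truncated HMAC over the amount and beneficiary plus a per-challenge identifier, so it is only valid for that exact operation, and the challenge log provides the OTP/operation traceability the answer mentions. The server key, the 5-minute validity window and the in-memory challenge store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed server-side key for this example; a real ASPSP keeps it in an HSM.
SERVER_KEY = secrets.token_bytes(32)
OTP_TTL_SECONDS = 300  # assumed validity window for a dynamic code

# Challenge log: one record per issued OTP, tying each code to exactly one
# amount and beneficiary. This is the OTP/operation traceability in the text.
challenge_log: Dict[str, dict] = {}


def _operation_bytes(amount_cents: int, beneficiary_iban: str) -> bytes:
    """Canonical encoding so equivalent inputs bind to the same code."""
    return f"{amount_cents}|{beneficiary_iban.replace(' ', '').upper()}".encode()


def _compute_code(challenge_id: str, amount_cents: int, beneficiary_iban: str) -> str:
    """6-digit code = truncated HMAC over (operation, challenge id), as in RFC 4226."""
    msg = _operation_bytes(amount_cents, beneficiary_iban) + b"|" + challenge_id.encode()
    mac = hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def issue_otp(amount_cents: int, beneficiary_iban: str,
              now: Optional[float] = None) -> Tuple[str, str]:
    """Register a challenge for this operation; return (challenge_id, otp) to send by SMS."""
    challenge_id = secrets.token_hex(8)
    challenge_log[challenge_id] = {"amount": amount_cents, "iban": beneficiary_iban,
                                   "issued": time.time() if now is None else now,
                                   "used": False}
    return challenge_id, _compute_code(challenge_id, amount_cents, beneficiary_iban)


def verify_otp(challenge_id: str, amount_cents: int, beneficiary_iban: str,
               submitted: str, now: Optional[float] = None) -> bool:
    """Accept once, within the TTL, and only for the operation actually being executed."""
    rec = challenge_log.get(challenge_id)
    now = time.time() if now is None else now
    if rec is None or rec["used"] or now - rec["issued"] > OTP_TTL_SECONDS:
        return False
    # Recompute from the transaction being executed: a code obtained for one
    # amount/beneficiary cannot authorise a modified one.
    expected = _compute_code(challenge_id, amount_cents, beneficiary_iban)
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    rec["used"] = True
    return True
```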

6. In your view, which solutions for mobile devices fulfil both the objective of independence and dynamic linking already today?

Cf. question 4.

7. Do you consider the clarifications suggested regarding the potential exemptions to strong customer authentication, to be useful?

The EBA clarifications are useful and Boursorama agrees with them, as these exemptions to strong authentication must be applied automatically to all banks.

However, regarding paragraph 42(d) of the exemptions, banks must remain free to suspend the exemptions to strong authentication for a short period if fraud is detected (an unusual operation for a client, a high operation amount, etc.).

Boursorama considers that the definition of the notion of "sensitive data" is very wide, and that examples or types of data should be defined. Boursorama considers it more acceptable to hide sensitive customer data than to require SCA systematically for online access to the payment account.

8. Are there any other factors the EBA should consider when deciding on the exemptions applicable to the forthcoming regulatory technical standards?

Boursorama believes that the time factor (validity period of the SCA) must be taken into consideration for determining new exemptions.

When strong authentication has been performed for one operation, it could be appropriate not to require it again for a certain time (for example, for the duration of the session), even if in theory strong authentication is necessary for each new payment operation.

Also, when possession has been transferred to a device via strong authentication, it may be sufficient to re-apply only one authentication element for a time limit of 1 year.

The EBA could then take into account a new factor, which would be the period of validity of the strong authentication.

The existing interbank protocols (SWIFT, EBICS, etc.) have to be considered as exemptions under PSD2.

9. Are there any other criteria or circumstances which the EBA should consider with respect to transaction risks analysis as a complement or alternative to the criteria identified in paragraph 45?

The EBA could take into account the number of transactions, the number of connections, the maximum payment amount, etc.

Risks are higher for instant credit transfers than for deferred credit transfers.

Boursorama recommends also considering compromised devices (for instance a jailbroken or rooted device) as a complement to the risks set forth in paragraph 45.

10. Do you consider the clarification suggested regarding the protection of users personalised security credentials to be useful?

Security of personalised credentials is central for payment service providers.

The suggested clarification regarding the protection of users' personalised security credentials is appropriate. Indeed, it is very important that security measures be proportionate to the risks.

Boursorama is not in favour of standardising the communication channels and hosting sites through which personalised credentials transit. Only server access must be secured, not the servers themselves.

Boursorama believes it is not useful to create a new independent authority for local supervision; our existing banking authorities already play this role (the ACPR in France). There should also be an annual evaluation to ensure a good level of confidence in the overall system. The security requirements currently applying to ASPSPs have to apply equally to TPPs (risk assessment, incident monitoring, safeguard processes, etc.; cf. the EBA guidelines on the security of internet payments).

11. What other risks with regard to the protection of users’ personalised security credentials do you identify?

Major risks are detailed by the EBA.

12. Have you identified innovative solutions for the enrolment process that the EBA should consider which guarantee the confidentiality, integrity and secure transmission (e.g. physical or electronic delivery) of the users’ personalised security credentials?

Open standards currently available on the market, such as HTTPS or a value-added messaging system, could be used.

In terms of security, the enrolment process is key.

13. Can you identify alternatives to certification or evaluation by third parties of technical components or devices hosting payment solutions, to ensure that communication channels and technical components hosting, providing access to or transmitting the personalised security credential are sufficiently resistant to tampering and unauthorized access?

Boursorama does not identify alternatives to evaluation by TPPs of payment solution components or mobile devices.

Only server access must be secured, not the servers themselves.

14. Can you indicate the segment of the payment chain in which risks to the confidentiality, integrity of users’ personalised security credentials are most likely to occur at present and in the foreseeable future?

The segment of the payment chain in which risks to the confidentiality and integrity of users' personalised security credentials are most likely to occur is the point at which the TPP enters the payment chain.

15. For each of the topics identified under paragraph 63 above (a to f), do you consider the clarifications provided to be comprehensive and suitable? If not, why not?

The clarifications of the EBA are comprehensive.

However, Boursorama is not in favour of standardising the communication channels. Boursorama is not in favour of (a), (b), (c) and (d), but remains in favour of security controls by the local banking regulator.

16. For each agreed clarification suggested above on which you agree, what should they contain in your view in order to achieve an appropriate balance between harmonisation, innovation while preventing too divergent practical implementations by ASPSPs of the future requirements?

ASPSPs expect a governance framework that provides a forum for the actors to exchange views and implement PSD2 in a harmonised way.

17. In your opinion, is there any standards (existing or in development) outlining aspects that could be common and open, which would be especially suitable for the purpose of ensuring secure communications as well as for the appropriate identification of PSPs taking into consideration the privacy dimension?

Open standards currently available on the market, such as HTTPS or a value-added messaging system, could be used.

19. Do you agree that the e-IDAS regulation could be considered as a possible solution for facilitating the strong customer authentication, protecting the confidentiality and the integrity of the payment service users’ personalised security credentials as well as for common and secure open standards of communication for the purpose of identification, authentication, notification, and information? If yes, please explain how. If no, please explain why.

As the e-IDAS regulation specifies principles and requirements regarding identity and authentication levels, it could represent an opportunity for European customers to benefit from harmonised principles of identification and authentication all over Europe:

It may be appropriate to use some of the definitions offered by e-IDAS for strong authentication.

20. Do you think in particular that the use of “qualified trust services” under e-IDAS regulation could address the risks related to the confidentiality, integrity and availability of PSCs between AIS, PIS providers and ASPSPs? If yes, please identify which services and explain how. If no, please explain why.

Boursorama does not consider it necessary to standardise or label payment services as qualified trust services.

A service that is not qualified as a "trust service" may nevertheless be very reliable and trustworthy. Recurrent security checks seem more appropriate. Furthermore, the definitions of "strong authentication" and "high authentication", which seem to address the same purpose, should be clarified.

Name of organisation

BOURSORAMA

Please select which category best describes you and/or your organisation.

Credit institution

Please select which category best describes you and/or your organisation.

Other

If you selected "Other", please provide details

All categories