Boursorama supports this open formulation of article 91 (1)(c). There seems to be no need to add, in the forthcoming RTS, examples of transactions or actions implying a risk of payment fraud or other abuses.

However, if the action carried out is simply accessing one's payment account online, it should not in itself imply a risk of payment fraud, and therefore strong customer authentication (SCA) should not be required. Boursorama considers it more acceptable to mask sensitive customer data than to require SCA systematically for online access to the payment account.
Many devices can be considered as possession elements: mobile phones, tablets, computers, smartwatches, etc.

Data bound to a physical device can also be considered to meet the definition of the possession element required by strong authentication, provided that the following conditions are fulfilled:
The enrolment procedure is secured;
The data cannot be copied to another device without the agreement of the user (the owner of the data).

When the data/device is considered a possession element, that status can be transferred to another device, e.g. by entering on a computer (or other medium) a login and password (knowledge) plus a one-time password (OTP) received by phone (possession), which allows the computer or medium to obtain possession status in turn.
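The transfer of possession described above, as an added worked example (not Boursorama's or the EBA's code, and not a description of any bank's system): a new computer is enrolled by presenting the password (knowledge) together with an OTP sent to the phone already registered with the bank (possession); the bank then provisions a device-bound secret that the computer uses to prove possession on later logins. All names are hypothetical, the SMS gateway and the server-side store are simulated in memory, and the example assumes the provisioned secret is held in the device's keystore so that it cannot be copied to another device without the user's consent (the second condition above is a property of the device, not of this code).

```python
"""Transferring possession status to a new device via knowledge + SMS OTP.

Added illustration with hypothetical names; the SMS channel and the bank's
store are simulated in memory. Assumption: on a real device the enrolled
secret lives in a keystore / secure element (non-exportable).
"""
import hashlib
import hmac
import os
import secrets
import time

OTP_TTL_SECONDS = 300          # assumed validity window of an SMS OTP


class Bank:
    def __init__(self):
        self.users = {}          # login -> {"salt", "pw_hash", "phone"}
        self.devices = {}        # device_id -> {"login", "secret"}
        self.pending_otps = {}   # login -> (otp, expires_at, purpose)
        self.sent_sms = []       # simulated SMS gateway outbox: (phone, otp)

    # --- knowledge element: password, stored as a salted PBKDF2 hash ------
    @staticmethod
    def _pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, login, password, phone):
        salt = os.urandom(16)
        self.users[login] = {"salt": salt, "pw_hash": self._pw(password, salt),
                             "phone": phone}

    def check_password(self, login, password):
        u = self.users.get(login)
        if u is None:
            return False
        return hmac.compare_digest(u["pw_hash"], self._pw(password, u["salt"]))

    # --- possession element already held: the phone registered at the bank
    def send_otp(self, login, purpose):
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending_otps[login] = (otp, time.time() + OTP_TTL_SECONDS, purpose)
        self.sent_sms.append((self.users[login]["phone"], otp))
        return otp   # returned only so the simulation can type it back in

    def consume_otp(self, login, otp, purpose):
        # Single use, single attempt: the OTP is discarded whatever the outcome.
        entry = self.pending_otps.pop(login, None)
        if entry is None:
            return False
        expected, expires_at, expected_purpose = entry
        return (time.time() <= expires_at
                and expected_purpose == purpose
                and hmac.compare_digest(expected, otp))

    # --- enrolment: the computer obtains possession status -----------------
    def enrol_device(self, login, password, otp, device_id):
        if not self.check_password(login, password):
            return None
        if not self.consume_otp(login, otp, "enrol:" + device_id):
            return None
        secret = os.urandom(32)
        self.devices[device_id] = {"login": login, "secret": secret}
        return secret   # provisioned once into the device keystore (assumed)

    # --- later logins: the device answers a challenge with its bound secret
    def challenge(self):
        return os.urandom(16)

    def verify_device(self, device_id, login, challenge, response):
        d = self.devices.get(device_id)
        if d is None or d["login"] != login:
            return False
        expected = hmac.new(d["secret"], challenge, "sha256").digest()
        return hmac.compare_digest(expected, response)


def device_sign(secret, challenge):
    """What the enrolled device computes from its keystore-held secret."""
    return hmac.new(secret, challenge, "sha256").digest()


def demo():
    bank = Bank()
    bank.register_user("alice", "correct horse", "+33600000000")  # constructed data
    # Enrolment of the laptop: knowledge (password) + possession (OTP on the phone)
    otp = bank.send_otp("alice", "enrol:laptop-1")
    secret = bank.enrol_device("alice", "correct horse", otp, "laptop-1")
    # The same OTP cannot be replayed to enrol an attacker's machine
    stolen = bank.enrol_device("alice", "correct horse", otp, "attacker-pc")
    # Subsequent login: the laptop now proves possession with its bound secret
    ch = bank.challenge()
    laptop_ok = bank.verify_device("laptop-1", "alice", ch, device_sign(secret, ch))
    other_ok = bank.verify_device("attacker-pc", "alice", ch, device_sign(secret, ch))
    return secret is not None, stolen is None, laptop_ok, other_ok


if __name__ == "__main__":
    print(demo())   # (True, True, True, False)
```

The OTP is tied to a purpose string that names the device being enrolled, so a code issued for one enrolment cannot be diverted to another, and it is consumed on first use, so the phone is genuinely needed once per device.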

The customer experience must stay as simple as possible.
The expression « behaviour-based characteristics » should be defined by the EBA.

If this notion includes behavioural characteristics (behavioural biometrics such as keystroke dynamics, mouse usage, etc.), it could be accepted, but only in addition to the ID/password and SMS OTP, not as an inherence element in itself.

As of today, scoring based solely on connection or purchase habits is not sufficient to qualify as an "inherence" element for performing strong customer authentication (SCA).

Boursorama believes that, as of today, "knowledge" elements (such as a password) are easier to use than "inherence" elements such as pure biometrics. To date, it is not desirable to promote behaviour-based biometrics in strong authentication.

In France, the personal data authority (CNIL) requires, for the use of behaviour-based characteristic tools, that (i) a long period of testing be conducted before use and (ii) formal authorisation from the authority be granted before the tool is put into use.
There is no specific challenge with respect to the independence of the knowledge element and the mobile device. The SMS is not kept on the device (mobile phone), and compromise of this element (the SMS) does not imply compromise of the other element (the mobile phone). The SMS therefore needs to be considered as able to participate in a strong authentication.

The enrolment procedure for the SMS channel is important, as the SMS proves that the client is using a device registered with the bank.
Dynamic linking requires binding each SMS OTP to the corresponding operation (connection from a given terminal, a given transfer, etc.) and tracing each OTP. This would imply upgrades and developments of existing systems to create (i) a one-to-one binding between the OTP and the operation and (ii) traceability of these OTP/operation links over time.

To simplify, Boursorama estimates that "dynamic linking" could be considered as information given to the client as a reference for the operation.

For users, we consider that the 3DS process existing for payment cards already provides this dynamic linking: today a dynamic code issued by the ASPSP (Account Servicing Payment Service Provider) is sent to the PSU (Payment Service User), who enters it to finalise his/her payment knowing the amount and beneficiary, and hence validates the true amount and beneficiary.

A similar process is currently used to finalise SCT (SEPA Credit Transfer) payments: if the payment is considered sensitive, a dynamic code issued by the ASPSP is sent to the PSU, who enters it to finalise the payment, thereby validating the true amount and beneficiary.

In both cases, this could be considered as the relevant information given to the payer on the specific transaction.
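The two properties asked for above, a one-to-one binding between the OTP and the operation and a traceable record of that link, as an added worked example (not Boursorama's, the EBA's, or any 3DS or SCT implementation's code): each code is derived by HMAC from a per-customer key (an assumption) over the amount, the beneficiary and a fresh nonce, so a code issued for one transfer only validates that transfer; the SMS text states what the code confirms, as the 3DS and SCT flows above do; and every issue, confirmation and rejection is appended to an audit trail. The example goes slightly beyond the text by also rejecting replay of a consumed code and showing a tampered amount or beneficiary failing verification. Names are hypothetical and the SMS channel is simulated.

```python
"""Dynamic linking of a transaction OTP to amount and beneficiary, with audit trail.

Added illustration with hypothetical names. Assumption: the bank holds a
secret HMAC key per customer; the SMS channel is simulated as a list.
"""
import hashlib
import hmac
import json
import secrets
import time
from decimal import Decimal

OTP_DIGITS = 6
OTP_TTL = 300   # seconds a code stays valid (assumed policy)


def canonical(op):
    """Stable serialisation of exactly the fields the code is bound to."""
    amount = format(Decimal(op["amount"]).quantize(Decimal("0.01")), "f")
    beneficiary = "".join(op["beneficiary"].split()).upper()   # IBAN spacing/case
    fields = {"type": op["type"], "amount": amount,
              "beneficiary": beneficiary, "nonce": op["nonce"]}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def derive_otp(key, op):
    mac = hmac.new(key, canonical(op), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**OTP_DIGITS:0{OTP_DIGITS}d}"


class LinkedOtpService:
    def __init__(self, customer_key):
        self.key = customer_key
        self.pending = {}     # nonce -> (operation, expires_at)
        self.audit = []       # (timestamp, nonce, event, operation)
        self.sms_outbox = []  # simulated SMS channel

    def initiate(self, op_type, amount, beneficiary):
        nonce = secrets.token_hex(8)
        op = {"type": op_type, "amount": amount, "beneficiary": beneficiary,
              "nonce": nonce}
        self.pending[nonce] = (op, time.time() + OTP_TTL)
        code = derive_otp(self.key, op)
        # The SMS tells the payer what the code confirms (amount + beneficiary).
        self.sms_outbox.append(
            f"Code {code} to confirm {op_type} of {amount} EUR to {beneficiary}")
        self.audit.append((time.time(), nonce, "issued", op))
        return nonce

    def finalize(self, nonce, amount, beneficiary, code):
        entry = self.pending.pop(nonce, None)   # single use, single attempt
        if entry is None:
            self.audit.append((time.time(), nonce, "rejected:unknown_or_replayed", None))
            return False
        op, expires_at = entry
        # Recompute over what the back-end is about to execute, not over the
        # stored request: a value altered after the SMS went out no longer
        # matches the code the customer received.
        submitted = {"type": op["type"], "amount": amount,
                     "beneficiary": beneficiary, "nonce": nonce}
        ok = (time.time() <= expires_at
              and hmac.compare_digest(derive_otp(self.key, submitted), code))
        self.audit.append((time.time(), nonce,
                           "confirmed" if ok else "rejected:mismatch", submitted))
        return ok


def demo():
    svc = LinkedOtpService(secrets.token_bytes(32))
    iban = "FR76 3000 6000 0112 3456 7890 189"        # constructed sample IBAN
    results = {}
    # 1. honest confirmation with the code read from the SMS
    n1 = svc.initiate("SCT", "150.00", iban)
    code1 = svc.sms_outbox[-1].split()[1]
    results["honest"] = svc.finalize(n1, "150.00", iban, code1)
    # 2. replaying the same code for the same (already executed) operation
    results["replay"] = svc.finalize(n1, "150.00", iban, code1)
    # 3. amount changed after the SMS was sent (e.g. man-in-the-browser)
    n2 = svc.initiate("SCT", "150.00", iban)
    code2 = svc.sms_outbox[-1].split()[1]
    results["tampered_amount"] = svc.finalize(n2, "1500.00", iban, code2)
    # 4. beneficiary swapped for a different account
    n3 = svc.initiate("SCT", "150.00", iban)
    code3 = svc.sms_outbox[-1].split()[1]
    results["tampered_beneficiary"] = svc.finalize(
        n3, "150.00", "DE89 3704 0044 0532 0130 00", code3)
    results["audit_events"] = [event for _, _, event, _ in svc.audit]
    return results


if __name__ == "__main__":
    print(demo())
```

The traceability the text asks for is the `audit` list: each nonce appears once as issued and once as confirmed or rejected, which is what an investigator needs to reconstruct which code authorised which transfer.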
Cf question n°4
The EBA clarifications are useful and Boursorama agrees with them, as these exemptions from strong authentication must be applied uniformly by all banks.

However, regarding §42 (d) of the exemptions, banks must remain free to suspend the exemptions from strong authentication for a short period if fraud is detected (unusual operation by a client, high amount of the operation, etc.).

Boursorama considers that the definition of the notion of "sensitive data" is very wide, and examples or types of data should be defined. Boursorama considers it more acceptable to mask sensitive customer data than to require SCA systematically for online access to the payment account.
Boursorama believes that the time factor (validity period of the SCA) must be taken into consideration when determining new exemptions.

When strong authentication has been performed for one operation, it could be appropriate not to require it again for a certain period (for example, for the duration of the session), even if in theory strong authentication is necessary for each new payment operation.

Also, when possession status is transferred to a device via strong authentication, it may be sufficient to re-apply only one authentication element on that device, for a time limit of one year.

The EBA could then take into account a new factor: the period of validity of the strong authentication.

Existing interbank protocols (SWIFT, EBICS, etc.) have to be considered as exemptions from PSD2.
The EBA could take into account the number of transactions, the number of connections, the maximum payment amount, etc.

Risks are higher for instant credit transfers than for deferred credit transfers.

Boursorama recommends also considering compromised devices (for instance a jailbroken or rooted device) as a complement to the risks set forth in paragraph 45.
Security of personalised security credentials is central for payment service providers.

The suggested clarification regarding the protection of users' personalised security credentials is appropriate. Indeed, it is very important that security measures be proportionate to the risks.

Boursorama is not in favour of standardising the communication channels and hosting sites through which personalised credentials transit. Only server access needs to be secured, not the servers themselves.

Boursorama believes it is not useful to create a new independent authority for local supervision; the existing banking authorities play this role (ACPR in France). There should also be an annual evaluation to ensure a good level of confidence in the overall system. The security requirements currently applying to ASPSPs have to apply equally to TPPs (risk assessment, incident monitoring, safeguard processes, etc.; cf. the EBA guidelines on the security of internet payments).
Major risks are detailed by the EBA.
Open standards currently available on the market, such as HTTPS or a value-added messaging system, could be used.

In terms of security, the enrolment process is key.
Boursorama does not identify alternatives to the evaluation by TPPs of payment solution components or mobile devices.

Only server access needs to be secured, not the servers themselves.
The segment of the payment chain in which risks to the confidentiality and integrity of users' personalised security credentials are most likely to occur is the point at which the TPP enters the payment chain.
The clarifications of the EBA are comprehensive.

However, Boursorama is not in favour of standardising communication channels. Boursorama is unfavourable to options a, b, c and d, but remains in favour of security controls by the local banking regulator.
ASPSPs expect a governance framework that gives the actors a forum to exchange and to implement PSD2 in a harmonised way.
Open standards currently available on the market, such as HTTPS or a value-added messaging system, could be used.
As the eIDAS regulation specifies principles and requirements regarding identity and authentication assurance levels, it could represent an opportunity for European customers to benefit from harmonised principles of identification and authentication across Europe.

It may be appropriate to use some of the definitions offered by eIDAS for strong authentication.
Boursorama does not consider it necessary to standardise or label payment services as qualified trust services.

The fact that a service is not qualified as a "trust service" does not mean it cannot be very reliable and trustworthy. Recurrent security checks seem more appropriate. Furthermore, there should be a clarification of the definitions of "strong authentication" and "high authentication", which seem to address the same purpose.
[Credit institution]
[Other]
all categories
Stéphanie Thiercelin