Response to discussion on RTS on strong customer authentication and secure communication under PSD2


14. Can you indicate the segment of the payment chain in which risks to the confidentiality and integrity of users’ personalised security credentials are most likely to occur at present and in the foreseeable future?

Context
• Current banking solutions limit the use of PSCs to the specific bank where the PSU holds an account and has enrolled in the service.
• The banks consistently reiterate the message that authentication credentials will only be requested by them through specified channels. This is part of a consistent anti-phishing message.
• The current systems have been tested and improved to mitigate risks and typically use 2-factor authentication.
Possible risks associated with the RTS
• It appears that under the RTS, PSCs issued by the Bank / ASPSP may be recorded by the AIS/PIS, as referenced in paragraph 28 of the RTS.
• If I am interpreting the RTS correctly, the proposed model will result in a proliferation of entities that the PSU shares its PSCs with. In such an environment, it will not be possible to maintain the discipline of not sharing PSCs with any entity outside of the issuer of the PSC. Therefore, the risk of phishing will increase significantly, as it will become normal to share PSCs with a broad range of entities.
• In addition, the number of entities with sight of PSU credentials will increase significantly. As such, there will be a reliance on the security controls of a much greater number of entities to protect PSU credentials. The risk is increased further as some of these entities will be young, small organisations that are not experienced in this field.
Proposed solution
• Given that Banks / ASPSPs currently have strong authentication mechanisms in place, an architecture that allows the PSU to authenticate with the Bank / ASPSP as part of the payment process, without the need to share any PSC with the PIS provider, would be beneficial.
• For example:
o The PSU logs into an airline website.
o The airline is a licensed PIS provider.
o The PSU selects to buy a ticket for €100.
o The airline opens a secure channel to the ASPSP from which the funds will be drawn and requests that the ASPSP authenticate the PSU and approve a payment of €100.
o This would be a direct communication between the PSU and the ASPSP.
o The ASPSP would approve the transaction with the PIS.
• In such a model the PSC is never accessible to the PIS provider. The PIS merely opens a secure channel to the ASPSP and requests authorisation.
• In addition to reducing the risk to the PSC, this model would allow the use of current two-factor authentication methods, thereby reducing the time to deliver solutions and the cost associated with new technology.
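The flow proposed above, as an added illustration that is not part of the response and not any bank's, PIS provider's or the RTS's actual design: a Python simulation in which the PIS lodges a payment request over a channel to the ASPSP, the PSU authenticates directly with the ASPSP using a password plus a one-time code, and the PIS only ever receives an opaque, single-use authorisation reference that the ASPSP has bound to that one request (payee, amount, currency). The class names, the HMAC-based one-time code, the sample user and all values are constructed assumptions; the point shown is that the PSC never crosses into the PIS domain and that the reference cannot be reused for a different amount.

```python
"""Constructed simulation of the 'authenticate with the ASPSP, not the PIS' model.

All names, data structures and the two-factor mechanism are illustrative
assumptions, not the RTS's, a bank's or a PIS provider's real design.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class PaymentRequest:
    """What the PIS sends over the secure channel: payee identity and amount, no PSC."""
    pis_id: str
    amount_cents: int
    currency: str
    request_id: str = field(default_factory=lambda: secrets.token_hex(8))


class ASPSP:
    """Account servicing PSP. Holds the PSU's credentials and never discloses them."""

    def __init__(self):
        self._users = {}           # user -> (salt, password_hash, otp_secret)
        self._pending = {}         # request_id -> PaymentRequest lodged by a PIS
        self._authorisations = {}  # auth_ref -> PaymentRequest it is bound to

    def enrol(self, user, password):
        """Enrol a PSU; the OTP secret is provisioned to the PSU's device out of band."""
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        otp_secret = secrets.token_bytes(20)
        self._users[user] = (salt, pw_hash, otp_secret)
        return otp_secret

    def expected_otp(self, user, counter):
        """Constructed HMAC-based one-time code standing in for the bank's existing 2FA."""
        secret = self._users[user][2]
        mac = hmac.new(secret, counter.to_bytes(8, "big"), "sha256").digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def open_payment_channel(self, req):
        """Step 1: the PIS lodges the request; only the request id goes back to it."""
        self._pending[req.request_id] = req
        return req.request_id

    def authenticate_and_approve(self, request_id, user, password, otp, counter):
        """Step 2: direct PSU <-> ASPSP authentication; returns an opaque reference or None."""
        req = self._pending.get(request_id)
        salt, pw_hash, _ = self._users.get(user, (None, None, None))
        if req is None or salt is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, pw_hash):
            return None
        if not hmac.compare_digest(otp, self.expected_otp(user, counter)):
            return None
        auth_ref = secrets.token_urlsafe(24)
        self._authorisations[auth_ref] = req   # bound to this exact request
        del self._pending[request_id]          # one authorisation per lodged request
        return auth_ref

    def verify_authorisation(self, auth_ref, pis_id, amount_cents, currency):
        """Step 3: the PIS presents the reference; it is single-use and must match the request."""
        req = self._authorisations.pop(auth_ref, None)
        if req is None:
            return False
        return (req.pis_id, req.amount_cents, req.currency) == (pis_id, amount_cents, currency)


class PIS:
    """Payment initiation provider (the airline). Records every value it ever receives."""

    def __init__(self, pis_id, aspsp):
        self.pis_id = pis_id
        self.aspsp = aspsp
        self.received = []  # everything that crosses into the PIS domain

    def initiate(self, amount_cents, currency):
        req = PaymentRequest(self.pis_id, amount_cents, currency)
        self.received.append(self.aspsp.open_payment_channel(req))
        return req

    def complete(self, auth_ref, req):
        self.received.append(auth_ref)
        return self.aspsp.verify_authorisation(auth_ref, self.pis_id, req.amount_cents, req.currency)


def run_flow(password="correct horse", otp_valid=True, tamper_amount=False):
    """Drive the airline example end to end; report the outcome and what the PIS saw."""
    aspsp = ASPSP()
    aspsp.enrol("alice", "correct horse")       # constructed sample PSU
    airline = PIS("airline-pis", aspsp)
    req = airline.initiate(10_000, "EUR")        # the €100 ticket
    counter = 1
    real_otp = aspsp.expected_otp("alice", counter)   # what the PSU's device would display
    otp = real_otp if otp_valid else f"{(int(real_otp) + 1) % 1_000_000:06d}"
    # The PSU enters password + OTP on the ASPSP's own channel, never on the airline's page.
    auth_ref = aspsp.authenticate_and_approve(req.request_id, "alice", password, otp, counter)
    approved = False
    if auth_ref is not None:
        if tamper_amount:   # a PIS trying to charge €200 against a €100 authorisation
            req = PaymentRequest(req.pis_id, 20_000, req.currency, req.request_id)
        approved = airline.complete(auth_ref, req)
    pis_saw_psc = any(v in ("correct horse", real_otp) for v in airline.received)
    return {"approved": approved, "pis_saw_psc": pis_saw_psc}
```

`run_flow()` reports an approved payment with `pis_saw_psc` false; a wrong password, a wrong one-time code, or an amount changed after authorisation each yields a refusal, because the ASPSP keeps the binding between the reference and the lodged request on its own side rather than trusting anything the PIS sends back.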

Name of organisation

Mazars

Please select which category best describes you and/or your organisation.

Other

If you selected ‘Other’, please provide details

Professional Services

Please select which category best describes you and/or your organisation.

Other

If you selected ‘Other’, please provide details

Advisory