Response to discussion on RTS on strong customer authentication and secure communication under PSD2
1. With respect to Article 97(1) (c), are there any additional examples of transactions or actions implying a risk of payment fraud or other abuses that would need to be considered for the RTS? If so, please give details and explain the risks involved.
General Remarks (the answer to question 1 follows)
(i) As an introduction, it is important to underline that the revised Payment Services Directive (PSD2) deals with payment instruments in general: no article of the Directive deals specifically with cards or card transactions.
Nevertheless, the Regulatory Technical Standards (RTS), which are perceived as the instrument for the “technical” implementation of PSD2 as far as authentication is concerned, must distinguish between the different payment instruments covered by the Directive and, at a minimum, establish derogations from strong authentication for each of them according to identified levels of risk.
In practice it is extremely difficult, if not impossible, to establish generic rules applicable to all payment instruments. Moreover, the importance of card payments in Europe, both in the number of transactions and in their prominence in the European economy, would justify an approach in which cards are the subject of specific requirements, or at a minimum of explicit derogations applicable only to card payments.
(ii) A key consideration in developing the RTS where card payments are concerned is the distinction which must be made between the security requirements applicable to face-to-face payments and those which are needed for remote (card not present) payments.
- One undeniable reason for this is that for more than 20 years the European card industry has made considerable investments in face-to-face payments through the widespread deployment of the EMV chip and PIN standard, with the result that today’s face-to-face card payments in Europe already meet both the requirement for strong authentication and that for the signature of the transaction data.
- When preparing the future RTS, care must be taken that this major accomplishment is neither compromised nor put in question, either through inadvertence or by insufficient analysis.
(iii) As far as card payments are concerned, the principal objective of implementing strong authentication is the fight against fraud on the Internet.
- It should be noted that since the Internet is global, any approach to this question which is restricted to, or focuses only on, Europe would have a limited impact, unless the Regulator insists, as far as cards are concerned, that authentication solutions be “issuer-only”, i.e. that they depend only on the Payment Service Provider (PSP) and not on the “acquisition domain”.
(iv) The work carried out by the EBA concerning authentication is not only very important but will, without any doubt, have a critical and permanent impact on the field of security, and caution is recommended at this stage, before defining new standards in the area of security, since:
- many means of payment, and the associated solutions and security architectures, are going through a phase of development and innovation which is at this point in time very complex to analyse.
It is felt to be preferable to allow such solutions to become stable and the market to mature before defining new security standards.
- the PSD2 does not define cards as a means of payment, and so the meaning and interpretation of the questions posed by the EBA is very different from the standpoint of card payments or mobile payments than it would be for direct debits or credit transfers.
One example of this conundrum is the question “how should one define personalised security credentials, and what do they represent, when applied to payment cards?”
Such difficulties of interpretation have led to a great deal of uncertainty in preparing replies to some of the questions posed by the EBA, and this uncertainty, illustrated by the above example, is one of the key issues which needs to be addressed and clarified by the EBA when compiling the Regulatory Technical Standards.
REPLY TO QUESTION 1
The answer to this question is clearly yes. For example, card transactions made by “telephone order” should be covered by the RTS since, in most cases, such transactions use the same devices and the same channels as those used for e-commerce.
When compiling the RTS, particular attention should be paid to doing so in such a way as to minimise the risk that “Internet fraud” is displaced to less secure channels such as “telephone order” or “mail order”.
2. Which examples of possession elements do you consider as appropriate to be used in the context of strong customer authentication, must these have a physical form or can they be data? If so, can you provide details on how it can be ensured that these data can only be controlled by the PSU?
Where card payments are concerned, “possession” elements must always have a physical form (for example a card or a smartphone). If such elements were allowed to be simply in the form of data, they would be very difficult for the Payment Service User (PSU) to control, as suggested in point 29 (ii) of the EBA discussion paper.
3. Do you consider that in the context of “inherence” elements, behaviour-based characteristics are appropriate to be used in the context of strong customer authentication? If so, can you specify under which conditions?
Where payment cards are concerned the answer to this question is a resounding yes.
“Inherence” elements based on behavioural patterns must be able to be recognised and used as one of the two factors which characterise strong authentication.
Such elements cannot be sufficient in themselves, but must be associated with another factor (either a “possession” element, something the user has, or a “knowledge” element, something the user knows).
It is essential to define and understand what is meant by “Inherence” elements : they are elements which are specific to an individual (for example biometric data) and /or their habits or environment (for example device fingerprinting).
In cases where the second factor consists only of the individual’s habits and/or environment, the PSP concerned must, from time to time and depending on the level of risk involved, be in a position to implement or request another authentication factor among the three defined in the Directive.
4. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to the independence of the authentication elements used (e.g. for mobile devices)?
The question of the independence of the “possession” element with respect to the other authentication factors is indeed an important issue which must be addressed in the case of a mobile device, where one of the key considerations is the question “does the sole possession of a mobile device allow access to the confidential code stored in the device, reception of a one-time password, or retrieval of biometric data?”
Although the answer to that question is an unqualified yes as far as reception of a one-time password via an SMS message is concerned (e.g. 3D Secure with SMS), it is much more nuanced in the other two situations, depending on the mechanism used to protect the confidential code and on that used to prevent manipulation of the biometric sensor.
More generally, the strength of an authentication mechanism relies not only on the presence of 2 out of 3 authentication factors but on the “characteristic that they are independent”, which remains a somewhat abstract concept.
A more tangible analysis shows that the strength of an authentication process also depends on :
- the way in which the process is implemented,
- the level of security of the mechanisms and processes which are used to protect the cryptographic elements used,
- the difficulty for such a process to be cloned,
- its synchronous or asynchronous nature,
- and so on.
As a direct consequence, a given authentication solution based on two independent factors may in practice be only equivalent in strength to, or even weaker than, another authentication solution which uses only one factor.
- for example, even though it would respect the properties of strong authentication, an authentication process which is based on the association of a software application which is poorly protected in a mobile device and a confidential code which has little protection, would nevertheless be less secure than a mechanism which uses an EMV chip card without a PIN code.
5. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to dynamic linking?
As far as card payments are concerned, none of the solutions currently available for making Internet payments secure (3D Secure with SMS, dynamic virtual card systems, cards with dynamic visual cryptograms, …) allow the transaction data to be signed electronically.
The aim of dynamically linking the transaction data to the user authentication process will de facto exclude the above-mentioned solutions from being recognised as providing strong customer authentication.
The preparation of the RTS should take into account that this would be prejudicial to the overarching objective of reinforcing the security of Internet payments since the above-mentioned solutions have proved to be effective in the fight against e-commerce fraud, and that some of them have been widely deployed and subject to substantial investment.
6. In your view, which solutions for mobile devices fulfil both the objective of independence and dynamic linking already today?
In the domain of Internet payments, none of the solutions using a mobile device deployed today respects both the objective of “independence” and the objective of “dynamic linking of transaction data”.
7. Do you consider the clarifications suggested regarding the potential exemptions to strong customer authentication, to be useful?
Where card payments are concerned, the clarifications proposed in the EBA discussion paper for exemptions to strong authentication are useful but insufficient.
(i) For face-to-face payments, it is extremely important to preserve the high level of security currently provided by the “EMV Chip & PIN” technology.
The only acceptable exemptions could be :
- very low-value payments, for which it is necessary to retain a non-replayable authentication with a signature of the transaction data (EMV chip or equivalent), but without necessarily requiring a second authentication factor (the PIN)
- payment at limited and identified acceptance points (closed-loop) with prepaid and non-reloadable cards
(ii) Where card payments on the Internet are concerned, it is important to define the new exemption criteria so that non-replayable authentication solutions which do not strictly meet the definition of strong authentication, but which nevertheless are effective in the fight against fraud, can continue to be deployed.
n.b. As explained above in the reply to question 4, single factor non-replayable authentication solutions can in fact be more secure than certain solutions which meet the strong authentication requirements.
8. Are there any other factors the EBA should consider when deciding on the exemptions applicable to the forthcoming regulatory technical standards?
The answer is YES: where card payments, and more specifically Internet payments, are concerned, the RTS should include an exemption from strong authentication for the following type of authentication solution:
- authentication solutions which use a physical “possession” element (such as a card or a smartphone) integrating a cryptographic mechanism with a sufficiently high level of security to generate passwords which are either one-time or short-lived (i.e. usable only within a very limited lapse of time).
Such an approach would authorise the use of authentication solutions known as non-replayable, such as cards with an integrated display (dynamic visual cryptogram).
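To make concrete the difference between the “dynamic linking” objective discussed under question 5 and the short-lived, non-replayable one-time codes proposed as an exemption under question 8, the following Python model is added here by the editor; it is not part of this response and does not describe the internals of any product named in it. It assumes a per-card secret shared between the possession element and the issuer at personalisation, a 60-second validity window, six-digit codes truncated as in HOTP (RFC 4226), and constructed amount and payee values. The first scheme computes the code over the time window only: it expires quickly and cannot be replayed, but it verifies equally well for a transaction whose amount and payee were altered in the browser. The second scheme folds amount and payee into the MAC, which is what dynamic linking requires.

```python
import hashlib
import hmac
import struct

# Constructed example material (not from any real product): a per-card secret
# that would be held inside the possession element (chip, secure element) and
# shared with the issuer at personalisation.
CARD_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
STEP_SECONDS = 60      # assumed validity window of a short-lived code
DIGITS = 6             # assumed code length shown on the card display


def _truncate(mac: bytes) -> str:
    """Dynamic truncation as in HOTP (RFC 4226): reduce a MAC to a short decimal code."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


def short_lived_code(secret: bytes, now: float) -> str:
    """One-time code bound only to the current time window.
    Nothing about the transaction enters the MAC, so the code is
    non-replayable and short-lived but not dynamically linked."""
    window = int(now // STEP_SECONDS)
    mac = hmac.new(secret, struct.pack(">Q", window), hashlib.sha256).digest()
    return _truncate(mac)


def linked_code(secret: bytes, now: float, amount_cents: int, payee: str) -> str:
    """Dynamically linked code: the MAC also covers the amount and the payee,
    so the code is only valid for this exact transaction in this window."""
    window = int(now // STEP_SECONDS)
    msg = struct.pack(">QQ", window, amount_cents) + payee.encode("utf-8")
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac)


class IssuerVerifier:
    """Issuer-side check: accepts a code from the current or the previous
    window (clock skew) and rejects any code that has already been consumed."""

    def __init__(self, secret: bytes, linked: bool) -> None:
        self.secret = secret
        self.linked = linked
        self.used = set()          # (window, code) pairs already accepted

    def verify(self, code: str, now: float, amount_cents: int, payee: str) -> bool:
        for skew in (0, STEP_SECONDS):
            t = now - skew
            if self.linked:
                expected = linked_code(self.secret, t, amount_cents, payee)
            else:
                expected = short_lived_code(self.secret, t)
            if hmac.compare_digest(expected, code):
                key = (int(t // STEP_SECONDS), code)
                if key in self.used:
                    return False   # replay of a consumed code
                self.used.add(key)
                return True
        return False               # wrong code, wrong transaction, or expired


def demo() -> dict:
    """Run both schemes against a legitimate and a tampered transaction."""
    now = 1_700_000_000.0                      # fixed constructed timestamp
    legit = (4999, "MERCHANT-A")               # what the user intended to pay
    tampered = (99999, "MULE-ACCOUNT")         # amount/payee altered in the browser
    results = {}

    # Scheme 1: short-lived, non-replayable, but not linked to the transaction.
    v1 = IssuerVerifier(CARD_SECRET, linked=False)
    code1 = short_lived_code(CARD_SECRET, now)
    results["unlinked_tampered_accepted"] = v1.verify(code1, now, *tampered)
    results["unlinked_replay_accepted"] = v1.verify(code1, now, *legit)
    results["unlinked_expired_accepted"] = IssuerVerifier(CARD_SECRET, False).verify(
        code1, now + 3 * STEP_SECONDS, *legit)

    # Scheme 2: dynamically linked to amount and payee.
    v2 = IssuerVerifier(CARD_SECRET, linked=True)
    code2 = linked_code(CARD_SECRET, now, *legit)
    results["linked_tampered_accepted"] = v2.verify(code2, now, *tampered)
    results["linked_legit_accepted"] = v2.verify(code2, now, *legit)
    results["linked_replay_accepted"] = v2.verify(code2, now, *legit)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:28s} {accepted}")
```

Running the model shows the unlinked code being accepted for the tampered transaction (the issuer has no way to tell the difference), while both schemes reject a replayed or expired code and only the linked scheme rejects the altered amount and payee. A linked code only helps if the user can see the amount and payee that went into it, which in practice means the possession element either has a display and keypad for those values or receives them over a channel the browser cannot alter.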
9. Are there any other criteria or circumstances which the EBA should consider with respect to transaction risks analysis as a complement or alternative to the criteria identified in paragraph 45?
Although the Risk Analysis is sound, it could be improved if the constraints imposed by Personal Data Protection Authorities concerning the use of personal data were less stringent.
10. Do you consider the clarification suggested regarding the protection of users personalised security credentials to be useful?
Although the clarifications put forward by the EBA are useful, it is also necessary to complete the high-level security objectives with further objectives in the areas of:
- the target level of security to be achieved, the levels of resistance to known attacks, …
- evaluation of the level of security of the different solutions (published evaluation methodology, criteria for the selection of laboratories so as to guarantee homogeneous capabilities of evaluation laboratories, …),
- accreditation of evaluation laboratories,
- certification of evaluation results,
- …
These additional targets are necessary so as to be able to guarantee an adequate and homogeneous level of security for the Personalised Security Credentials (PSC).
n.b. In the case where a mobile device is used in the authentication process, the PSPs cannot be held responsible for any intrinsic vulnerability linked, in particular, to the management of the network by the operator or the smartphones provided by the vendors.
11. What other risks with regard to the protection of users’ personalised security credentials do you identify?
The protection mechanisms of the Personalised Security Credentials (PSC) vary according to the specific nature of the PSC: if the PSC take the form of cryptographic keys, then their security depends on the processes by which such keys are generated, personalised (for example loaded into a “secure element”), stored and used (for example in a “secure element”).
- In fact the protection of the PSCs must be guaranteed throughout their life cycle (i.e. from generation to destruction).
Some types of PSC (such as confidential codes, passwords, …) are, when used, exposed to other potential threats in a variety of environments (acceptance systems, communications networks, acquirers, issuers, …).
- The confidentiality and integrity of the PSCs need to be guaranteed end-to-end, before, during and after their use.
n.b. : In cases where the PSCs used are not generated and used under the control of a PSP (which is the case for example of a SIM card for authentication using 3D Secure with an SMS), then the PSP cannot be held responsible for deficiencies in the PSCs.
12. Have you identified innovative solutions for the enrolment process that the EBA should consider which guarantee the confidentiality, integrity and secure transmission (e.g. physical or electronic delivery) of the users’ personalised security credentials?
There are some new solutions for payment using a mobile device, based on the EMV NFC standard, which use high-security mechanisms (GlobalPlatform standards) which, at the time of enrolment, guarantee the confidentiality and integrity of the PSCs downloaded during the provisioning phase into the secure hardware element or software within the mobile device.
13. Can you identify alternatives to certification or evaluation by third parties of technical components or devices hosting payment solutions, to ensure that communication channels and technical components hosting, providing access to or transmitting the personalised security credential are sufficiently resistant to tampering and unauthorized access?
A trusted third party is indeed necessary for the evaluation and certification of the different components and devices. It is important, however, to give the market and stakeholders a free choice as to who that trusted third party should be, including, where appropriate, a State-run entity.
The EBA should determine the goals, and the market the means with which to achieve them.
14. Can you indicate the segment of the payment chain in which risks to the confidentiality, integrity of users’ personalised security credentials are most likely to occur at present and in the foreseeable future?
This is a difficult question since the answer depends on the nature of the PSCs and the means used to protect them.
- the protection of PSCs stored in a “secure element” (or in a software device) concerns only the “Issuing segment” (including the device itself),
- the protection of PSCs which are of the type confidential code, passwords, … concern not only the “Issuing segment”, but also, potentially, the “Acquisition segment” (merchants, acquirers) and exchanges between the two.
15. For each of the topics identified under paragraph 63 above (a to f), do you consider the clarifications provided to be comprehensive and suitable? If not, why not?
So as to eliminate any ambiguity, the EBA should describe in more detail the functional and security expectations and requirements for the secure open standards of communication.
For example, do the EBA requirements cover only the security of the communication channel, or do they also cover the security of the transmitted data (both content and format)?
16. For each agreed clarification suggested above on which you agree, what should they contain in your view in order to achieve an appropriate balance between harmonisation, innovation while preventing too divergent practical implementations by ASPSPs of the future requirements?
ANSWERS TO QUESTIONS 16, 17 and 18 are grouped together as follows
If the RTS is to cover the issue of standards correctly, one needs to distinguish between 3 types of payment: card payments, credit transfers and direct debits.
Where card payments are concerned, the work done by nexo (www.nexo-standards.org) and in particular the EPAS protocols meet the EBA’s requirements.
Nevertheless, time will be needed for the market to mature and for the results of the initial experiences to be analysed objectively before definitive standards are decided on and imposed.
The card payment sector is undergoing a technological revolution; it is important to adopt a flexible approach and wait before making choices which would probably prove to be obstacles to innovation and stifle market growth.
17. In your opinion, is there any standards (existing or in development) outlining aspects that could be common and open, which would be especially suitable for the purpose of ensuring secure communications as well as for the appropriate identification of PSPs taking into consideration the privacy dimension?
(See the grouped answer to questions 16, 17 and 18 given under question 16 above.)
18. How would these requirement for common and open standards need to be designed and maintained to ensure that these are able to securely integrate other innovative business models than the one explicitly mentioned under article 66 and 67 (e.g. issuing of own credentials by the AIS/PIS)?
(See the grouped answer to questions 16, 17 and 18 given under question 16 above.)