Response to discussion on RTS on strong customer authentication and secure communication under PSD2


1. With respect to Article 97(1) (c), are there any additional examples of transactions or actions implying a risk of payment fraud or other abuses that would need to be considered for the RTS? If so, please give details and explain the risks involved.

The addition of contact information, authorising new users or similar. For example, we have seen an increase in fraud recently where criminal individuals contact banks or payment firms by phone and request the addition of new users or email addresses to the system of existing accounts. These email addresses are then used as a means to reset passwords or to add a fraudster as a trusted user. The references made by the EBA are predominantly concerned with dealing with security around payments, and not around general account security, which still remains weak.

2. Which examples of possession elements do you consider as appropriate to be used in the context of strong customer authentication, must these have a physical form or can they be data? If so, can you provide details on how it can be ensured that these data can only be controlled by the PSU?

The issue with the use of “data”, particularly static data, is that it can all too easily be compromised. Once it is compromised (for example using date of birth or a PIN number) it sometimes cannot change. The phrase “potentially data controlled only by the payment services users” is an impossible thing to achieve as users will often inadvertently share data, or be coaxed into providing it via social engineering hacks and fraud. A physical one-time pass which produces a single use data element is safest, and prevents the user from being able to provide that to a third party, particularly when these codes are time restricted.

3. Do you consider that in the context of “inherence” elements, behaviour-based characteristics are appropriate to be used in the context of strong customer authentication? If so, can you specify under which conditions?

Behaviour-based characteristics are suitable on a range of devices, but have severe flaws. The data input and behaviours of a user can be easily mapped, either through keystroke loggers or recording software on PCs. These can easily be scripted and replicated. It should however be noted that for low value, repeat payments to an existing beneficiary, such a low grade security feature may be suitable. However, with the prevalence of mobile payments, the bulk of metrics (such as keyboard use and mouse movements) are lost, so whilst this may be a useful feature for online banking, its relevance is limited on certain platforms.

4. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to the independence of the authentication elements used (e.g. for mobile devices)?

No comment.

5. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to dynamic linking?

Overseas transactions, taking place from outside of the UK would be the primary issue. The reliance on SMS networks means that card transactions taking place when individuals travel to more remote places, or to locations where cell coverage and power are poor, or when they are unwilling to reveal their cell phone, may reduce the usage of payment cards overseas. Other issues may exist in the ability to provide services to users with disabilities, such as those unable to easily copy and remember codes inside of the required time frames.

6. In your view, which solutions for mobile devices fulfil both the objective of independence and dynamic linking already today?

Yubikey devices (which can be independent from the phone). These use NFC to validate against a phone and confirm the user has the physical object. These generate a one-time pass which can be time stamped. For example, the code they generate will be valid only for the period of the transaction; it would not be valid later for additional transactions. Specific keys would be required by individual users, to ensure that keys could not be used by other individuals.

7. Do you consider the clarifications suggested regarding the potential exemptions to strong customer authentication, to be useful?

Low-risk transactions based on a transaction risk analysis (taking into account detailed criteria to be defined in the RTS): this needs definition. Firms should already be considering payment risk as part of their fraud monitoring systems; if these systems were any good, we wouldn’t have a fraud risk to prevent!

We believe these are useful, but note that “low value” transactions from PSD2 are €30. We would like to see a clarified sterling amount, and would also question if this should be higher. Contactless, unverified transactions are available up to £30; I feel this level should at least be maintained.

8. Are there any other factors the EBA should consider when deciding on the exemptions applicable to the forthcoming regulatory technical standards?

A shift in burden for fraud losses, such as those maintained by Amazon in which Amazon accept all fraud losses, means that users are not inconvenienced when their card is stolen. Firms should be able and willing to accept liabilities and losses should they wish to have reduced validations, where they believe that this will substantially inconvenience the customer.

9. Are there any other criteria or circumstances which the EBA should consider with respect to transaction risks analysis as a complement or alternative to the criteria identified in paragraph 45?

Geography of the customer at the time of transaction, if, for example, this is well outside of a standard geo-fence or range of the customer's normal operating area. Frequency and velocity of transactions, and whether a small transaction has just taken place on the account prior to the full trade (small scale test transactions).

Beneficiary information. The proposed metrics are heavily based upon the buyer, and not the seller or processor of the transaction. Transaction risk could consider the details of the seller, levels of fraud rates and so on, which highlights if this is a higher risk beneficiary which is likely to present a greater fraud risk. This would require that merchant activity be reviewed and fed back, but the risk of merchants, such as those identified in the UK Money Laundering Threat Assessment (e.g. sellers of prepaid cards), may present a greater risk.
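The criteria proposed in this answer, as an added worked example in Python (not the respondent's or the EBA's code): a transaction is scored against a customer profile for distance from the customer's normal geo-fence, transaction velocity, a small test transaction shortly before a larger one to the same beneficiary, and a beneficiary category flagged as higher risk. The thresholds, the beneficiary list and the sample transactions are all constructed for the example.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass
class Txn:
    ts: int            # Unix seconds
    amount: float      # GBP
    lat: float
    lon: float
    beneficiary: str   # constructed beneficiary label

@dataclass
class Profile:
    home_lat: float
    home_lon: float
    geofence_km: float = 300.0     # assumed normal operating radius
    velocity_limit: int = 5        # assumed max transactions per hour
    test_txn_max: float = 2.0      # assumed "small test transaction" ceiling
    large_txn_min: float = 100.0   # assumed size of the "full trade"
    test_gap_seconds: int = 1800   # assumed window between test and full trade

# Constructed stand-in for a list fed back from merchant reviews
HIGH_RISK_BENEFICIARIES = {"prepaid-card-reseller"}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_flags(history, txn, profile):
    """Return the set of risk criteria the transaction trips, given the
    customer's prior transactions (history) and their profile."""
    flags = set()
    if haversine_km(profile.home_lat, profile.home_lon, txn.lat, txn.lon) > profile.geofence_km:
        flags.add("outside_geofence")
    recent = [h for h in history if txn.ts - 3600 <= h.ts < txn.ts]
    if len(recent) >= profile.velocity_limit:
        flags.add("high_velocity")
    # Small-value probe to the same beneficiary shortly before a large payment
    probed = any(h.amount <= profile.test_txn_max
                 and 0 < txn.ts - h.ts <= profile.test_gap_seconds
                 and h.beneficiary == txn.beneficiary for h in history)
    if probed and txn.amount >= profile.large_txn_min:
        flags.add("test_transaction_pattern")
    if txn.beneficiary in HIGH_RISK_BENEFICIARIES:
        flags.add("high_risk_beneficiary")
    return flags
```

A flagged transaction would be the one to step up to full strong customer authentication rather than exempt under the low-risk criterion.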

10. Do you consider the clarification suggested regarding the protection of users personalised security credentials to be useful?

No comment

11. What other risks with regard to the protection of users’ personalised security credentials do you identify?

No comment

12. Have you identified innovative solutions for the enrolment process that the EBA should consider which guarantee the confidentiality, integrity and secure transmission (e.g. physical or electronic delivery) of the users’ personalised security credentials?

No comment.

13. Can you identify alternatives to certification or evaluation by third parties of technical components or devices hosting payment solutions, to ensure that communication channels and technical components hosting, providing access to or transmitting the personalised security credential are sufficiently resistant to tampering and unauthorized access?

Firms should be required to offer Bug Bounty or similar, to encourage hackers to probe their systems. Hackers and other groups will do this naturally, and when they find a gap exploit this for profit. Offering a reward to such groups means that they can profit from their activities without compromising security. They are going to do it anyway, you might as well get them to work for you rather than against you.

14. Can you indicate the segment of the payment chain in which risks to the confidentiality, integrity of users’ personalised security credentials are most likely to occur at present and in the foreseeable future?

With the user, either through social engineering hacks, loss of devices or similar.

15. For each of the topics identified under paragraph 63 above (a to f), do you consider the clarifications provided to be comprehensive and suitable? If not, why not?

No comment.

16. For each agreed clarification suggested above on which you agree, what should they contain in your view in order to achieve an appropriate balance between harmonisation, innovation while preventing too divergent practical implementations by ASPSPs of the future requirements?

No comment.

17. In your opinion, are there any standards (existing or in development) outlining aspects that could be common and open, which would be especially suitable for the purpose of ensuring secure communications as well as for the appropriate identification of PSPs, taking into consideration the privacy dimension?

No comment.

18. How would these requirements for common and open standards need to be designed and maintained to ensure that these are able to securely integrate other innovative business models than the one explicitly mentioned under articles 66 and 67 (e.g. issuing of own credentials by the AIS/PIS)?

No comment.

19. Do you agree that the e-IDAS regulation could be considered as a possible solution for facilitating the strong customer authentication, protecting the confidentiality and the integrity of the payment service users’ personalised security credentials as well as for common and secure open standards of communication for the purpose of identification, authentication, notification, and information? If yes, please explain how. If no, please explain why.

No comment.

20. Do you think in particular that the use of “qualified trust services” under e-IDAS regulation could address the risks related to the confidentiality, integrity and availability of PSCs between AIS, PIS providers and ASPSPs? If yes, please identify which services and explain how. If no, please explain why.

No comment.

Name of organisation

Association of Foreign Exchange and Payment Companies

Please select which category best describes you and/or your organisation.

Other

If you selected ‘Other’, please provide details

We are an association of authorised payment institutions and electronic money institutions