Yes, we mostly agree, with the following exceptions:
• Regarding the password policy criteria, not allowing repeated characters within passwords does not bring a significant benefit to the overall security level, considering that other more efficient controls are in place in order to ensure strong password selection (user lockout after N unsuccessful login attempts, password length and special character use, periodic password change, etc.). This control will reduce the password keyspace. Therefore we propose that this requirement should be eliminated.
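The keyspace reduction referred to in the point above can be quantified. The following is an added worked example, not part of the original consultation response; it assumes a 95-character printable ASCII alphabet and compares an unrestricted keyspace with two readings of a "no repeated characters" rule (no two adjacent identical characters, and all characters distinct), reporting the loss in bits of entropy.

```python
import math


def keyspace(alphabet_size: int, length: int, policy: str = "any") -> int:
    """Number of passwords of the given length permitted under a policy.

    policy:
      "any"                - no restriction:            k^n
      "no_adjacent_repeat" - no two equal neighbours:   k * (k-1)^(n-1)
      "all_distinct"       - every character distinct:  k! / (k-n)!  (0 if n > k)
    """
    k, n = alphabet_size, length
    if n == 0:
        return 1
    if policy == "any":
        return k ** n
    if policy == "no_adjacent_repeat":
        # first position is free; each later position must differ from its predecessor
        return k * (k - 1) ** (n - 1)
    if policy == "all_distinct":
        # ordered selection without replacement; impossible once n exceeds k
        return 0 if n > k else math.perm(k, n)
    raise ValueError(f"unknown policy: {policy!r}")


def entropy_bits(count: int) -> float:
    """log2 of the keyspace size, i.e. bits of entropy for a uniformly chosen password."""
    return math.log2(count) if count > 0 else float("-inf")


def keyspace_loss_bits(alphabet_size: int, length: int, policy: str) -> float:
    """Entropy lost (in bits) by applying `policy` instead of allowing any password."""
    return entropy_bits(keyspace(alphabet_size, length, "any")) - entropy_bits(
        keyspace(alphabet_size, length, policy)
    )


def policy_comparison(alphabet_size: int = 95, length: int = 8) -> dict:
    """Summary table for one alphabet/length combination (assumed defaults: 95 printable ASCII, 8 chars)."""
    return {
        policy: {
            "keyspace": keyspace(alphabet_size, length, policy),
            "bits": round(entropy_bits(keyspace(alphabet_size, length, policy)), 3),
            "loss_bits": round(keyspace_loss_bits(alphabet_size, length, policy), 3),
        }
        for policy in ("any", "no_adjacent_repeat", "all_distinct")
    }


if __name__ == "__main__":
    for policy, row in policy_comparison().items():
        print(f"{policy:20s} keyspace={row['keyspace']:<22d} bits={row['bits']:<8} loss={row['loss_bits']}")
```

For 8-character passwords over a 95-symbol alphabet the loss is small in absolute terms (well under one bit for either reading), which supports the argument that the rule mostly adds friction for users without materially increasing resistance to guessing; the helper lets the same comparison be run for the alphabet and minimum length actually mandated.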
• Additional details are required for Art. 2 (4) - the authentication code generated in accordance with Article 1 shall be specific to the total amount of the batched electronic payment transactions and to the payees of the batch of transactions considered collectively.
Could you please explain what your understanding is of “the payees of the batch of transactions considered collectively”? What are the elements that should be considered in this exact scenario as part of the dynamic linking process?
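One way the requirement in Art. 2 (4) can be realised in code is to compute the authentication code as a MAC over a canonical representation of the batch total together with the set of payees taken as a whole. This is an added illustration, not part of the original response or of the RTS; the key, the payee identifiers, the minor-unit amount encoding and the per-batch nonce are all assumptions made for the example.

```python
import hashlib
import hmac
import json


def canonical_batch(total_amount_minor: int, currency: str, payees: list[str], nonce: str) -> bytes:
    """Deterministic encoding of what the code is linked to.

    Payees are sorted so the batch is considered collectively (order-independent);
    the nonce is assumed to be fresh per batch so a code cannot be replayed.
    """
    payload = {
        "total_amount_minor": total_amount_minor,  # assumption: amount in minor units (e.g. cents)
        "currency": currency,
        "payees": sorted(set(payees)),            # collective set of payee identifiers (assumed IBAN-like strings)
        "nonce": nonce,
    }
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")


def batch_auth_code(key: bytes, total_amount_minor: int, currency: str, payees: list[str], nonce: str) -> str:
    """HMAC-SHA256 authentication code bound to total amount and the set of payees."""
    return hmac.new(key, canonical_batch(total_amount_minor, currency, payees, nonce), hashlib.sha256).hexdigest()


def verify_batch_auth_code(key: bytes, code: str, total_amount_minor: int, currency: str,
                           payees: list[str], nonce: str) -> bool:
    """Constant-time check that `code` matches the batch as presented for execution."""
    expected = batch_auth_code(key, total_amount_minor, currency, payees, nonce)
    return hmac.compare_digest(code, expected)


# Constructed sample batch (hypothetical key and payee identifiers).
SAMPLE_KEY = b"example-session-key-not-for-production"
SAMPLE_PAYEES = ["XX00PAYEE000000000001", "XX00PAYEE000000000002", "XX00PAYEE000000000003"]
SAMPLE_TOTAL = 125_000  # 1250.00 in minor units
SAMPLE_NONCE = "batch-0001"


def demo() -> dict:
    """Show that the code is stable under payee reordering but changes if amount or payees change."""
    original = batch_auth_code(SAMPLE_KEY, SAMPLE_TOTAL, "EUR", SAMPLE_PAYEES, SAMPLE_NONCE)
    reordered = batch_auth_code(SAMPLE_KEY, SAMPLE_TOTAL, "EUR", list(reversed(SAMPLE_PAYEES)), SAMPLE_NONCE)
    amount_changed = batch_auth_code(SAMPLE_KEY, SAMPLE_TOTAL + 1, "EUR", SAMPLE_PAYEES, SAMPLE_NONCE)
    payee_swapped = batch_auth_code(SAMPLE_KEY, SAMPLE_TOTAL, "EUR",
                                    SAMPLE_PAYEES[:-1] + ["XX00PAYEE000000000009"], SAMPLE_NONCE)
    return {
        "reorder_keeps_code": original == reordered,
        "amount_change_breaks_code": original != amount_changed,
        "payee_change_breaks_code": original != payee_swapped,
        "verifies": verify_batch_auth_code(SAMPLE_KEY, original, SAMPLE_TOTAL, "EUR", SAMPLE_PAYEES, SAMPLE_NONCE),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the canonical form is that the verifying side recomputes exactly what the payer saw and approved; any difference in the total or in the collective set of payees (one added, removed or substituted) yields a different code, while the order in which payees were listed does not matter.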
• Additional details must be included in Art. 6(3).b - mechanisms to ensure that the software or device have not been altered by the payer or by a third party.
Software:
- Does this concern the device’s operating system?
- Does this concern the application or process that handles the respective security function? (2 factor authentication)
Device:
- Does “device” translate to the hardware device (ex: mobile phone, tablet, etc.)?
If it does, then the device is not under the control or administration of the PSP, thus this environment’s integrity cannot be guaranteed by the PSP.
Yes, we fully agree and we understand that the authentication and the transaction authorisation may take place at the same time as long as SCA is ensured.
No, we consider the enumeration to be sufficient.
Yes, we understand that the exemptions mentioned are also applicable for dynamic linking process, as this process is executed in close relation with the strong authentication.
No, we don't have any concerns.
Related to art. 8(1,a,ii), rather than using “one month”, it should be “30 days”.
Yes.
Art. 19 (4) - Account servicing payment service providers shall make sure that the technical specification of their communication interface is documented, the documentation made available for free and publicly on their website.
We don’t consider it a good idea to make this information public to everyone, as this could be considered a security risk. This information should be disclosed only based on a contractual agreement between the PSP and the interested parties (PISP, AISP, etc.).
ISO 20022 is a general standard; we consider that a more detailed approach should be used if the desired result is to have a common understanding and a “unified” implementation. Otherwise, each organisation could use different ISO 20022 elements in order to satisfy the requirement, but this approach would not achieve interoperability as desired by the RTS. A supervisory body should coordinate and regulate this aspect (either local or central).
It should be stated clearly whether web site certificates shall be used in communication towards end users using their computers, tablets and mobile phones and/or be used in communication between PSPs.
Yes, we agree, but there should also be a limit on the amount of data that should be returned to the AISP, based on its query.