aa) Terminal-based payment transactions at the point of sale
It must be highlighted that a material difference exists between the IT security set-up of online credit transfers and payment transactions initiated at the point of sale (POS) through card payments.
In the case of online credit transfers, any enhanced IT security requirement may be centrally adopted at the bank’s data processing center within one centralized IT platform under the responsibility of a bank or its IT data processing provider.
In the case of payment transactions at POS terminals through card payments, however, any required change in the IT security requirements is a completely decentralized process, which requires interactions with many thousands of payment terminals deployed at various locations widely spread all over the continent. If changes in the IT security set-up of the POS terminal infrastructure are required under the RTS, it must consequently be recognized that – contrary to credit transfers – a long-lasting, decentralized upgrading process usually requires on-site upgrading activities, including the possible exchange of terminal infrastructure, which can usually take many years. The IK is of the opinion that the world-wide recognized EMV chip standard fully complies with SCA requirements as defined in the PSD-II. If, however, compared to the existing EMV chip standard, additional technological security requirements within the POS terminal infrastructure are imposed by EBA under the RTS, such additional technical requirements within a POS transaction environment cannot possibly be implemented within a short 18 month period. This very essential difference between POS payment transactions and online credit transfer transactions should therefore be diligently considered.
bb) Electronic Payments at the POS
The IK welcomes clarifications provided by EBA, such as laid down in sect. 17 of EBA’s reasonings on the draft RTS with respect to payment instruments being in or out of scope of SCA requirements according to art. 97 para. 1 (b) PSD-II.
In this respect, the IK welcomes any further clarification by EBA, potentially in the upcoming recitals of the RTS, that also payments initiated at the POS with the payer’s signature on electronic signature pads should be clearly viewed as being out of scope of SCA-regulated electronic payment transactions according to art. 97 para. 1 PSD-II. The consent of the payer in this case is clearly expressed by use of a pencil in handwriting and should therefore not be treated as an electronic payment transaction.
cc) Art. 74 para. 2 PSD-II
EBA emphasized its understanding that art. 74 para. 2 PSD-II should only be understood as a transitional clause until the application date of the RTS.
The IK disagrees with this understanding and does not recognize any element in the PSD-II and its historical legislative development which limits the applicability of art. 74 para. 2 PSD-II to a transitional period only.
b) Art. 1 RTS and electronic credit transfers
The IK does not agree with EBA’s draft in art. 1 with respect to authentication procedures and authentication codes as being applicable for all electronic payment transactions “in accordance with art. 97 (1) PSD-II”.
aa) Authentication code?
First of all, the meaning of the “authentication code” – even in the light of art. 1 para. 2 RTS – has been left unclear in the draft RTS. In particular, clarification is required as to whether an “authentication code”
• is meant to be a “one-time password”, transmitted in the course of an electronic payment transaction to a payer in order to authenticate a legitimate use of a possession instrument, like a mobile device, or
• is meant to be the complete “internal” data set consisting of all transaction data and security credentials used for authentication of the transaction and as transmitted from the payee to his payment service provider, the acquirer in case of a card-based payment.
In particular, EBA’s presentation held at the public hearing in London, slide 15, led to some confusion, since the terms “authentication code” and “one-time password” (“OTP”) are mentioned alternatively, which reads as if they were two separate items.
bb) Art. 1 RTS drafted for electronic credit transfers
If EBA understands the “authentication code” as a one-time password being transmitted to the payer in order to further provide evidence of a legitimate use of a possession instrument, like a mobile device, it must consequently be acknowledged that the entire art. 1 RTS and the described authentication procedure only make sense for online credit transfer transactions.
cc) Undisputed high security level of EMV-chip standard
According to EBA’s hearing statements, the world-wide deployed EMV chip-based card payment standard is recognized as a highly secure standard which fulfills SCA requirements. Within the EMV standard, however, no authentication code at all is applied, but – as a model standard for an SCA example – a pair of elements consisting of knowledge of the personal identification number and the possession of the payment card with an EMV chip, is applied at a POS terminal.
All further requirements of the authentication procedure, as laid down in art. 1, do not fit at all to the standard EMV chip-based payment process in a POS environment. This does not only hold true for the non-existing use of authentication codes (art. 1 (2) RTS) within the EMV standard, but also with respect to the further requirements, as laid down in art. 1 para. 3 RTS.
EBA should consequently feel encouraged to clarify within a separate article of the RTS that the existing EMV standard, as it has been widely implemented all over the EU, is a specific authentication procedure, completely complying with SCA requirements, as laid down in art. 4 no. 30 PSD-II.
dd) Authentication codes for remote possession authentication
The “authentication code” within the meaning of a one-time password only makes sense in cases where the SCA element of “possession” cannot easily be identified in remote payment transactions and where the transmission of a one-time password to the payer serves as a means to provide evidence that the payer does not only dispose of the element “knowledge” while applying his PIN, but is also in possession of a device which supports the authentication of a payment transaction initiated by such payer. The proof of evidence of this “possession element”, however, is not at all required at a POS terminal transaction, which evidently always requires the submission of the physical payment card and the card reader communication within the POS terminal. Consequently, any references to authentication codes or one-time passwords to card-based payments would compromise the entire EMV chip-based payment set-up – contrary to statements heard at the EBA hearing.
c) Preventive Mechanisms, Art. 1 para. 3 point e) EBA’s Draft
aa) General remarks
In general terms, the IK does not agree with the establishment of additionally required mechanisms for a strong customer authentication in addition to the definition of the strong customer authentication procedure, as defined in art. 4 no. 30 PSD-II. The preventive, detective and blocking mechanisms required prior to the PSP’s final authorization are not required under art. 4 no. 30 PSD-II, but should only be used as alternative and example criteria for the exemptions from the SCA requirement based on a risk analysis, as stipulated in art. 98 para. 3 (a) PSD-II and further outlined below, sect. 2a. Furthermore, those requirements inhibit POS offline transactions (see bb) and include required elements which cannot be identified in the course of an authorization process (see cc):
bb) Discrimination of offline transactions
The draft art. 1 RTS in its entirety, particularly the additional requirements for preventative mechanisms according to art. 1 para. 3 point e) RTS would in fact lead to a prohibition of “offline transactions” initiated at a POS terminal through card-based payment transactions. Offline transactions are processed in many EU countries, where either the PIN authentication of the cardholder occurs offline at the POS terminal infrastructure – with an amount-related online authorization – or also occurs as a complete offline transaction, where all authentication and authorization mechanisms occur at the POS, particularly for low value card payment transactions. In consideration of the requirements, as set up by art. 1 para. 3 RTS, any offline transactions at POS terminals would be prohibited, which would in fact cause a dramatic breakdown of card-based POS payments in many EU countries.
As already stated, the entire art. 1 RTS does not fit at all to the notion of a POS terminal payment transaction through payment cards and particularly compromises the existing EMV card payment standard. As furthermore outlined above, any required change to existing POS terminal security standards will not at all be implementable within a two year period, due to the required decentralized upgrading or substitution activities.
The IK therefore strongly urges EBA to clarify with a separate article, specifically dedicated for POS card-based payments that the existing EMV chip card-based payment standard is – in abstract legal appropriate language – in compliance with SCA requirements.
cc) Information about the customer device used
The further requirement to also take “information about the customer device used” into account (art. 1 para. 3 point e) iv) EBA’s Draft) refers to a data set which, from a technological perspective, is not identifiable for an APSP or a credit card issuer. In online transactions, it is not identifiable for PSPs whether an online session occurs through a mobile device, a tablet or a standard PC device. Consequently, the requirement to identify and assess the device used will make strong customer authentication procedures technologically impossible.
a) EBA’s reasonings on strict application of SCA
EBA suggests in its draft RTS to understand the application of SCA under art. 97, 98 PSD-II as a strict mandatory principle, with only rare cases of exemptions as defined by an exhaustive list of exemptions.
The IK has a differing understanding of art. 97, 98 PSD-II and does not see considerations related to individual risk management tools applied by PSPs, to the objective to ensure user-friendly payment methods and to promote innovative means as appropriately balanced against the objective to increase security standards for electronic payments. According to the IK’s understanding the security level is one out of different objectives, but not strictly defined as the predominant principle under art. 98 para. 2 PSD-II. Particularly, art. 98 para. 2 (a) calls for definitions of effective and risk-based requirements.
Furthermore art. 98 para. 3 point a) PSD-II states that the exemptions from the SCA application shall be based especially on the level of risk involved in the service provided.
Corresponding to this risk-based approach, Chapter 3.2.2/No. 39 of EBA’s Draft refers to recital 96 PSD-II stating that “the security measures should be compatible with the level of risk involved in the payment service. In order to allow the development of user-friendly and accessible means of payment for low-risk payments, such as low value contactless payments at the point of sale, whether or not they are based on mobile phone, the exemptions to the application of security requirements should be specified in regulatory technical standards (…).” The term “such as” emphasizes that contactless low value payments are merely one category of possible low risk transactions to be considered for exemptions to SCA – but not the only one.
Furthermore, the IK asks whether it is not advisable to first elaborate on new fraud experience and statistics gathered under the existing EBA security requirements for internet payments. The existing PSP practice under these EBA guidelines – as implemented in Germany by BaFin through the “MaSI” circular letter (Minimum Requirements for the security of internet payments) – will show reduced fraud and misuse rates with a broad application of SCA but also with distinct and risk-oriented alternative means of risk analysis and risk management tools. With the existing statistics being taken into account, it will be highly questionable whether a strict application of SCA must be an obligatory principle and reduction of exemptions to a limited number of cases is the right way forward in order to enhance electronic payments with all objectives in art. 98 para. 2 PSD-II being considered.
As an alternative regulatory approach EBA should also encourage supervisors to assess fraud rates based on performance of regulated institutions and as part of the audit review as stated in art. 7 RTS, which should be achieved through both the application of SCA as well as individual risk-based models and technology, applied by PSPs, but under the regulators’ scrutiny with a view to comply with established fraud rate levels.
EBA’s approach, however, to stipulate a strict obligation to apply SCA with almost no exceptions for online payments will trigger substantially increased costs for online merchants and will hamper the emergence of new online solutions and payment methods and, lastly, any e-commerce development of the European market. On the other hand, it will be highly questionable whether the objective to increase the security standard will be achieved – compared to existing security measures and risk management standards, including SCA, but not mainly limited to SCA. As outlined by participants at the EBA hearing, well-established and sophisticated risk management methods of merchants, acquirers, issuers and card payment schemes will become more or less obsolete and are judged as ineffective – without any empirical evidence.
As already mentioned in IK’s opinion on EBA’s Discussion Paper EBA/DP/2015/03, innovative solutions for online business with the use of credit cards with so-called “tokens” as one-time payment authentication data might enable payments for consumers and merchants in a much easier and more secure way and should not be excluded from the outset in the ambit of strict SCA obligations. The same applies to HCE requirements for NFC payments and eIDAS token specifications as contributed by the German and French IT security agencies BSI and ANSSI, which take the development of token-based solutions for authentication processes into consideration. Consequently, in terms of discussing transaction or product risk analysis as a basis for low-risk transactions or processes, EBA should feel encouraged to also allow payment services providers to apply upcoming new technologies, if in the PSP’s transaction risk assessment the use of those technologies also qualifies as low-risk transactions.
The IK consequently does not agree with EBA’s Draft insofar as a transaction-risk analysis performed by the PSP to exempt low-risk transactions from SCA is not proposed. While finding a difficult balance between the different interests, as stated in art. 98 para. 2 PSD-II, EBA’s draft RTS and additional EBA hearing statements show a predominant preference to only grant exemptions on a highly restrictive level, based on the assumption that this approach provides for an increased level of user security – although art. 98 para. 2 (a) PSD-II merely calls for a security level/standard that “ensure(s) an appropriate level of security for payment service users and payment service providers”.
The other aspects, as emphasized in art. 98 para. 2, however, particularly
• a fair competition among all payment services providers,
• ensuring of a technology and business model neutrality and
• the development of user-friendly, accessible and innovative means of payment
do not seem to be addressed in an appropriate manner.
The current draft RTS, however, provides preference and support for certain payment models, but accepts competition disadvantages to others, particularly to card payments.
As a potential further exempting provision in art. 8, the following criteria for a risk based analysis should allow PSPs to exempt certain electronic payment transactions from the SCA requirement:
Art. 8 para. 2 (e-new): “The payee’s payment service provider for transactions initiated by or through a payee in the context of a remote card-based electronic payment transaction applies a transaction risk analysis which should be based on models which are:
(a) based at minimum on comprehensive real-time risk analysis taking into account one or more of the following criteria: (i) an adequate transaction history of the payee to evaluate typical behavioral patterns or of the payer to evaluate its typical spending behavioral patterns, (ii) information about the customer device used or where applicable (iii) a detailed risk profile of the payee,
(b) proven to be efficient for fighting against fraud and audited according to Article 7,
(c) are continuously reviewed according to fraud rates and improved in order to address new fraud scenarios and new technological threats.”
As a general consideration, EBA should therefore feel encouraged to re-consider its approach and open exemptions for PSPs also based on the application of aforementioned risk-based models, subject certainly to ongoing payment services regulation and supervision.
b) Fair competition within limited network payments
Art. 3 (k) PSD-II provides for a comprehensive exclusion of payment services from the scope of the PSD-II, if only a limited range of goods and services may be purchased through the use of a certain payment instrument or in other cases of a limited usability of the payment instrument.
Consequently, a series of payment services providers who issue qualified instruments accordingly, based on this limited network exemption, will not at all be regulated under PSD-II, including a non-applicability of SCA requirements for their limited use payment instruments.
The IK is of the opinion that regulated payment institutions under the PSD-II should still be entitled to offer limited range payment instruments on a level playing field with aforementioned competitors and should not be subjected to the requirements of SCA for those payment instruments with limited use - only due to their regulatory status as payment institution. As EBA’s representatives correctly stated on the occasion of the EBA hearing in London, the SCA regulation clearly follows a functional approach and does not consider any institutional status of the payment services provider. Hence, also payment services which would not qualify as regulated services according to art. 3 (k) PSD-II, even if occasionally provided by regulated payment institutions, should be out of scope of SCA requirements in order not to distort competition.
c) Point of sale transactions, art. 97 (1) PSD-II
Recital 95 PSD-II certainly mentions contactless payments as one example (“such as”) of a transaction type, which is presumed to be provided on a lower risk base. Recital 95, however, does not provide for a conclusive list of cases, but for illustrative examples.
The IK does not agree with EBA’s proposal to treat contactless POS payments differently compared to standard, contact-based card terminal payments at the point of sale. Here, awareness must be particularly given to circumstances of POS situations with a massive traffic of payment services users in order to pay quickly and conveniently, particularly, as a very prominent example, payment booths at highway toll stations, which certainly require a high level of speed for electronic payment transactions in order to avoid unacceptable traffic situations on highways. It is certainly fair to promote contactless payments at the point of sale as an innovative payment means. This, however, should not be done with an avoidable and cost-intensive disadvantage of existing and well established payment methods at the point of sale without requirement of a strong customer authentication. Since security aspects may be equally assessed in both methods (contactless and contact-based terminal payments), no reason for a distinction is evident to exclude contact-based payments at the point of sale from the exemption clause in art. 8 (1) (b) RTS.
d) Exemption of corporate payment instruments – art. 61 PSD-II
The IK does not agree with EBA’s approach to exclude any further type of low-risk payment transaction from the catalogue of exemptions in art. 8, although clear evidence may be provided for certain low-risk transactions. This particularly applies for the example of payment instruments exclusively issued to large corporates, in order to facilitate international travel management, use of purchase cards and other means of institutional procurement requirements.
With respect to corporate payment users, the guiding distinction in art. 61 PSD-II must also be taken into account. While a certain interaction between the SCA requirements and the applicability of art. 74 PSD-II is evident, particularly also with respect to a limited amount of € 50 for chargeable risk to payment services users (if consumers), the PSD-II decision in art. 61 para. 2 must also be considered, which states that in payment services relationships with commercial clients the entire art. 74 PSD-II – consequently, including the risk amount limitation – may be abrogated. This clause would be undermined, if a conclusive list of exemptions in art. 8 excluded the consideration of low-risk transactions with corporate entities. As the legislator accepts payment services providers to negotiate specifically designed payment services conditions with commercial entities, it should also be accepted to understand a lower level of risks associated with payment transactions included within commercial use.
This particularly applies to corporate card payments with the following additional remarks:
For commercial businesses it is customary to make use of so-called “virtual cards” in its in-house travel management for its employees. Centralized booking of a large volume of travel services, such as flight, hotel, car rental bookings for business travelling of employees applies card payments in order to quickly arrange for guaranteed booking of a massive number of transactions. This is not possible through wire transfer, since the reservation in fact requires immediate payment certainty of the airline, car rental company etc.
Cards applied for those services are usually not issued physically, because they are not used at a POS, but “virtually” by issuing card numbers to corporate companies. The underlying payment transaction, however, is still a card payment transaction.
Those card payments by corporate users are secure and highly efficient in corporate travel management. They have not even been covered by ECB’s scrutiny of card fraud in its recent ECB card fraud report 2015, since the risk of fraud is materially lower compared to other payment instruments. The reduced risk in this area is based on a series of facts. Those cards are additionally secured by IT platforms and encoded access tools for the travel department managers, they have – unlike consumer cards – a limited time of usability and may only be used for limited travel purposes.
EBA’s requirements to subject even those card instruments to a broad application of SCA requirements would materially slow down and decrease efficiency in corporate travel management, with increased costs involved, but without gaining a different level of security.
Consequently, also in consideration of art. 61 para. 2 PSD-II, EBA should feel encouraged to also grant exemptions for issuers of corporate card payment instruments to commercial customers, if risk-based analysis of issuers show a materially decreased level of risk of fraud.
e) Limited networks exemption
If – contrary to IK’s position above, a) – EBA understands PSD-II in a manner that payment instruments with a very limited scope of use within the meaning of art. 3 (k) PSD-II shall not be subject to SCA requirements for unregulated PSPs, but shall in general be in-scope of SCA requirements for regulated payment institutions, EBA should feel encouraged to provide for an explicit exemption of those payment instruments from the application of SCA in order not to distort competition between regulated and unregulated PSPs. With this approach, EBA would consequently follow a path of a “functional approach” requiring “same rules for same services”.
f) No discrimination of card payments against credit transfer
EBA’s approach in art. 8 para. 2 (a) and (b) to exempt electronic credit transfers from SCA requirements in case of “white listings” of trusted beneficiaries (a) or in cases of a series of credit transfers with the same amount and the same payee is certainly an appropriate continuation of the regulatory practice as outlined by EBA’s guidelines on the security of internet payments as of 14.12.2014 and as indicated in EBA’s Discussion Paper EBA/DP/2015/03 on future Draft RTS on strong customer authentication and secure communication.
The same reduced level of risk, however, as for aforementioned credit transfer transactions also applies to credit card payments, where credit card users with frequent interactions with well-known and trusted merchants will have an interest in easy and user-friendly credit card payments to white listed trusted merchants, as is the case in credit transfers. This is apparently the case where credit card users subscribe to certain regular and ongoing services of newspapers, music or video download/streaming at dedicated online platforms which are frequently visited by users. Consequently, the same use cases as exempted for credit transfers do also play an important and competitive role for online card payments.
No evidence is given why card payments should be discriminated in the same use cases with a comparable or even reduced level of risk compared to credit transfers. Consequently, EBA should feel encouraged to also include card payments in the explicit exemptions of art. 8 para. 2 (a) and (b).
g) Low value transactions
The exemption in art. 8 para. 2 (d) for remote electronic transactions with an individual spending limit of 10 € again does not strike an appropriate balance between security objectives on the one hand and the interests of user-friendly payment tools and the promotion of innovative means of payments.
A broad series of innovative online services will be put at risk with their business models, if even low value transactions above 10 € comprehensively require SCA application which will materially increase costs for merchants with an increased risk of transaction abandonments by online users even for low risk transactions.
The IK prefers to encourage EBA and the competent local regulators to first elaborate on new fraud experience and statistics gathered under the existing EBA security requirements for internet payments. This will show that even in low value cases of up to € 50 no regulatory need will be evident to completely subject all remote payment transactions over a € 10 threshold to SCA requirements. Existing risk management analysis and mitigating processes applied by both issuers and acquirers do already provide for an appropriate security level while at the same time enabling innovative online businesses to develop at a low cost level – but still with reduced security risk for card users with user-friendly usability.
Consequently, the IK does not agree with the extremely low threshold of € 10 per transaction in art. 8 para. 2 (d) and suggests to apply € 50. Furthermore, regulators should first analyse current security and fraud results under already existing regulatory security requirement schemes in order to obtain sufficient empirical evidence that a further lowering is really seen as an ultima-ratio measure.
a) Outsourced authentication services
In line with the outsourcing provisions, as stipulated in art. 19 para. 6 PSD-II, it is of predominant importance for the payment services market to maintain the possibility to delegate certain operational functions to outsourcing service providers, including, but not limited to the outsourcing of authentication services (to e.g. mobile network operators or external data processing centers), as indicated in art. 12 RTS.
In order to clarify that the performance of delegated functions to third parties is also recognized as “environments under the payment service provider’s responsibility”, the IK suggests to further include the following language in the last sentence of art. 12 sent. 3 (a):
“The environments under the payment service provider’s responsibility include but are not limited to the payment services provider’s premises, the internet environment provided by the payment services provider or in other similar secure websites, authentication functions delegated to a service provider, automated teller machine (ATM) services;”
b) Delivery of personalized security credentials through outsourced service providers
In practice, authentication software delivered to the payment services user is in most cases delivered through outsourcing service providers of the payer’s payment service provider, who act under those PSP’s responsibility and in line with delegated function regulation pursuant to art. 19 para. 6 PSD-II. Consequently, art. 13 sent. 3 (b) RTS should preferably include the following clarifying language:
“(b) mechanisms ensuring that the authentication software delivered to the payment services user via the internet has been digitally signed by the payment services provider or by delegated service providers acting under the responsibility of the payment services provider”;
The IK is a competition neutral platform without legal capacity for entities, which act in the credit and debit card business in Germany (Issuer, Acquirer, Network Service Providers, Processing Entities, Licensors), registered in the EU-Transparency Register under aforementioned Ident-no. 209142612442-39.