Submission #56

Primary tabs

View(active tab)

mobysign

Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

In the paragraph 3.2.1 at point 19 the authentication procedure is described to be within the sphere of competence of the ASPSP except when the PISP issues its own personalised security credentials to the user, in place of the credentials issued by the ASPSP.
It is not clear why this latter possibility would require a prior contractual agreement between PIS and ASPSP and such agreement be outside of the scope of PSD2.

In fact, the presence of wallet solutions unifying more payment methods under a single user interface and authentication today is allowing consumers to simplify their user experience and electronic transactions to grow.
Wallet solutions under PSD2 seem to be provided by PISs (if not, who provides?), for which the agreements with ASPSPs would be difficult and slow to be defined one by one, with the consequence of reducing electronic payment transactions.
As an alternative solution, the PIS could ask the ASPSP for the first authentication of the user in order to manage the payment method of the ASPSP to the PIS wallet and then for the following payments involving that ASPSP, the strong authentication could be provided by the wallet solution which would be fully compliant with strong authentication requirements of the Consultation Paper; in this case one to one agreements would not be necessary.
As a note, also an eIDAS strong authentication solution (for example eIDAS substantial and/or high assurance level) where also fulfilling strong authentication requirements of the consultation paper could be a promising strong authentication usable for a PSD2 wallet without one to one and slow agreements with ASPSPs.
In the case additional liability requirements could be put in place for PISs providing wallets which unify the strong authentication of the user.

The same mechanism could also be provided to link the wallet to a credit/debit card, where the issuer of the card could provide the first authentication and then the wallet strong authentication would be used for the following payment transactions.

In addition, it is not clear whether in the article 10 the storage of the PAN of the credit/debit card is made by the acquirer or by the payee and whether the strong authentication of the issuer (or of the bank) has to used or if it is allowed that:
1. the payees stores the PAN of the card and provides the user with a strong authentication provided directly by the payee, where the strong authentication is compliant with RTS.
2. the issuer at the point above has necessarily to request the ASPSP for knowing the availability of the amount on the bank account

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

In the paragraph 3.2.1 at point 26 seems that the channel where amount and payee are displayed is different from the channel used for initiating the payment.
However, in order to prevent from man-in-the-middle and man-in-the-browser attacks, at least in the case where the transaction signing is used as strong authentication, it could be possible to display amount and payee also on the channel used to initiating the payment to allow the user matching said information present on the two different channels.
In any case we agree with the fact that the means (for example a mobile app) used by the payer to authenticate must be different from the means (ecommerce web page, merchant app …) used to view goods to buy or manage banking accounts; in particular the authentication means shouldn’t allow SDKs to be integrated client side to provide segregation.

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant? See our reply to question Q2.

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

See our reply to the question Q1.
In addition it is not clear whether:
• card issuers have always to use ASPSPs strong authentication, even when it is not required to know the coverage of the payment amount in the user’s account.
• Usual home/mobile banking services not interconnected with PIS and AIS have to comply with the RTS

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption? See our reply to question Q1

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS? See our replies to questions Q1 and Q2.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

We do not agree with the fact that the implementation of the open standard will be different for all ASPSPs and this will cause the impossibility to realize an effective interoperability and a barrier to wallet solution which, instead, could offer the possibility to the ecommerce – mobile payment market to grow.

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

We agree as this is a standard and helps to get interoperability. It would be useful to define if communications have to use webservices or whatever else for interoperability.

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services ?

We agree; everything which goes, where possible, towards convergence between eIDAS and PSD2 is agreed to simplify authenitcation rules.

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieve an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency. More times would be suitable, such as 30 minutes frequency

Please select which category best describes you and/or your organisation [IT services provider "]"

Please select which category best describes the services provided by you/your organisation [Other"]"

If you selected "Other", please provide details mobile authentication services for payments, logins and dispositions.

Name of organisation mobysign