The Ministry of Finance of the Czech Republic (referred to as MFCR) has several concerns about the application of strong customer authentication (SCA) by payment service providers (PSPs).
The EBA states that the goal of these Regulatory Technical Standards (RTS) is to allow technical innovation and responses to future security threats not yet anticipated by these rules. For that reason the RTS do not require PSPs to use specific technical standards or technologies, with one exception: Article 1(3)(d) states that the SCA procedure should protect communication sessions using HTTP over the cryptographic protocol TLS. Binding the procedure to one application-layer protocol does not fit, for instance, native mobile applications or other non-HTTP channels that protect the session by other cryptographic means. MFCR therefore proposes changing Article 1(3)(d) to a more technologically neutral version: "(d) protect communication sessions against the capture of data transmitted during the authentication procedure or manipulation by unauthorised parties, by relying on cryptographic protocols such as HTTP over TLS."
1) Firstly, article 97 PSD2 is applicable to so-called one-leg transactions, see article 2(4) PSD2. This implies that where the payer initiates an electronic payment transaction and the payer's PSP is located in the EU while the payee's PSP is located outside the EU, the obligation to apply SCA still applies. However, neither the payee's PSP nor the payee is obliged to support SCA. It means that either:
a) the payer is not able to initiate the payment transaction and pay, or
b) the payer's PSP breaches the requirement of article 97(1) and does not apply SCA in these cases.
Variant b) would make the payer's PSP liable in accordance with article 74(2) PSD2. Nevertheless, the remedy referred to in article 72(2), second sentence, is not available, since the non-EU persons (the payee and its PSP) are not bound by that provision.
One-leg transactions should be exempted from the application of article 97(1) where the support of the payee or the payee's PSP is needed to perform SCA; card-based payment transactions are the typical example. SCA should still be applied to one-leg credit transfers, as no action by the payee or the payee's PSP is needed there.
Otherwise, to give a specific example, an EU consumer shopping online in a Canadian e-shop using the card number and the CVC code would not be able to initiate the payment transaction and purchase the goods, since the non-EU actors do not support the EU rules for authentication.
2) Secondly, the legal assessment of online card payments should be examined. Payment initiation based on the card number, the CVC code and a one-time code sent to the user's mobile phone does not appear to meet the conditions for SCA. The card number and the CVC are printed on the card and are therefore visible to and accessible by any person who handles it. As these elements are not accessible only to the payer, they cannot qualify as knowledge or possession elements. A single mobile code can qualify as a possession element; the second element is missing. This should be reflected in chapter 2 of the RTS on authentication and communication. It should be noted that the legal risk of an unauthorised payment transaction lies with the PSP and that users are sufficiently protected under the current framework. There is no need to stop this kind of payment.
3) Article 63(1)(b) PSD2 states: "Articles 72 and 73, and Article 74(1) and (3), do not apply if the payment instrument is used anonymously or the payment service provider is not in a position for other reasons which are intrinsic to the payment instrument to prove that a payment transaction was authorised;" This provision enables the issuance of payment instruments with lower security standards, provided that the thresholds stated in article 63 are respected. The consumer is informed of that limitation, and convenience of use is provided in return. These instruments use single-factor authentication, e.g. possession only. Mandatory SCA makes no sense for this kind of instrument. We suggest that chapter 2 of the RTS exclude the application of SCA to the low-value payment instruments and electronic money referred to in article 63 [at least in article 63(1)(b) and 63(3)].
4) So-called premium services are offered by telecommunications operators and enable payment via mobile phone for tickets, parking, etc. These services are partly excluded under article 3(l) and partly under article 63. However, they should be examined more closely with regard to the application of SCA. SCA could make it impossible to use these services for higher-value payments (e.g. premium-rate information lines).
1) The exemption referred to in article 8(1)(b) of the RTS on authentication implies that SCA applies each time the cumulative threshold of 150 EUR is reached. Nevertheless, current practice is different. In the Czech Republic the limit for contactless payments set by most banks is 500 CZK (approx. 20 EUR) per transaction, and frequently no cumulative limit is set at all.
It should be noted that if a client claims a contactless payment transaction to be unauthorised, the PSP has very limited means of proving otherwise. In other words, under standard circumstances the PSP is liable for contactless payments, and the risk to users is very limited. We therefore suggest that the 150 EUR threshold be applied on a daily basis, or that no cumulative limit be set at all. The measure proposed in the RTS is too burdensome.
2) According to Article 97(4) PSD2, SCA should be required when the information is requested through an account information service provider (AISP). MFCR is concerned with this suggestion: does it mean that consumers have to complete the SCA procedure every time they access information about their accounts through an AISP? Such a provision would make account information services unattractive compared with accessing payment account information online directly, for which Article 8(1)(a) of the RTS provides an exemption. Or is SCA required only the first time the account servicing PSP grants access to the AISP?
3) According to Article 8(1)(a) of the RTS, SCA is to be applied if the payer accesses the information on its payment account later than one month after SCA was last applied. Current practice in the Czech Republic is different: if clients so choose, they can access their payment account through single-step verification (e.g. account number and password); only transactions and changes to account settings are subject to two-step authentication. Applying the RTS would change that with no apparent reason, as there is no risk of a fraudulent payment when this kind of authentication only allows clients to view their payment account information in a quick and convenient way.
MFCR is concerned with the technical difficulties resulting from the proposal in Article 9(1)(a) of the RTS, which requires personalised security credentials to be masked when displayed. With the standard HTML <input type="password"> element, some web browsers (e.g. Internet Explorer 10) allow the user to reveal the masked characters previously entered into the form through a control drawn by the browser itself. To meet the RTS requirement, service providers would either have to use non-standard technical solutions, or the HTML standards and their browser implementations would have to be altered.
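As an added illustration of the "non-standard technical solution" referred to above (example markup, not part of the MFCR submission), the following login page keeps the standard masked <input type="password"> element but suppresses the in-field reveal button that Internet Explorer 10 and later, and Edge, draw inside password fields. The suppression relies on the vendor-specific ::-ms-reveal pseudo-element, which is not part of any W3C/WHATWG standard; other browsers ignore the rule. The form action /login and the field names are assumptions for the example.

```html
<!-- Added example (not from the MFCR submission): standard masked password
     field with the Internet Explorer 10+/Edge "password reveal" button hidden
     via the vendor-specific ::-ms-reveal pseudo-element. The /login endpoint
     and field names are hypothetical. -->
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Login (masked credential, reveal control suppressed)</title>
  <style>
    /* Non-standard, vendor-specific rule: hides the eye icon that IE10+ and
       Edge add to password inputs. Browsers that do not implement the
       pseudo-element simply ignore this declaration. */
    input[type="password"]::-ms-reveal {
      display: none;
    }
  </style>
</head>
<body>
  <form method="post" action="/login">
    <label for="client">Client number</label>
    <input id="client" name="client" type="text" autocomplete="username" required>

    <label for="password">Password</label>
    <!-- The browser masks the characters as they are typed. Without the CSS
         rule above, IE10 would let the user un-mask them with the in-field
         reveal button, which is the behaviour the RTS wording would forbid. -->
    <input id="password" name="password" type="password"
           autocomplete="current-password" required>

    <button type="submit">Sign in</button>
  </form>
</body>
</html>
```

Two caveats a practitioner should keep in mind: the rule only removes the browser's own reveal control, it does not prevent the user from reading the value through developer tools or a script, and masking of displayed characters addresses an onlooker reading the screen, not interception of the credential in transit, which is the separate concern of Article 1(3)(d).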