Submission #136

Primary tabs

View(active tab)

EuroCommerce

Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

While EuroCommerce agrees with the principles and understands the EBA’s reasoning, EuroCommerce does not support a blanket approach as proposed by the EBA for Strong Customer Authentication (SCA) believing that it risks reducing competition in the market, could materially impact customer convenience and restrict the development of the Digital Single Market.
EuroCommerce believes that a clearer risk based approach is needed which could be applied across all payment channels including Telesales and Direct Debits, however we agree that authentication requirements should be developed in the form of high level principles that can adapt to emerging threats and the development of innovative security solutions.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

Yes, EuroCommerce agrees, however questions such as what would happen in situations where a total value has been authorised (single amount) but the order is then split into different amounts as part of the fulfilment ‘charge with despatch’ process. Authentication and authorisation need to be viewed as two separate actions.

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant? No comment

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

EuroCommerce would rather support a targeted risk based approach, which is less likely to stifle growth and through innovation and experience reduce the levels of fraud. The diversity on the market is too great for a single list of elements and a centralized minimum threshold approach to risk. EuroCommerce would prefer an approach whereby industry best practices are acknowledged.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

EuroCommerce is concerned that any rigid framework may not achieve the desired results, for example risks associated with low-value, high risk transactions may not be sufficiently addressed by the EBA approach.

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?

EuroCommerce broadly supports the EBA’s reasoning, however some questions still remain, for example article 9 (c) makes reference to ‘Secret cryptographic material related to the encryption of the credentials is stored in secure and tamper-resistant devices and environments’, how should ‘secure’ and ‘tamper-resistant’ be defined? Could software solutions running in a rich Operating Standard be accepted provided they pass the necessary certification tests?

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

EuroCommerce fully supports the provisions of PSD II to allow non-bank third-party payment providers (TPPs), including payment initiation services (PIS), to directly access consumers' account information to initiate a payment. This has potential to transform the market, allowing innovation, promoting competition and creating conditions for the best use of new technologies. The final regulatory standards must be amended so as to guarantee the right of direct access of TPP's to consumers' accounts to initiate payments without being made dependent on the very banks with whom they often compete.
In our view, TPP’s must be allowed to continue using direct access via the customer facing online interfaces of the banks in order to initiate payments on behalf of consumers. This direct access technology is well established and is already transforming the market, allowing innovation and promoting competition.

Payment security would be ensured as TPP's choosing to issue their own credentials would have to comply with the RTS SCA-requirements themselves.

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards? No comment

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services ? No comment

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieve an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency. No comment

Please select which category best describes you and/or your organisation [Other "]"

If you selected "Other", please provide details Retail Trade Association

Please select which category best describes the services provided by you/your organisation [Other"]"

If you selected "Other", please provide details Retail Trade Association

Name of organisation EuroCommerce