While EuroCommerce agrees with the principles and understands the EBA’s reasoning, EuroCommerce does not support a blanket approach as proposed by the EBA for Strong Customer Authentication (SCA), believing that it risks reducing competition in the market, could materially impact customer convenience and could restrict the development of the Digital Single Market.
EuroCommerce believes that a clearer risk-based approach is needed which could be applied across all payment channels, including Telesales and Direct Debits. However, we agree that authentication requirements should be developed in the form of high-level principles that can adapt to emerging threats and the development of innovative security solutions.
Yes, EuroCommerce agrees; however, questions remain, such as what would happen in situations where a total value has been authorised (single amount) but the order is then split into different amounts as part of the fulfilment ‘charge with despatch’ process. Authentication and authorisation need to be viewed as two separate actions.
EuroCommerce would rather support a targeted risk-based approach, which is less likely to stifle growth and, through innovation and experience, reduce the levels of fraud. The diversity in the market is too great for a single list of elements and a centralized minimum threshold approach to risk. EuroCommerce would prefer an approach whereby industry best practices are acknowledged.
EuroCommerce is concerned that any rigid framework may not achieve the desired results; for example, risks associated with low-value, high-risk transactions may not be sufficiently addressed by the EBA approach.
EuroCommerce broadly supports the EBA’s reasoning; however, some questions still remain. For example, article 9 (c) makes reference to ‘Secret cryptographic material related to the encryption of the credentials is stored in secure and tamper-resistant devices and environments’. How should ‘secure’ and ‘tamper-resistant’ be defined? Could software solutions running in a rich Operating Standard be accepted provided they pass the necessary certification tests?
EuroCommerce fully supports the provisions of PSD II to allow non-bank third-party payment providers (TPPs), including payment initiation services (PIS), to directly access consumers' account information to initiate a payment. This has the potential to transform the market, allowing innovation, promoting competition and creating conditions for the best use of new technologies. The final regulatory standards must be amended so as to guarantee the right of direct access of TPPs to consumers' accounts to initiate payments without being made dependent on the very banks with whom they often compete.
In our view, TPPs must be allowed to continue using direct access via the customer-facing online interfaces of the banks in order to initiate payments on behalf of consumers. This direct access technology is well established and is already transforming the market, allowing innovation and promoting competition.
Payment security would be ensured, as TPPs choosing to issue their own credentials would have to comply with the RTS SCA requirements themselves.