Yes. However, point 3.A of Article 6 should be made more precise. Through consultation with banks, a question has arisen: does SMS meet these requirements? Our interpretation of this point is that solution providers should guarantee that the hardware or software is not tampered with. In the case of hardware, we see solutions using either an HSM or a TEE on mobile. For purely software-based solutions, we do not see how it can be done.
The banks' interpretation is that you cannot use the same channel for the OTP (i.e. you cannot send an OTP through a push notification to the mobile app, because it would be using the same execution environment, but if you send an SMS you are in fact already using a different channel or execution environment).
It should be made clear whether SMS is an exception. In our experience developing digital identity solutions for government and a telecommunications company, SMS can be tampered with through methods like number forwarding, special devices for SMS interception, etc.
In the case of the TEE mentioned in Article 6, dynamic linking information can be provided in the same app used for initiating the payment. The channels are separated, and having a separate app would just lower the adoption of security solutions.
-
Yes
No
Yes
Yes. Also, should we include something about modern cryptographic interfaces? The library NaCl, which was in part funded by the European Commission, prevents misuse of cryptographic primitives and is simpler, with a smaller attack surface, than OpenSSL.
Yes
Yes. The Qualified Electronic Signatures rules state that a certificate can be generated if the device gives a 100% non-repudiation guarantee. All modern smartphones and tablets have a TEE, which makes it possible to achieve that.
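As an added illustration of the dynamic linking point raised in the Article 6 comment above (example code, not part of the response): an authentication code is computed over the amount and payee with a key that a TEE would hold, so a transaction whose amount or payee was altered in transit, or a code replayed for a second transaction, no longer verifies. The key, nonce and payee values are constructed placeholders.

```python
import hashlib
import hmac
import struct


def _canonical_transaction(amount_cents: int, payee: str, nonce: bytes) -> bytes:
    """Unambiguous encoding of the linked fields: fixed-width amount,
    length-prefixed payee, then the per-transaction nonce."""
    payee_bytes = payee.encode("utf-8")
    return (struct.pack(">Q", amount_cents)
            + struct.pack(">H", len(payee_bytes))
            + payee_bytes
            + nonce)


def dynamic_link_code(key: bytes, amount_cents: int, payee: str, nonce: bytes) -> str:
    """Authentication code bound to amount, payee and nonce. In a deployed app the
    key stays inside the TEE and the code is shown next to the transaction details."""
    msg = _canonical_transaction(amount_cents, payee, nonce)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation so the payer sees an 8-digit code
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % 10**8:08d}"


def verify_dynamic_link(key: bytes, amount_cents: int, payee: str, nonce: bytes, code: str) -> bool:
    """Server-side check: recompute over the transaction the bank is about to execute."""
    expected = dynamic_link_code(key, amount_cents, payee, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Constructed walk-through: a code issued for one transaction fails for any altered one."""
    key = bytes.fromhex("00" * 32)                  # constructed placeholder key
    nonce = bytes.fromhex("0102030405060708")       # constructed; real nonces come from a CSPRNG
    other_nonce = bytes.fromhex("0807060504030201")  # constructed, a second transaction
    code = dynamic_link_code(key, 12_500, "payee-A", nonce)
    return {
        "original": verify_dynamic_link(key, 12_500, "payee-A", nonce, code),
        "amount_changed": verify_dynamic_link(key, 125_000, "payee-A", nonce, code),
        "payee_changed": verify_dynamic_link(key, 12_500, "payee-B", nonce, code),
        "replayed": verify_dynamic_link(key, 12_500, "payee-A", other_nonce, code),
    }
```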