We propose to subdivide this Chapter following the structure of Art. 97(1) of PSD2.
We suggest defining the requirements for strong customer authentication separately for each situation in which the payer: 1a) accesses his electronic account online, 1b) initiates an electronic payment transaction, or 1c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
We suggest modifying Art. 1(1) with regard to the term “authentication code”. This term should be understood as one of the elements (categorised as knowledge, possession and inherence) used by the payer in the authentication process.
We are of the opinion that the result of the authentication procedure is not the creation of an authentication code, as stated in Art. 1(1). “Authentication code” should be in line with the definition of strong customer authentication under PSD2.
We propose to use in this Chapter terms such as PIN code, password, one-time generated token (in the context of dynamic linking), biometric data, etc. We take no position on the detailed definition of the requirements for elements such as the PIN code or password (for example, whether the password shall contain only non-repeating alphanumeric characters, etc.).
For the sake of clarity, it should be clearly stated in which cases the payer uses each of the elements (categorised as knowledge, possession and inherence).
For the purpose of clarity, we propose to subdivide Chapter 2 into 5 subcategories in line with the structure of Art. 97 of PSD2.
a) Exemptions when the payer accesses his payment account online:
- for example “mobile application” with mobile PIN as single authentication,
b) Exemptions when the payer initiates the electronic payment transaction:
- for example “chip and PIN” payment card transactions (PIN transactions at the EFTPOS and/or ATM) or contactless card-based transactions, in both categories up to a certain limit,
c) Exemptions when the payer carries out any action through a remote channel which may imply a risk of payment fraud or other abuses:
- for example “change of the PIN code” by the cardholder via ATM,
d) Exemptions in case of dynamic linking procedure:
- for example remote payment transactions (e-commerce/online payment transactions) up to a certain limit,
e) Exemptions on security measures:
- specific payment transactions (e.g. Art. 63(1)(b) of PSD2) or limited network/specific payment instruments, if a payment service provider is involved.
The current structure of this Chapter is unclear and might lead to vague conclusions.
In the case of remote electronic payment transactions, it is not clear which transactions are in scope and which are out of scope (for example internet payments, POS payments, remote telephone payments, etc.). Exemptions for remote electronic payment transactions should be stipulated in the case of the dynamic linking procedure.
It should be clearly stated if exemptions from strong customer authentication are applied in cases:
- when, for example, the payer logs into the Internet banking domain (using strong customer authentication) and immediately afterwards initiates a payment or changes the password of the product statement (exemption from strong customer authentication),
- in the case of “chip and PIN” payment card transactions or payment card transactions authorised by signature, and
- “other activities through a remote access”, for example when the payer changes the PIN code of his payment card at an ATM or makes changes via Internet banking or a mobile application (a change of the application password or of the password to the product statement).
We propose that Chapter 2 defines only exemptions, in line with Comment 1. This means that the requirements for strong customer authentication should be moved into Chapter 1 (for example Art. 8(1)(a)(i) and (ii) should be moved to Chapter 1).
It should be clearly stated that the Chapter 2 defines only exemptions.
The proposal of the RTS should follow the rule that it stipulates only technical requirements, not obligations of any person involved. Therefore we suggest re-evaluating certain wording used (e.g. replacing the word “shall” with the word “may”).
PSD2 stipulates the rights and obligations of payment service providers and payment service users. The mandate of the EBA to develop regulatory technical standards, as stated in Art. 98 of PSD2, is linked to “requirements”, not to the “obligations of any party” (the RTS should stipulate only technical standards/requirements).