Association of Consumer Credit Information Suppliers (ACCIS)
ACCIS supports the EBA's reasoning on the need to strengthen customer authentication and sees the proposed Regulatory Technical Standards (RTS) as an important step forward to enhance the security of payment services. However, certain categories in Chapter 1 of the RTS should be further clarified and better defined. In particular, clearer definitions of what constitutes "biometric sensor and template protection systems", "sensitive payment data" and "spending behavioural patterns" should be provided. ACCIS strongly believes that, given the sensitivity of such data, it is important to ensure that such data are used to the minimum extent necessary for the provision of payment services and are not used for any purpose other than payment services.
In addition, a wider number of customer authentication techniques than provided in Chapter 1 of the RTS should be encouraged, as with the fast pace of technological development, relying on a limited number of authentication techniques set in the regulation will not be robust. ACCIS notes that there is an assumption that the authentication mechanisms used by payment service providers will typically be the minimum required to comply; this unfortunately means that, should a compromise of one or more credentials happen, there is no simple way to re-authenticate the payment service user using other means. ACCIS suggests that the RTS be enhanced to strongly recommend that more than the minimum number of authentication methods be issued or enrolled, so that it is possible to more strongly authenticate a customer if compromise is suspected. This will also mean that it will be possible for payment service users to be authenticated when one or more methods are unavailable, for example using a mobile app technique in the absence of a data connection or a video method in low light conditions.
As mentioned in our response to Q1 of the consultation, ACCIS strongly believes that using a wider number of authentication techniques than provided in Chapter 1 of the RTS should be encouraged. With a limited number of authentication techniques there is a risk that, when some of a payment service user's credentials have been compromised, it will be difficult for payment service providers to re-authenticate the payment service user.
ACCIS is supportive of using standards such as the ISO20022 data dictionary for specifying fields transferred via APIs. This standardisation is essential to ensure that payments data is treated in the same manner from end to end, supporting the PSD and PSD2 goals of data integrity and efficiency. ACCIS notes that it is forecast that line of business applications will start to standardise on ISO20022 for their storage of data, in support of the use of such data for payment initiation in XML messages. Using ISO20022, which is already used for over 35 billion SEPA payments per annum and for which cards and immediate payments messages are being developed, ensures that the data is held at rest in the same format as when it is communicated between payment service providers and to third party providers. Accordingly, ACCIS recommends that the data definitions in ISO20022 are those used in defining the APIs for PISPs and AISPs. This will:
1) avoid excessive costs for payment stakeholders, and
2) be agnostic as to what technology is used to implement the AISP/PISP access.