Yes, changes to any basic information in a bank related to a customer e.g. phone number, post address and e-mail address which can affect implemented security procedures and lead to impersonation and fraud are such other examples. Fraudulent re-issuing of PSC to a fraudulent address is another example.
Enrolment of PSUs into recurrent payment solutions and mobile applications with in-app payments have been experienced.
EBA should consider introducing the notion of a Token as specified by NIST Special Publication 800-63-2 Electronic Authentication Guideline which provides certain conceptual security qualities. The publication also provides practical examples of realisation of Tokens.
Tokens as a notion can be technology agnostic and facilitate description and understanding of new methods to combine authentication factors into a Token. Tokens are possessed by the User and controlled by one or more of the traditional authentication factors. By this way it will facilitate specifying and qualifying different characteristics of security solutions instead of just claiming the use of a two factor solution.
Specific realization of different kinds of Tokens is also contained in the above referenced NIST Guideline.
The Tokenization has the ability to protect, to limit use for specific ac-ceptance domains, can be unlinked for the ‘private data’ (the account no), can be seen as a ‘pseudonymisation’ of the personal data, as recommended in the EU General Data Protection Regulation approved on the 15. December 2015. (http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm) – on top of this tokens may be revoked by the PSU with the appropriate system setup.
EMVCo has made significant work in adaptation of tokenisation and proved its benefits for card payments.[ref:EMVCo Payment Tokenisation Specification Technical Framework version 1.0, March 2014]
Nets does not perceive “inherence” elements as strong customer authentication. But the notion of a token will be helpful in this context as Nets has proposed in its answer to question 2.
Nets has experience with collection and analysis of behaviour-based characteristics through deployment of so called “Behavioural Biometrics” in the Norwegian BankID solution. Experience show that though this type of authentication may show significant results for advanced, context based scenarios, the results for transaction types like simple authentication or transaction authorisation is not convincing. The significance of the confidence provided from the “Behavioural Biometrics” analysis is not satisfactory enough to replace one factor in a two-factor solution.
However inherence elements or behaviour-based characteristics data have a role to play as they are more difficult to exploit with phishing attacks, comparing to other SCA elements like “something you know” .
Currently behaviour-based characteristics analysis might not be mature enough to stand alone as SCA in all situations in relation to
Article 97(1) A. But could very much be used in low risk, low value Card payment transaction Article 97(1) B, and be an future important factor in inherence elements.
The first challenge is to detect occurrence of a single execution platform which may compromise independence of authentication ele-ments.
It is very hard to achieve independence of the authentication elements whenever it comes to a compromised mobile platform. Nets will not recommend EBA to make security requirements which specifies “independency of the authentication elements” which we find not to be achievable on a single execution environment. A better approach is to include the notion of a Token as proposed above and specify different assurance level according the strength of this Token.
Nets will recommend EBA to define the different threats which the system should protect against and establish an Assurance Level Matrix based on the same concept as NIST or eIDAS [STORK D2.3 Quality Authenticator Scheme. In this case a single device situation is reflected as a lower assurance level.
Nets has no comments
To be able to fulfil both independence and dynamic linking two different channels and processing devices must be in use. Despite Nets sceptic view on independence on independence for mobile devices, Nets has a satisfactory solution. In the Norwegian market Nets has deployed BankID on SIM, where the transaction authentication and signing is done in the SIM-card of a mobile device using SIM-toolkit application and end users private key protected in SIM. The client for authentication and signing is deployed in the SIM and triggered by an STK-message from the mobile operator. The client is capable of displaying the context of the transaction, ie amount, merchant or account number. On the other side the initial trigger of the transaction can be made from the mobile device’s browser displaying the payment context, thus enabling both parties to verify the authenticity and the integrity of the transaction. Both the merchant and the mobile operator are connected via a common infrastructure.
The clarifications are useful as a guideline, however we believe the explicit use of transaction risk analysis (42.D) requires further clarifications on who decides exemption conditions are meet and any liability switching. The transaction risk analysis is complicated by three matters: 1)a distinction between what is available for the Payer and the Payer’s PSP and what is available to the Payee and the Payee’s PSP eg the IP address of device used is available to the Payer and Payer’s PSP. 2) Secondly an understanding that information exchanged between the Payer and Payee can include elements that could be considered sensitive and covered by data protection eg Payer’s IP address during purchase. 3) Thirdly that best practice of use as in cards should be maintained by independent certification companies to ensure continual development in security practice and minimum standards similar to PCI DSS and ISO standards.
Nets has no comments.
Most important is the understanding of which information is available to Payer and Payer’s PSP as opposed to what is available to Payee and Payee’ PSP.
Deciding on mandatory minimum requirements where information from all parties are required will mean that one part can obstruct innovation and security in payments
As a complement to the criteria identified in paragraph 45 subsection b) we believe that as part of the information about the customer device used it should also include details on the SDK Application used (or similar information), to verify whether there has been updates or transfer of applications to new devices.
Today’s market and customer behavior is resulting in device replacement (and consequently transfer of applications) with a very high frequency, especially for those consumers who is most active in using new and emerging technologies.
Costumer convenience, new market opportunities combined with rapidly emerging new technologies is, together with increasing efforts to move cash into electronic payments, is also driving the market players into a very high frequency of application updates.
As both updates and transfer of applications (re-installation of known application) can be considered high risk, Nets sees it relevant to include in the risk evaluation.
Additional complement criteria to subsection a) we believe that, when available, the routing and switching information should be used as well.
The payment processor will always know who has delivered the transaction to the payment system, and in order to establish reliability it could be meaningful to have the payment processor be a part of the risk assessment, which could be in form of a risk marking, like the way that such a marking is used in the current 3D secure processing.
Yes they are clear, however distinction between high impact services vs low impact needs to be made, e.g. using a payment app that applies low value / low risk methods should be approached differently than requirements to reissue cards, open bank accounts etc. High impact use cases should not be negatively impacted by needs from low impact uses cases.
Comment on 52. i.:
Include credential renewal and - revocation/ destruction.
The clarification specified in 51. E is very important:
National eID solutions in the Nordic area are used for much more than payments
In the Nordic countries Norway and Denmark a common e-ID solution is used for both e-banking and e-Government transactions.(NemID in Denmark and BankID in Norway) It is therefore important that the RTS supporting the financial area does not impose conflicts to the eIDAS regulation supporting the e-Governmental area because the e-ID solution in the Nordic must embrace both areas to provide the efficiency gains and consumer convenience. This cross sector use of eID solutions in practice means that the same eID solutions are both used for payments and as well as e-signing of for example an application for a divorce or sign-off of a parent ship to kids, registering move of national register address, signing mortgage bonds or signing of property deeds. Consequently, the impact of any security breach related to PSC can have significant consequences for the PSU although the impact may be non-financial it may compromise privacy.
The protection of PSC for these eID solutions is crucial for the end-user’s trust in the solution in the countries using common eID solutions. Therefore, exposure of the PSC to third parties should not be allowed when the PSC is utilised for common eID solutions.
The use of the open standard OAuth 2.0 Authentication Framework can provide third parties with an alternative protocol using tokens which prevent disclosure of the end-user PSC for the eID solutions to third parties. Nets has explained about an example of alternatives as OAuth 2.0 in its answer to question 2.
This is also in alignment with the recommendations made by ECB as described in ECB: Recommendations for “payment account access” services, January 2013.
Nets has identified delayed revocation/destruction of credentials as a risk in regard to protecting PSCs.
Nets has no comments
Unfortunately Nets cannot point to alternatives to certification or third party evaluation even though Nets is opposed to using strong formal certification - and authentication schemes for the entire enrolment as this drives cost and significantly limit innovation and market adoption.
An alternative is to limit financial and data protection risks for solutions which decide to not to comply with complicated and expensive certification or evaluation.
In Nets’ opinion enrolment is one of the most critical parts of the credential life-cycle. It is here the foundation of the quality of the authentication system is created. However, it is a rare event compared to the normal operation when users initiates/authorize payments, which occur on a daily basis.
In Nets’ view, the segment between the PSU and the third party is ex-posed to most risks as the PSU – being a non-professional - often have few or no means to confirm the identity of the third party. In this segment the risk of phishing is highest and the consequence for the PSU could be financial loss but also non-financial. The trust balance is not even here. The PSU is supposed to identify himself but the third party is not required to identify himself towards the PSU. The PSU may think he is enrolling with the correct third party but it could be an impersonator.
Please refer to Nets answer to Question 10 for more information on common eID solutions and consequences of a security breach.
Comments to 63 a.: It is very difficult to define the notion “common and open” in more detail, because there are plenty of organisations in the field which claims to develop common and open standards. Either keep the notion open or EBA should recommend specific standards to be used. However, this could also lead to over regulations if EBA is going into very specific detail.
Comments to 63 b: Yes, it will be helpful to specify the quality of how the PIS/AIS identifies themselves to ASPSP., because an IP-address of the AIS/PIS is evidently neither sufficient or trustworthy.
Comments to 63c: The central part here is that the PSC of the PSU is never disclosed to the PIS/AIS. Only in the circumstances that the PIS/AIS itself act as a trusted issuer of the PSC or if PIS/AIS is issued its own PSCs.
No comments to 63d.
Comments to 63e.: A framework which has been defined by NIST 800-63-2 and ISO 29115 on Electronic Authentication and which uses different assurance levels in accordance with the perceived risk acceptance could be helpful.
No comments to 63f.
EBA may consider this approach: On security matters direct to some general security guidelines as proposed above, but on the interoperability area the standards should be developed and maintained by the industry as these interoperability standards have to be very specific - otherwise, the free and open competition will not occur.
Nets and its peers in the payments industry have engaged in making new industry standards for the purpose of AIS/PIS via the CAPS Framework Work Group. Nets see industry standards as CAPS Framework as a prerequisite to make PIS and AIS create the expected innovation in the payments market. [For more information on CAPS Framework see http://www.nets.eu/Documents/White%20Paper%20on%20CAPS%20for%20PSD2.pdf]
Nets recommends EBA to include OAuth 2.0 Authentication Framework into the RTS. The objectives of OAuth 2.0 is:
1) Instead of using the resource owner's credentials to access protected resources, the client(AIS/PIS) obtains an access token -- a string denoting a specific scope, lifetime, and other access attributes.
2) Access tokens are issued to third-party clients (AIS/PIS) by an authorization server with the approval of the resource owner.
3) The client (AIS/PIS) uses the access token to access the protected resources hosted by the resource server
EBA may have representatives involved in the respective standardisation bodies to ensure that the standards on interoperability are developed according to the market needs.
The eIDAS regulation is very general. However, there is con-cepts/frameworks developed in several EU projects like STORK where requirements to enrolment and authentication could be leveraged in the RTS to PSD2. The eIDAS regulation is expected to benefit from STORK also.
No, Nets can’t see the justification for using either a qualified electronic signature, a qualified seal or a trusted time stamping authority for the purpose of supporting PSD2 regulation. The standards developed so far to support Qualified Trust services are developed without any consideration to making a risk assessment and probably thereby too rigid to solve a real marked need.
[Issuing of payment instruments and/or acquiring of payment transactions"]"
Nets is also involved in payment initiation services and eID services as a third party