Primary tabs


Registering payment details on commercial web sites, online signing of e-mandates, enrolling on third party providers...
Data encryption keys downloaded or incorporated on devices that are used to electronically sign, digital certificate ...
Yes, although those behavior-based patterns can also be considered as basis for exemptions.
The use of a one time use passwords sent to the phone should not be used alone
Dynamic linking should also apply when a OTP is given, once the PSP takes note of the details of the operation, not necessarily linking both things on the same message.
Dynamic linking should be understood as applied to the messages being sent, so that compromise in the communication media is protected, not necessarily internally to the device.
The downloading of a private key to the app so that communication is protected by a dynamic seal" or "signature" being added to the message.
Two objectives are fulfill: the device is acknowledged and the message can not be compromised if captured out the device.
Thus, the use of such key may be regarded as no necessarily preventing the independence between two criteria."
Absolutely. The idea of low payments and some others like customer track record could also be dependent on the customer profile at the discretion of the PSP.
Certain legacy practices (offline payments with cards, non 3D Secure...)
The enrolment process should also lean of strong authentication, even if it is to substitute it for other method.
In any case, the PSP issuing the credentials should be responsible for proper care
Intervention of third party providers.
Third party providers should be prevented to use any component they may have control on (e.g. NFC antenna or biometric in a smartphone by a smartphone supplier) to be exclusively retained for their use, preventing diversity of app or solutions to be offered to same client, and getting that way strong position before PSPs to become PIS
If Third Party Providers (specially when supply smartphone operating system or hardware, email software, etc.) want to be eligible, they should be prevented from retaining other key components at their exclusive use, forcing and driving the behavior of customers and other PSPs
Web services accesses, and specially digital certificates of the Third Party Providers as issued by the authority (ECB or EBA) so as to be properly acknowledged by PSPs
Yes to some extend, both to be used by customers and to be used by Third Party Providers to become identifiable in a trusty way.
[Credit institution"]"
[Execution of payment transactions"]"