Bundesverband der electronic cash Netzbetreiber (BecN) e.V.
Payment fraud can also originate with fraudulent merchants. For acquirers and merchant service providers, professional merchant fraud among smaller merchants can be very difficult to detect quickly.
Biometric theft should also be considered: a stolen card or password can easily be replaced, but fingerprints cannot be changed or replaced, so a compromised biometric reference stays compromised permanently.
A card, but also card data held in the secure element of a smartphone, or a token held in a secure environment. Especially for the POS environment we recommend using the established EMV Chip & PIN of (debit) payment cards. This facility, present on every (debit) payment card in the EU, should be opened up for use not only within the card system to authorise card payment transactions; access should also be granted for its use in the context of SCA at the POS.
Another aspect: is a handwritten signature combined with biometric elements such as pressure and speed sufficient to fulfil strong authentication? Signature = knowledge (of the signature) + handwriting + biometric reference (pressure and speed).
Are the physical mobile device and a fingerprint ID on that same device independent elements, i.e. does compromise of the device not also compromise the biometric element? This should be clarified, also taking into account regulatory trends in the Americas (e.g. USA) and Asia (e.g. Singapore).
Who defines what “low risk” is? The acceptable risk appetite can vary strongly between merchant category codes, products, delivery addresses, transaction frequencies, transaction amounts, and among payers from different countries (e.g. Italy vs. Finland).
Art. 74(2) PSD2 is sufficient in describing exemptions, since it allows companies to independently offer a multitude of different services “based on own risk consideration”. This is a core issue for competition and innovation.
Any exhaustive list of exclusions would hold back market development and innovation. If a list must be introduced, it should not be final but merely explanatory (non-exhaustive).
Consider also providing the possibility of risk settings on the customer side. The customer might want to accept a little more (manageable) risk in exchange for usability, e.g. a setting enabling NFC payments up to 100 € without PIN.
Customer choice and risk management are also applied in xs2a (access to account), which enables the customer to take decisions in favour of usability by granting access to their account information.
The EBA should also consult the EU competition authorities and major market participants on the market effects of any specific exemption.
If a list of exemptions is included, it should leave enough room for as yet unforeseen developments.
In a typical multi-party card system, who should perform the transaction analysis: only the issuer, any service provider in between, only the acquirer, or all entities individually?
In general, the principle should be: the entity that performs the analysis also decides on the risk measures and bears the financial consequences of that risk decision.
Proper transaction analysis and risk management should enable the PSP to offer payment initiation without strong authentication and without a liability shift. This kind of risk management is already widely used in card payments, based on customer behaviour and other back-end tools.
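The risk-based decision described in the preceding paragraphs, together with the customer-side risk setting suggested earlier (NFC payments up to 100 € without PIN), as an added example in Python that is not part of the BecN response or of any card scheme's code: one analysing entity (the issuer here, but the `analysed_by` parameter can name any party) combines the cardholder's own no-PIN limit with issuer-side risk signals and velocity caps, and records that whoever grants an exemption also carries the loss. All thresholds, merchant category codes, countries and sample transactions are constructed assumptions, not regulatory or scheme values.

```python
"""Risk-based SCA exemption decision with a customer-side setting and velocity caps.
Added illustration, not code from the BecN response or any card scheme; every threshold,
merchant category, country and transaction below is a constructed assumption."""
from dataclasses import dataclass, field
from decimal import Decimal
from enum import Enum

class Decision(Enum):
    EXEMPT = "exempt"              # payment proceeds without SCA
    SCA_REQUIRED = "sca_required"  # PIN / second factor must be applied

@dataclass
class CustomerSettings:            # risk the cardholder chooses to carry (hypothetical feature)
    nfc_no_pin_limit: Decimal = Decimal("0")          # 0: always ask for PIN on NFC

@dataclass
class IssuerPolicy:                # issuer-side risk appetite (constructed values)
    low_value_limit: Decimal = Decimal("30")          # per-transaction cap for analysis-based exemption
    max_no_sca_in_row: int = 5                        # consecutive exemptions before a PIN is forced
    max_no_sca_cumulative: Decimal = Decimal("150")   # summed exempt amounts before a PIN is forced
    high_risk_mccs: frozenset = frozenset({"7995", "6051"})  # e.g. gambling, quasi-cash

@dataclass
class Counters:                    # state since the last SCA, kept by the analysing entity
    no_sca_count: int = 0
    no_sca_sum: Decimal = Decimal("0")

    def record(self, decision, amount):
        if decision is Decision.EXEMPT:
            self.no_sca_count += 1
            self.no_sca_sum += amount
        else:                      # SCA performed: the velocity window starts again
            self.no_sca_count, self.no_sca_sum = 0, Decimal("0")

@dataclass
class Transaction:
    amount: Decimal
    channel: str                   # "nfc_pos", "chip_pin_pos" or "ecom"
    mcc: str                       # merchant category code
    merchant_country: str
    payer_country: str

@dataclass
class Result:
    decision: Decision
    analysed_by: str               # who ran the analysis: issuer, acquirer, intermediary ...
    bears_loss: bool               # True: the analysing entity carries the financial consequence
    reasons: list = field(default_factory=list)

def assess(tx, settings, policy, counters, analysed_by="issuer"):
    """Decide whether SCA is needed; whoever grants the exemption also bears the loss."""
    def require(reason):
        return Result(Decision.SCA_REQUIRED, analysed_by, False, [reason])
    def exempt(reason):
        return Result(Decision.EXEMPT, analysed_by, True, [reason])

    if tx.channel == "chip_pin_pos":
        return require("EMV Chip & PIN is itself SCA")
    # Velocity caps bound what a lost card can do before a PIN is demanded again.
    if counters.no_sca_count >= policy.max_no_sca_in_row:
        return require("consecutive no-SCA limit reached")
    if counters.no_sca_sum + tx.amount > policy.max_no_sca_cumulative:
        return require("cumulative no-SCA amount would exceed limit")
    # Issuer-side risk signals override any customer preference.
    if tx.mcc in policy.high_risk_mccs:
        return require(f"high-risk merchant category {tx.mcc}")
    # Customer-side setting: tap at the POS without PIN up to a self-chosen limit.
    if tx.channel == "nfc_pos" and tx.amount <= settings.nfc_no_pin_limit:
        return exempt("within cardholder's NFC no-PIN limit")
    # Issuer-side analysis: low value, domestic, ordinary merchant.
    if tx.amount <= policy.low_value_limit and tx.merchant_country == tx.payer_country:
        return exempt("low value, domestic, ordinary merchant")
    return require("no exemption applies")

def run_sequence(txs, settings, policy):
    """Process transactions in order sharing one counter window; return the results."""
    counters, out = Counters(), []
    for tx in txs:
        r = assess(tx, settings, policy, counters)
        counters.record(r.decision, tx.amount)
        out.append(r)
    return out

# Constructed sample: cardholder in DE who opted in to 100 EUR NFC payments without PIN.
SAMPLE_SETTINGS = CustomerSettings(nfc_no_pin_limit=Decimal("100"))
SAMPLE_POLICY = IssuerPolicy()
SAMPLE_TRANSACTIONS = [
    Transaction(Decimal("45"), "nfc_pos", "5411", "DE", "DE"),   # groceries, tap without PIN
    Transaction(Decimal("20"), "ecom", "5732", "DE", "DE"),      # small domestic online purchase
    Transaction(Decimal("90"), "nfc_pos", "5812", "DE", "DE"),   # would push the no-SCA sum to 155
    Transaction(Decimal("20"), "ecom", "7995", "DE", "DE"),      # gambling merchant category
    Transaction(Decimal("25"), "ecom", "5732", "IT", "FI"),      # cross-border: IT merchant, FI payer
    Transaction(Decimal("120"), "nfc_pos", "5411", "DE", "DE"),  # above the cardholder's NFC limit
]

def demo():
    """Decision names for the sample sequence."""
    return [r.decision.value for r in run_sequence(SAMPLE_TRANSACTIONS, SAMPLE_SETTINGS, SAMPLE_POLICY)]

def consecutive_cap_demo():
    """Six 10 EUR taps: the sixth must force a PIN although each one is tiny."""
    taps = [Transaction(Decimal("10"), "nfc_pos", "5411", "DE", "DE")] * 6
    return [r.decision.value for r in run_sequence(taps, SAMPLE_SETTINGS, SAMPLE_POLICY)]
```

`demo()` exempts the first two transactions, forces a PIN on the third because the cumulative no-SCA amount would exceed the cap (not because 90 € is high in itself), and stops the remaining three on the merchant category, the cross-border mismatch and the cardholder's own limit; `consecutive_cap_demo()` shows the count-based cap. The point beyond the text: a customer-side setting widens usability only inside bounds the analysing entity still controls, which is consistent with that entity carrying the loss.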
In many modern payment architectures the weakest segment appears to be the payment service user: the consumer may, intentionally or unintentionally, hand over PINs, TANs or passwords to the wrong recipient (social engineering, man-in-the-middle attacks and more).
It should be further clarified if and how these open standards shall also apply to the card business.
In the EU, EMV Chip & PIN technology is already available on every (debit) payment card and is already rated as SCA-compliant. In order to enable direct access to the account underlying the card (or the PSC), it should be considered to additionally store the account number (IBAN) in each of these (debit) payment cards, in the chip's memory, as the IBAN is the well-established SEPA-wide unique account identifier. This should be made obligatory for every issuer of a (debit) payment card in the EU.
If card issuers were also obliged to open up the use of Chip & PIN (together with an open read-out of the IBAN) at a minimum to PSPs such as PIS/AIS providers, these PSPs would be able to address the cardholder's account, fully secured by the cardholder and the Chip & PIN technology, and the market could develop new payment products in the sense of PSD2. Note that an open read-out means the IBAN can be read by any terminal or reader; it would therefore serve as an identifier, not a secret, and the security of such access must rest entirely on the PIN and the chip.
If for any reason storing the IBAN in the payment card is not feasible, consideration should be given to setting the proper conditions so that xs2a is also available through EMV Chip & PIN within the DCSI concept, by making it possible to address the account directly from the data already stored in the EMV chip (e.g. the PAN), so that the IBAN can be retrieved at the account-holding bank.
In the past 20 years, many consumer e-ID services and projects in Europe were commercial flops. Some bank-operated e-ID services, especially in Scandinavia, were considered successful. A better worldwide analysis of the success factors should be performed before any regulatory action is considered.
Banks already identify their customers. With the corresponding bank card the customer has a very secure authentication tool: the EMV Chip & PIN standard provides strong authentication via knowledge (the PIN) + possession (the card/chip). Within DCSI, Chip & PIN in addition to xs2a could provide the interface and API for e-ID services.