European Association of Payment Service Providers for Merchants, EPSM
EPSM appreciates being given the opportunity to provide comments and recognises the work already undertaken by the European Banking Authority (EBA). Given the complementary membership of the European Association of Payment Service Providers for Merchants, it is obvious that the topics tabled by EBA can be viewed from different perspectives.
During the preparation of this reply, the statements of the participants were in some respects quite heterogeneous, depending very much on the services the respective companies provide. Consequently, EPSM suggests that, during the development process of the Regulatory Technical Standards (RTS), the reasonableness of each security measure be assessed for every category of services provided according to Article 4 of PSD2.
It should therefore be recognised that the payment service providers involved and addressed by the RTS have different roles and capabilities for fulfilling the envisaged requirements. An account servicing payment service provider (ASPSP), for example, fully controls the online banking account and has a direct contract with the payment service user (PSU). As such, an ASPSP may use various methods to meet the requirements of strong customer authentication when a direct debit transaction is initiated. A payment initiation service (PIS) provider, on the other hand, must be able to rely on the methods provided by the ASPSP.
Thirdly, where a remote payment is initiated with a credit card, all payment service providers (PSPs) involved typically only use technologies offered by the card schemes. It therefore needs to be recognised in the development process that the card schemes are at present not directly addressed by PSD2 or the envisaged RTS. A close dialogue between EBA and the card schemes during the process could help to minimise market disruption.
EPSM very much supports the list provided in PSD2 and further defined by EBA.
Nevertheless, with regard to Article 97(1)(b) of PSD2 and the considerations of EBA (item i. on page 12 of the Discussion Paper), it should be noted that the market has developed a long list of different scenarios and solutions for payment initiation and authentication. The considerations provided by EBA are a good first step towards understanding which exceptions will be allowed. Unfortunately, uncertainty remains as to exactly which payment initiation scenarios are covered.
From the text provided, one could understand that paper-signature-based direct debit transactions and paper-signature-based debit or credit card transactions are excluded. With regard to signature-based transactions, however, it is believed that it should make no difference whether a signature is provided on a piece of paper or on a signature pad. Acquirers and merchants have invested significantly in signature pads. Consequently, it should be clarified that a signature provided on a piece of paper and a signature provided on a signature pad will be treated equally.
These considerations show the risk of unintentionally blocking innovative solutions with the regulation. To minimise these risks, and with a view to consumers coming from abroad who may not have devices capable of complying with the requirements of PSD2, EPSM urges EBA to consult closely with the involved market players, such as the major card schemes.
With regard to item iii. (page 12 of the Discussion Paper), EPSM would like to draw attention to an additional fraud scenario experienced by acquirers, the so-called 'merchant identity fraud'. In this scenario, a fraudster takes over a legitimate business but has no intention of delivering the goods or providing the services purchased by consumers who have entered their authorisation data on the fraudster's payment platform. By the time the acquirers attempt to recover the funds, they find that the fraudster is gone and that they are liable for the loss and the respective fees.
Regrettably, this kind of fraud is difficult to tackle with the RTS as presently developed. It should nevertheless be kept in mind that, even with the most sophisticated mechanisms, fraud can hardly be stopped completely.
The RTS should not be too prescriptive. Future innovations for strong customer authentication should not be hindered by inflexible RTS.
Again, the RTS should not be too prescriptive. Future innovations for strong customer authentication should not be hindered by inflexible RTS.
As far as mobile devices are concerned, EPSM believes that mobile devices are in principle capable of providing independent authentication elements. The following characteristics of a mobile phone could be used: unlocking the device by PIN or fingerprint, the unique hardware number, a combination of hardware and software, SMS, and entering a PIN or password when initiating a payment.
Irrespective of the channels an ASPSP offers and the strong customer authentication methods an ASPSP accepts, the very same channels and methods shall be open if a PSU initiates a transaction via the services of a PIS. It should therefore be clarified that an ASPSP shall provide a level playing field to PIS providers and may not block communication channels or authentication methods for a PIS where these channels and methods would be accepted if the PSU used them directly.
EPSM agrees with EBA (see paragraph 35 of the Discussion Paper) that dynamic linking is only feasible for a very limited number of scenarios.
As noted above, EPSM believes that mobile devices are in principle capable of providing independent authentication elements. The following characteristics of a mobile phone could be used: unlocking the device by PIN or fingerprint, the unique hardware number, a combination of hardware and software, SMS, and entering a PIN or password when initiating a payment.
Please see joint answer to 7. - 9. below.
Please see joint answer to 7. - 9. below.
In principle, EPSM supports both the exemptions and the risk-based approach. A low-value transaction usually indicates a low-risk transaction. On the other hand, a low-value transaction in the gambling business might be treated differently. Therefore, no final view can be given on which exemptions should be granted and which result from a risk assessment should be required for a transaction to be considered low-risk.
Finding the right balance between consumer convenience and an acceptably low fraud rate is a significant regulatory challenge. It seems that the market has responded well to this challenge (for example, by also taking the business segment of the transaction into account). Therefore, the regulatory approach should not be too narrow.
When discussing this subject, the opinion was shared that an ASPSP should be liable where the ASPSP qualifies a fraudulent transaction as a low-risk transaction and the transaction would have been blocked had strong customer authentication been applied. Furthermore, such a transaction may not be treated differently when initiated via a PIS.
Please see joint answer to 10. – 14. below.
Please see joint answer to 10. – 14. below.
Please see joint answer to 10. – 14. below.
Please see joint answer to 10. – 14. below.
EPSM agrees that the protection of personalised security credentials is critical. Where the security credential is electronically delivered data, it shall not be transmitted unencrypted from the ASPSP to the PSU. Open, secure and reliable standards should be used for encryption. Users should be educated on how to validate the certificate of the ASPSP server.
There is a significant benefit in having components or devices certified or evaluated. Nevertheless, it is important not to introduce new or additional certification and evaluation methods. Global standards and innovative developments in other markets, e.g. America (USA) and Asia (Singapore), should be recognised.
Therefore, the regulation must not be too prescriptive in order to avoid costly, unnecessary adoption processes.
Please see joint answer to 15. – 18. below.
Please see joint answer to 15. – 18. below.
Please see joint answer to 15. – 18. below.
The use of common, open and secure standards is supported by EPSM. Many communication and certification standards are already available. Furthermore, it is critical that access for PIS and AIS providers to the respective servers of the ASPSP can be established in a direct, non-discriminatory way. No additional middle layer shall be required by the ASPSP.
Of course, an ASPSP shall not be prohibited from developing additional layers for certain applications or services, but the ASPSP shall not require a PIS or AIS provider to access the accounts other than via a direct connection using open and existing standards, such as the 3-way handshake and HTTPS.
Please see joint answer to 19. and 20. below.
EPSM supports the use of open and neutral requirements and certification standards, whether developed nationally, Europe-wide or globally. At present, it is difficult to anticipate the functionality and availability of pan-European solutions in the coming years.
Consequently, other solutions shall be accepted in addition to the services offered under the eIDAS Regulation.