Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2


Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

To stimulate the success of the European e-commerce industry, it is crucial to ensure a safe, efficient and well-functioning payment landscape. We therefore strongly support the efforts to further develop an integrated internal market for safe electronic payments, through the implementation of the PSD II.
Ecommerce Europe fully recognizes the need for customer protections in online payments, but calls on the EBA to take into account measures for a balanced approach to authentication. As outlined under Chapter 1 of the draft RTS, the proposed rules could have a damaging impact on the future competitiveness of the European e-commerce sector. A blanket imposition of strong customer authentication on online payments is too restrictive and burdensome on both online retailers and consumers. Consumers in Europe are used to a high level of convenience when purchasing goods and/or services online. The strong customer authentication measures proposed by the EBA, however, threaten the intricate balance in checkout convenience, leading to a more cumbersome authentication process for consumers.

Therefore, targeted authentication provides a better, more balanced and safer alternative to strong customer authentication. Targeted authentication ensures both a high level of online security and a smooth transaction process for the benefit of European consumers, online merchants and the wider economy. We urge the EBA to reflect the need for both a risk-based and a technologically neutral approach by expanding its mandate under the PSD II to include targeted authentication in their RTS.

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

Ecommerce Europe would like to voice its utmost concerns about the provisions on “dynamic linking” as provided under Article 2.2 of the draft RTS. From the point of view of the European e-commerce sector, these provisions, on the one hand, lack technological neutrality and, on the other hand, are unworkable from a consumer perspective. In light of the ongoing technological revolution in mobile devices and the growth in mobile (m-)commerce, the proposed provisions appear to be unsuitable for the next progression in e-commerce, thus putting at risk the continuous growth the sector has experienced.
In particular, Ecommerce Europe would like to raise with the EBA its serious concerns regarding the provisions under Article 2.2(b), which require that the channel, device or mobile application through which the information is linked shall be “independent or segregated” from the channel, device or mobile application used for initiating the electronic payment transaction. This continues to be applicable to ‘traditional’ online payments, where the customer undertakes the purchase from a PC and where the transaction may be authenticated through 3DSecure.
However, with respect to the rapid growth of m-commerce, there are significant problems with the proposed provisions. The proposal under Article 2.2(b) to impose an independent or segregated display of the authentication code from the original channel, device or mobile application used for the initiation of the electronic payment transaction will have a detrimental impact on customer checkout convenience, and it will soon be outdated in an increasingly mobile world. Considering advances in encryption and cyber security, it is possible to ensure that authentication codes are transmitted and displayed securely through different channels and/or mobile applications. Article 2.2(b) suggests that customers will need to carry with them at least two separate devices - one to initiate a payment and one to authenticate the payment. This stipulation is highly impractical. The goal of technological advancements, including wearable devices, has been to improve the consumer experience by allowing him/her to perform everyday tasks from one device.
Furthermore, online merchants do not have control over, or access to, customers’ devices and thus cannot implement separate trusted execution environments on a third-party device. Nor can merchants ensure that such a device has not been compromised, as suggested under Article 6.

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

Regarding item 3.2.1 15 (a. - c.) in the draft RTS, a targeted risk-based approach in conjunction with SCA provides a more comprehensive approach to fraud. Regarding item 54, imposing the same criteria on all providers for a transaction risk analysis would not take into account the fact that specific industries, services, providers and situations may present very different risk profiles. For instance, a gambling website is not exposed to the same fraud risk as a retail website selling books. Similarly, not all providers collect the same information about their customers or have the same information available to assess risks. Therefore, the objective of defining a common list of information to be taken into account seems not only unattainable, but also undesirable. The diversity of fraud risks and attempts, including the fact that certain situations present a very low risk of fraud, is a critical factor in determining a balanced approach to the risk assessment. A risk-based approach towards possible fraudulent transactions, based on data, is a proven effective method to reduce fraud. Rather than defining certain minimum criteria, the EBA should consider setting risk thresholds for merchants based on available industry norms. A prescriptive approach to how risk-based analysis is performed would limit innovation. The dynamic between fraudsters and PSPs essentially evolves as an arms race. Continual innovation in risk assessment is a critical part of the industry’s defense.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

The answer is ‘yes’, because the EBA is implementing too rigid a framework. As noted under Question 4, there are examples of high-risk, low-value transactions that should be challenged but will not be under the EBA framework, whereas there will be high-value, low-risk transactions that will not be challenged. If you have a lot of the former and not many of the latter, you could still end up with a lot of fraud.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

Article 19.1 of the draft RTS states that account servicing payment service providers (ASPSPs) shall offer at least one communication interface for TPPs, taking into account the requirements put forward in the draft RTS. Specifically, Article 19.4 continues, “Account servicing payment service providers shall make sure that the technical specification of their communication interface is documented, the documentation made available for free and publicly on their website.”
Ecommerce Europe would like to register its strong concerns regarding the concept, put forward by the draft RTS, of ASPSPs being left to define their own communication interfaces. As the voice of the European e-commerce sector, Ecommerce Europe advocates for full harmonization and interoperability. In order to remove persisting barriers for the European cross-border e-commerce sector in online payments, it is vital to have a clearly defined, interoperable and standardized set of communication interfaces. The draft proposals under Article 19, however, allow each ASPSP operating within the EU to define its own communication interface, leading to more market fragmentation.
Today, online merchants face too much fragmentation, especially when operating cross-border. This is a consequence of separate alternative e-payment systems, and it requires extensive integration efforts. The opening of the online payments market through the PSDII to new disruptive and innovative companies and payment solutions provides online merchants with cheaper, more accessible and secure payment solutions, which they can offer to consumers. Therefore, to enhance competition, and with it the health of the e-commerce sector, a standardized API framework for banks is crucial. This gives the market room to focus on innovation by removing integration issues. By aiming to remain ‘technologically neutral’ and ‘not prescribe the use of a specific industry standard’, however, the draft RTS fails to support the industry by putting in place a standardized framework to restrict further market fragmentation.

Please select which category best describes you and/or your organisation

Other

If you selected "Other", please provide details

Ecommerce Europe is the association representing 25,000+ companies selling goods and/or services online to consumers in Europe.

Please select which category best describes the services provided by you/your organisation

Other

If you selected "Other", please provide details

Ecommerce Europe is the association representing 25,000+ companies selling goods and/or services online to consumers in Europe.

Name of organisation

Ecommerce Europe