Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
The draft is not fully technology neutral, e.g. Article 1(2). Technical details should be left to service providers to decide, so that they are able to take e.g. the device, channel and service into consideration. We would prefer a more general approach to detailed lists. References to certain technologies (as examples) could be included in recitals. We suggest that the EBA consider aligning the requirements for SCA with the EU Commission's Implementing Regulations on the Level of Assurance (EU 2015/1502, OJ 9.9.2015 L 235) and the Interoperability Framework (EU 2015/1501, OJ 9.9.2015 L 235) for electronic identification. Requirements imposed by the RTS should not substantially differ from the general requirements under the eIDAS Regulation, in order to enhance electronic identification (strong authentication) at the Union level. As to Article 1(3)(b), the payer should be informed to a certain extent of what went wrong. For example, if the payer enters the wrong PIN for a card transaction, it is common practice to display "Wrong PIN" on the terminal. The article should therefore be revised.

Question 2: In particular, in relation to the "dynamic linking" procedure, do you agree with the EBA's reasoning that the requirements should remain neutral as to when the "dynamic linking" should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.
PSD2 recital (96) states inter alia that "those measures typically include encryption systems based on personal devices of the payer, including card readers or mobile phones, or provided to the payer by its account servicing payment service provider via a different channel, such as by SMS or email." The term "channel" in Article 2(2)(b) is ambiguous. Use of the same device for actual payment initiation and authorisation should be possible as long as initiation and authorisation are logically independent from each other. It should be possible, e.g., to initiate a payment transaction online in a netbank and authorise it via SMS. Respectively, it should also be possible to segregate initiation and authorisation at the application or protocol level.

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
No comment.

Question 4: Do you agree with the EBA's reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?
We should refrain from setting exemptions from SCA based on fixed amounts, in order to maintain appropriate risk management measures and risk level. Requirements for authentication should be applicable dynamically according to the prevailing circumstances. In general, there should be an option for the PSP of the payer to apply exemptions from SCA based on its own risk analysis. In the same way, the exact criteria for such risk analysis should be based on criteria that the payer's PSP deems relevant in order to reduce fraud and risk to an acceptable level. Such flexibility would allow for continued innovation in fraud prevention and analysis. Mandatory exemptions might also conflict with other Union and national legislation and regulations imposing requirements for e.g. risk management or electronic identification.

Exemptions should not be exhaustive and mandatory; rather, the ASPSP, being primarily responsible for refunding the payer, should have a mandate to self-determine where to apply SCA. It should be considered whether exemptions from SCA could also be based on transaction-risk analysis performed by PSPs. Predefined fixed rules are also liable to weaken user experience and user convenience considerably in cases where SCA does not actually enhance payment security. This dilemma typically occurs in mobile P2P payments where account information is linked to a mobile phone number. It should be sufficient that the payer registers for the service using strong authentication and then uses the service with simpler means of authentication when initiating a single payment. Also, for recurring card payment transactions, SCA of the payer should only be required for the first transaction. The RTS should be updated to reflect Rationale 17.