Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2

Go back

Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

Yes, we agree. In these last years the electronic payments and card not present transaction has been suffered by several fraud attempts. Strong authentication methods created in the meanwhile seems to have boosted consumer trust on this method of payment. So abandon this best practice could represent a brake on the development of these new services and to the development of these new PSD2 providers

Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS.

Yes, we agree. These are common practices consolidated in the last years.

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?

No, we are not aware of any other risks.
Knowledge: I’m think about the actual rules (minimum length, special characters, numbers, upper and lower case) should be the practices already in place in the “safe” environment
Possession: the access to the mobile phone should be assimilated as a valid way to satisfy the requirement of the ownership of something physical.

Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?

Yes, we agree. The exemption noted by article 98 should have to be let “more freedom” to the new service providers (AISP/PISP) to define a better customer experience.

Question 5: Do you have any concern with the list of exemptions contained in Chapter 2 of the draft RTS for the scenario that PSPs are prevented from implementing SCA on transactions that meet the criteria for exemption?

No, we don’t because these are common practices and operating limit currently used in cardless transactions

Question 6: Do you agree with the EBA’s reasoning on the protection of the confidentiality and the integrity of the payment service users’ personalised security credentials, and the resultant provisions proposed in Chapter 3 of the draft RTS?

Yes, we agree because these are common practices that they are assuring a good level of confidentiality and integrity of all data managed.

Question 7: Do you agree with the EBA’s reasoning on the requirements for common and secure open standards of communication for the purpose of identification, authentication, notification, and information, and the resultant provisions proposed in Chapter 4 of the draft RTS?

Yes, we agree but we suggest introducing an end to end cryptographic system to increase security and privacy

Question 8: In particular, do you agree that the use of ISO 20022 elements, components or approved message definitions, if available, should be required to ensure the interoperability of different technological communication solutions implemented between PSPs for the provision of AIS, PIS or for the confirmation on the availability of funds? Do you see any particular technical constraint that would prevent the use of such industry standards?

Yes, we agree.
The ISO 20022 is a free and open standard, so we don't see any constraint using it.

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services ?

Yes, we agree about the choice done by the workshop participannts (option 1), but it should be defined before the PSD2 will come into the force. The proposed date could be October 2017 instead of October 2018 (refers to page. 22 points 74/77)

Question 10: With regards to the frequency with which AIS providers can request information from designated payment accounts when the payment service user is not actively requesting such information, do you agree that the proposed limit of no more than two times a day achieve an appropriate balance between allowing AISP to provide updated information to their users while not negatively impacting the availability of the ASPSP’s communication interface? If not, please indicate what would be in your view the appropriate frequency and rationale for such frequency.

We suggest to increase this value to more than 2 times (i.e.: 12), this change it’s also related to the introduction of the SEPA Instant Credit Transfer and to give to the AIS the availability to offer a better service to the customers

Please select which category best describes you and/or your organisation

[IT services provider "]"

Please select which category best describes the services provided by you/your organisation

[Other"]"

If you selected "Other", please provide details

Systems Integrator, Business consulting, Software development

Name of organisation

NTT DATA

Organisation and governance

Legal and policy framework

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre