What you should know about the EPC’s response to the EBA’s discussion paper

EBA seeks preliminary input to Regulatory Technical Standards in support of PSD2

09 March 16

The EPC formulated a number of general considerations

The EPC is of the opinion that, in order to allow evolving market solutions and innovation, the Regulatory Technical Standards (RTS) should be robust and technology-neutral. This means that they should be, as much as possible, principle-based, and should not define specific technical standards or include exhaustive lists of examples. They should establish clear criteria which allow the adoption of new standards that could potentially be developed in the future. In addition, the RTS must be open for all business, technical, legal and operational models and must facilitate the creation of an environment that is fair, with clear delineation of risk and liability. Moreover, the principles for strong customer authentication and the interoperability specifications for communications should be based on internationally recognised and open standards, instead of only devising a European approach.

Given the multiple scenarios in where may grant authorisation to third parties in order to access their information, or to act on their behalf, it is fundamental that the RTS developed by the EBA do not impose restrictions on the ability of European Payment Service Providers (PSPs) to develop homogeneous services at a global level.

The EPC’s suggestions concerning strong customer authentication

The PSD2 defines strong customer authentication as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.” This definition has resulted, during recent months, in lengthy debates on the precise criteria for independence of the two authentication factors, especially when certain customer devices such as mobile phones are used. However, the EPC affirms that the actual challenge, with respect to strong customer authentication, is the sole control and possession by the of the authentication factors, rather than the independence of these factors. Moreover, the focus should instead be on a risk-based authentication model whereby additional information, such as customer-related behaviour-based characteristics, could serve as additional input. The use of complementary authentication methods, in circumstances where detected risk patterns rise above predefined critical thresholds, is the preferred manner to limit risk and ensure optimal transaction security levels at all times.

Furthermore, it is also important to note that as long as strong customer authentication is not imposed globally, there will not be a significant reduction in international fraud, especially in relation to card-based transactions. Attackers will continue to harvest card data, independently of the sophistication of the strong authentication, and make use of it with non-European merchants.

The EPC maintains that should not share their personalised security credentials with third party providers

According to the , certain credentials can be made accessible to Third Party Providers (TPPs*). However, it is understood that the aims to give control over the information that is shared this way. When using an application programming interface (API) approach, the should take into account that there are technological solutions through which credentials are only used between the account servicing and the , and yet the gets the functionality and information they need. To achieve the aims set out by the European Commission, the EPC continues to believe that it is not necessary for to share their personalised security credentials with a TPP.

In contrast, the authentication codes which could potentially be exposed to a should be bound to a specific payee and specific amount, so that the exposure constitutes no risk for the , irrespective of whether these authentication codes are exposed to the right or the wrong intermediary.
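The binding described above can be sketched as follows. This is an added example, not part of the EPC's response: it assumes a secret key shared between the user's device and the account servicing provider, uses an HMAC as a stand-in for whatever code-generation scheme a provider actually deploys, and all names and sample payee strings are constructed.

```python
import hashlib
import hmac
import secrets


def _encode(payee: str, amount_cents: int, challenge: bytes) -> bytes:
    # Length-prefix every field so that field boundaries cannot be shifted.
    parts = [payee.encode("utf-8"), str(amount_cents).encode("ascii"), challenge]
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def make_auth_code(key: bytes, payee: str, amount_cents: int, challenge: bytes) -> str:
    """Computed on the user's device after payee and amount were displayed."""
    mac = hmac.new(key, _encode(payee, amount_cents, challenge), hashlib.sha256)
    return mac.hexdigest()[:16]  # truncation length is an assumption of this sketch


class AccountServicingProvider:
    """Hypothetical verifier holding the same key as the user's device."""

    def __init__(self, key: bytes):
        self._key = key
        self._open = set()  # challenges issued and not yet consumed

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._open.add(challenge)
        return challenge

    def verify(self, payee: str, amount_cents: int, challenge: bytes, code: str) -> bool:
        if challenge not in self._open:
            return False  # unknown or already used: a replayed code is rejected
        expected = make_auth_code(self._key, payee, amount_cents, challenge)
        if not hmac.compare_digest(expected, code):
            return False  # code was issued for a different payee or amount
        self._open.discard(challenge)  # single use
        return True


def demo():
    key = secrets.token_bytes(32)
    bank = AccountServicingProvider(key)
    challenge = bank.new_challenge()
    payee = "DE00 CONSTRUCTED IBAN"  # constructed sample value
    code = make_auth_code(key, payee, 12500, challenge)
    # An intermediary that saw the code cannot reuse it for other details.
    altered_payee = bank.verify("XX00 OTHER PAYEE", 12500, challenge, code)
    altered_amount = bank.verify(payee, 99900, challenge, code)
    genuine = bank.verify(payee, 12500, challenge, code)
    replayed = bank.verify(payee, 12500, challenge, code)
    return altered_payee, altered_amount, genuine, replayed
```

Because the code only verifies for the payee and amount it was computed over, and only once, seeing it gives an intermediary nothing it can redirect.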

The EPC’s view on secure communications between

With respect to the interface and communications between the account servicing and , internationally established corporate banking interfaces could be leveraged, towards a standardised uploading and downloading of single transaction or account data by . As most of them require the client side to work with Public Key Infrastructure (PKI) certificates, this could match the normal server-based access from environments.

The EPC recommends that the following topics be addressed in the RTS:

  • Specification of generic request, response and authentication messages, irrespective of the underlying communication protocol;
  • Specification of at least one appropriate communication protocol, to be supported by all registered participants;
  • Specification of a certification authority that supports easy and up-to-date authentication of authorised (e.g. through the issuing of attribute certificates);
  • Governance (management of liabilities and claims).

The EPC encourages synergy with the e-IDAS Regulation

Indeed, the e-IDAS Regulation specifies principles and requirements regarding identity and authentication levels. According to the EPC, it represents an opportunity for European customers to benefit from harmonised principles of identification and authentication across Europe. However, the e-IDAS Regulation has been developed to secure an authentication of an identity, and not the authenticity and integrity of a payment transaction. e-IDAS deals with the levels of assurance of personalised security credentials for sole control. The levels of assurance for personalised security credentials will also have to be specified for customers and in the context of . The EPC strongly encourages alignment with the assurance levels defined by e-IDAS for simplicity, intelligibility and reusability reasons. The dialogue and close collaboration on these matters between the EU institutions and the public and private sectors will be crucial in order to devise secure and effective solutions in that context and, more broadly, as part of the Digital Single Market, especially in circumstances where both the e-IDAS Regulation and the would apply.

*This term refers to the Payment Initiation Service Providers and Account Information Service Providers as defined in the PSD2, Art 4.

Ruth Wandhöfer is the Chair of the Payments Security Support Group and Global Head Regulatory & Market Strategy Citi Treasury and Trade Solutions of the Citi Group.


