The European Banking Authority (“EBA”) has published its consultation paper (the “Consultation Paper”) on its proposed regulatory technical standards (“RTS”) relating to:
- the requirements of strong customer authentication (“SCA”);
- the requirements for protecting the confidentiality and the integrity of the payment service users’ (“PSU”) personalised security credentials (“PSC”); and
- the requirements for common and secure open standards of communication between account servicing payment service providers (such as banks) (“account servicing PSPs”), payment initiation service providers (“PISPs”), account information service providers (“AISPs”), payers, payees, and other payment service providers (“PSPs”).
PSD2 as a whole is due to be implemented on 13 January 2018, although the security measures referred to in PSD2 (that will be further addressed by the RTS) will only apply 18 months after the RTS’ adoption by the European Commission: at the time of publication, this is expected to be October 2018 at the earliest.
This e-alert sets out the ten key points arising from the Consultation Paper that are most likely to be of interest to industry players.
The Top Ten
- The EBA has given details of the SCA procedure. Subject to exemptions (see below), each time the payer accesses their account online, initiates an electronic transaction, or carries out any action through a remote channel which may imply a risk of payment fraud or other abuse, the PSP must generate an authentication code that is given to the user for them to input into the relevant PSP interface. The draft RTS specifies that the authentication code must have certain security features, including algorithm specifications, length, and expiration time.
- Transaction-risk analysis will not be an exemption to SCA. In its Consultation Paper, the EBA recognises that while there was “merit in implementing a transaction risk-analysis as part of the [SCA] procedure [… it] was not able to identify which minimum set of information the RTS should require […] to be sufficiently reliable to allow a specific exemption.” This will be a source of some frustration to industry players who had hoped to use transaction-risk analysis as an exemption to SCA.
- High bar set for the inherence element. The EBA specifies that devices or software provided to the payer in order to read the authentication elements “categorised as inherence” must be characterised by security features such as algorithm specifications and biometric sensors. The EBA sets a high bar for using inherence elements, as the security features must “guarantee a sufficiently low likelihood of an unauthorised party being authenticated as the legitimate payment service user” (emphasis added), and their use must be subject to measures “that ensure that the devices and the software provided to the payer guarantee resistance against unauthorised use of the elements” (emphasis added).
- The EBA gives details on how PSPs will apply “dynamic linking”. Electronic remote transactions (such as internet or mobile phone transactions) require an additional layer of authentication, called “dynamic linking”. This is the inclusion in SCA of elements that dynamically link the transaction to a specific amount and a specific payee. The EBA has specified a number of requirements for dynamic linking, which include requirements that: (a) the payer must be made aware at all times of the amount of the transaction and of the payee; (b) the authentication code must be specific to the amount of the transaction and the payee; and (c) the authentication code must change with any change to the amount or payee.
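The authentication-code and dynamic-linking requirements above, as an added example that is not from the Consultation Paper or the EBA: an HMAC-based authentication code bound to the exact amount and payee, with a fixed length and an expiry time, so that any change to either value yields a different code. The code length, expiry window, key handling, encoding and the function names are assumptions; the draft RTS only requires that such features be specified.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_DIGITS = 8          # assumed length; the RTS only says a length must be specified
CODE_TTL_SECONDS = 120   # assumed expiry window

@dataclass(frozen=True)
class IssuedCode:
    code: str          # short value shown to the payer alongside amount and payee
    nonce: str         # per-transaction challenge kept server-side, never reused
    expires_at: float  # Unix time after which the code is rejected

def _mac(key: bytes, amount_cents: int, payee: str, nonce: str, expires_at: float) -> bytes:
    # Unambiguous encoding: fixed-width amount and length-prefixed payee, so a change in
    # either always changes the MAC input (a plain string join could be confused by a
    # separator character inside the payee identifier).
    payee_bytes = payee.encode("utf-8")
    msg = (amount_cents.to_bytes(8, "big")
           + len(payee_bytes).to_bytes(2, "big") + payee_bytes
           + nonce.encode("ascii") + int(expires_at).to_bytes(8, "big"))
    return hmac.new(key, msg, hashlib.sha256).digest()

def _truncate(mac: bytes) -> str:
    # HOTP-style dynamic truncation (RFC 4226) to a fixed number of decimal digits
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)

def issue_code(key: bytes, amount_cents: int, payee: str,
               now: Optional[float] = None, nonce: Optional[str] = None) -> IssuedCode:
    """PSP side: bind a fresh code to this exact amount and payee (nonce is random unless given)."""
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16) if nonce is None else nonce
    expires_at = now + CODE_TTL_SECONDS
    return IssuedCode(_truncate(_mac(key, amount_cents, payee, nonce, expires_at)), nonce, expires_at)

def verify_code(key: bytes, submitted: str, amount_cents: int, payee: str,
                issued: IssuedCode, now: Optional[float] = None) -> bool:
    """PSP side: recompute over the amount and payee actually being executed, reject if expired."""
    now = time.time() if now is None else now
    if now >= issued.expires_at:
        return False
    expected = _truncate(_mac(key, amount_cents, payee, issued.nonce, issued.expires_at))
    return hmac.compare_digest(expected, submitted)
```

The verifier never trusts the amount or payee the client echoes back; it recomputes the code over the values it is about to execute, which is what makes a tampered amount or payee fail.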
- Exemptions to dynamic linking. PSPs do not have to apply dynamic linking to electronic remote payment transactions where (broadly): (a) the payer initiates online a credit transfer where the payee is included in a list of trusted beneficiaries; (b) the payer has initiated online a series of credit transfers with the same amount and the same payee; (c) the customer sends money to another account in its name held by the customer’s account servicing PSP; or (d) transactions are valued at €10 or less, until such time that the cumulative value of the transactions without SCA reaches €100 (at which point SCA will apply). PSPs should be aware that there are carve-outs to these exemptions.
- Access to non-sensitive payment data is exempted from SCA. PSPs do not have to apply SCA where (broadly) the customer accesses exclusively either information on its payment account online or the consolidated information on other payment accounts held, and there is no disclosure of “sensitive payment data” (defined in PSD2 as “data, including personalised security credentials, which can be used to carry out fraud. For the activities of [PISPs] and [AISPs], the name of the account owner and the account number do not constitute sensitive payment data”). PSPs should be aware that there are carve-outs to these exemptions.
- Low-value contactless payments are exempted from SCA. PSPs do not have to apply SCA where the payer initiates a contactless electronic payment at a point of sale that is valued at up to €50. However, once the cumulative amount of previous non-remote electronic payment transactions initiated by the contactless card exceeds €150, PSPs will have to apply SCA.
- Account servicing PSPs must create at least one “interoperable” interface. This interface must enable secure communication with all relevant PSPs (such as AISPs and PISPs). The interface’s technical specification must be documented and freely available on the account servicing PSP’s interface. While the account servicing PSP may provide a separate online banking platform for its PSUs, both interfaces must offer the same level of service.
- There are no exemptions to the requirement to have in place adequate security measures to protect the confidentiality and integrity of customers’ personalised security credentials.
- The SCA procedure must include mechanisms to prevent, detect and block fraudulent transactions before the PSP’s final authorisation. The mechanisms should take into account, for example, information about the customer’s device, and whether there are any signs of malware infection in the session or known fraud scenarios.
To ensure proper identification of PSPs when they interact, the EBA proposes to require PSPs to rely on qualified certificates for website authentication issued by a qualified trust service provider under the EU Regulation 910/2014 on electronic identification and trust services for electronic transactions in the internal market (the “e-IDAS Regulation”). The certificate shall refer to the PSP’s regulatory authorisation number, and state its role (i.e. account servicing PSP, PISP, AISP or PSP issuing card-based payment instruments) and the name of the relevant competent authority (such as the Financial Conduct Authority).