In November 2017 the European Commission adopted the Delegated Regulation laying down Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA) and for common and secure open standards of communication under PSD2. Its objective is to ensure that payers are strongly authenticated and that the parties in a payment flow identify each other and exchange data over secure channels.
These standards provide a broad technical framework for implementing customer authentication for payment services, covering both remote (online) transactions and proximity transactions at physical points of sale.
The standards also reference the electronic identification and trust services set out in the eIDAS Regulation (Regulation (EU) No 910/2014). eIDAS lets customers, businesses and public service providers offer and use services on the basis of notified national electronic identification (eID) schemes. It also regulates trust services, namely electronic signatures, electronic seals, time stamps, certificates for website authentication and other electronic trust services, which are to be used where appropriate.
The eIDAS linkage
Taken together, the RTS, the PSD2 directive itself and the eIDAS regulation give the payments industry a complete, coherent security package. For example, under the RTS (Article 34) payment service providers must identify themselves to each other using either "qualified certificates for electronic seals" or "qualified certificates for website authentication" as defined in eIDAS. The requirements for qualified certificates for electronic seals are set out in Annex III of the eIDAS Regulation; a qualified certificate for website authentication must be issued by a qualified trust service provider and meet the requirements of Annex IV.
The technical standards thus make full use of the identification and authentication tools already defined in detail in eIDAS. Proven instruments are put in place while the existing trust-service infrastructure is reused, which keeps cost to a minimum. Because identification rests on these certificates, third-party providers such as Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) can identify themselves to the account-servicing bank and participate in the ecosystem with the same level of security and protection as the primary financial institution.
Exceptions and safeguards
While strong authentication is paramount in a payments system, it is also important to maintain technological neutrality. The RTS takes this into account: rather than prescribing specific solutions such as one-time passwords, digital signatures or other particular cryptographic techniques, it leaves the choice of mechanism open as long as its security requirements are met (for instance, that the authentication elements used are independent of one another, so that compromise of one does not compromise the others).
This neutrality extends beyond the authentication mechanism to the various business models of payment processors. For example, low-value remote payments (not exceeding EUR 30, subject to cumulative limits), contactless proximity payments and certain other remote payments (such as those to trusted beneficiaries or those judged low-risk by the provider's transaction risk analysis) benefit from exemptions that let them operate with minimal friction within the RTS framework. Each exemption is subject to specific thresholds in terms of amount, risk, payment method and so on.
Corporate payment systems (as opposed to retail ones) usually rely on different protocols for authorising payment transactions, such as dedicated physical authenticators or multi-person approval, and the RTS allows an exemption here provided the competent national authorities are satisfied that those processes achieve at least an equivalent level of security.
References and Further Reading
- Commission Delegated Regulation (EU) supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), by the European Commission
- Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more
- The European Interoperability Framework - Implementation Strategy (2017), by the European Commission
- Proposal for a Directive of the European Parliament and of the Council amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (2016), by the European Commission
- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016), by the European Parliament and the Council of the European Union
- Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (2017), by the European Commission
- Revised Directive (EU) 2015/2366 on Payment Services (commonly known as PSD2) (2015), by the European Parliament and the Council of the European Union
- Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS) (2014), by the European Parliament and the Council of the European Union
- Directive 2013/37/EU amending Directive 2003/98/EC on the re-use of public sector information (2013), by the European Parliament and the Council of the European Union
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
- Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA
- NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA
- Security Controls Related to Internet Banking Services (2016), by the Hong Kong Monetary Authority