Payments from a European Digital Identity (EUDI) Wallet

The European Digital Identity Wallet (EUDI Wallet) is at the forefront of the European Commission's eIDAS initiative to establish a secure and user-friendly digital identity framework for citizens across the European Union, in order to securely store and manage various digital identity data such as driving license, permits, health cards, diplomas, etc. Beyond identity management, the EUDI Wallet also offers a secure payment solution that leverages the Payment Services Directive 2 (PSD2) and Single Euro Payments Area Credit Transfer (SCT) method. This article explores the features of EUDI Wallet, the process of PSD2 payments, and the stringent security measures employed by wallet providers to protect user funds and data. Discover how EUDI Wallet combines digital identity and payment services to provide a comprehensive and secure user experience.

The secure payment systems provided by EUDI wallets are different from the more traditional mobile wallet apps (Apple Wallet, Google Pay, Samsung Pay etc) for payments. The European Digital Identity Wallet providers intend to use Payment Services Directive 2 (PSD2) and Single Euro Payments Area Credit Transfer (SCT) method for payments rather than NFC contactless payment methods aligned to the card schemes and EMV.

PSD2 is a European Union regulation that aims to create a more open and competitive payments market. Under PSD2, banks are required to provide third-party providers (TPPs) with access to their customers' accounts, with the customer's consent, through APIs (Application Programming Interfaces). There are two main types of TPPs that can access a customer's account under PSD2: Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs).

EUDI wallet providers will be PISPs and can initiate payments on behalf of the customer, without the need for a credit or debit card.

How does a payment operate?

The process of a PSD2 payment involves several steps:

1. Payer initiates payment: The payment process begins when the payer (the customer who wants to make a payment) initiates the payment through a PISP (the EUID wallet). The initiation could be via a QR code provided by the merchant that will launch the EUDI wallet and prepopulate the payment instruction.

2. Payer authentication: The payer is then redirected to their bank's online banking platform or mobile app to authenticate the payment using strong customer authentication (SCA). This typically involves providing two or more factors of authentication, such as a password or biometric data like a fingerprint or facial recognition.

3. Payment initiation: Once the payment is authenticated, the PISP sends a payment initiation request to the payer's bank via an API, providing details of the payment amount, payee information, and other relevant information.

4. Payee authentication: The payee's bank then checks the payment request and authenticates the payee using their own security measures to ensure that the payment is legitimate.

5. Payment processing: Once the payee is authenticated, the payment is processed through the interbank payment network, such as the SEPA (Single Euro Payments Area), which enables the transfer of funds between banks. The payee's bank responds back to the PISP, confirming that the payment has been processed.

6. Payment settlement: The final stage of the payment process involves the settlement of funds between the payer's and payee's banks. This can take several days to complete, depending on the payment method and the banks involved.

Digital wallet security

PISPs that offer wallet services must adhere to strict security requirements to ensure the safety of their customers' funds and personal data. Here are some of the security requirements that PISP wallets must follow:

1. Strong Authentication: PISP wallets must have a strong authentication mechanism to ensure that only authorized users have access to the wallet. This may involve the use of multi-factor authentication, such as a combination of passwords, biometrics, or security tokens.

2. Encryption: All wallet-related data should be encrypted both in transit and at rest to prevent unauthorized access. The encryption should be strong enough to ensure the confidentiality, integrity, and authenticity of the data.

3. Secure storage: PISP wallets must store data securely to prevent unauthorized access and hacking.

4. Regular security audits: PISPs should conduct regular security audits of their wallet systems to identify and address any security vulnerabilities. This includes penetration testing, code reviews, and vulnerability scans.

5. Compliance with regulatory requirements: PISPs must comply with all relevant regulatory requirements, such as PSD2 and GDPR, to ensure the security and privacy of their customers' data.

6. Incident response plan: PISP wallets should have a robust incident response plan in place to deal with security incidents. The plan should be regularly reviewed and updated to ensure that it is effective in responding to new threats.

7. User education: PISP wallets should educate users on best practices for keeping their funds and personal data safe. This includes advising them to use strong passwords, enabling two-factor authentication, and warning them against phishing scams.

The requirements are very similar to those required to protect digital identities, therefore, making an EUDI wallet very suitable as a vehicle to provide payment services.

In summary

The EUDI Wallet achieves a unique balance between security and user convenience by implementing advanced security measures while ensuring a seamless user experience. With robust encryption, authentication, and secure storage of data, the wallet safeguards sensitive information and protects against unauthorized access.

To enhance user convenience, the EUDI Wallet integrates with various digital services, allowing users to easily access public and private online platforms using their stored identification documents. Moreover, the wallet simplifies payment transactions by leveraging the Payment Services Directive 2 (PSD2) and Single Euro Payments Area Credit Transfer (SCT) method, enabling users to initiate payments directly from their wallet without the need for credit or debit cards.

By combining stringent security measures with user-friendly features, the EUDI Wallet offers a seamless and trustworthy experience, ensuring that users can securely manage their digital assets and perform transactions across borders with ease and peace of mind.

Cryptomathic specializes in mobile app protection and digital identities & signatures in the eIDAS space. The Cryptomathic Mobile App Security Core provides advanced mobile security solutions for app developers, including in-app security, RASP, and a back-end assurance service that are effective in addressing requirements 1, 2, and 3. Its security design also enables easy fulfillment of requirements 4 and 6.

Download the white paper detailing optimal methods for safeguarding the EUDI wallet app or contact Cryptomathic to discuss your requirements.