RE: European Banking Authority (EBA) Discussion Paper on strong customer and secure communication under PSD2

Dear IG and WG members,

The work of EBA is quite important and will have impact on our work. This comes from the definition of a new type of actor in the playing field: the PISP (Payment Initiation Service Provider).

To summarise, the PISP is a company that will have its own brand at the merchant site  in order for the buyer to click on it to pay. Then the PISP will be able to initiate a credit transfer on behalf of the buyer. The Payment Directive states that the authentication of the buyer should be strong.

Main issues are :
- how for a third party (PISP) to act on behalf of the buyer without risk at the buyer's account level ?
- where and how should the strong authentication apply ? it goes without saying that the PISP wants the minimum authentication measures and the buyer's Bank wants a risk adapted authentication
- how to initiate the credit transfer with security (as an example, one system existing today asks the login/password of the buyer and emulates a web banking session)

Where are the relationships with our work:
1- this system is supposed to provide a unified method of webpayment with SEPA Credit Transfer: this use case is part of the IG charter
2- this system should work for all European countries and it is driven by European Commission (link with W3C) 

This is why I think that the WPIG should work on it quickly.

Best regards

PS: this use case was already raised in my proposal (SCAI)


> -----Message d'origine-----
> De : Ian Jacobs []
> Envoyé : lundi 11 janvier 2016 19:02
> À : Web Payments IG; Payments WG
> Objet : FYI: European Banking Authority (EBA) Discussion Paper on strong
> customer and secure communication under PSD2
> Hi Web Payments IG and WG,
> The EBA has published:
>   Discussion Paper on future Draft Regulatory Technical Standards on strong
> customer authentication and secure communication under the revised
> Payment Services Directive (PSD2)
> 03+%28RTS+on+SCA+and+CSC+under+PSD2%29.pdf
> No action is required; this is just a heads-up, especially about the 8 February
> deadline for comments.
> The W3C staff may put together some feedback regarding open standards
> and the set of current and relevant W3C activities (e.g., the Web
> Authentication Working Group charter in review [1], WebCrypto work, etc.).
> Ian
> [1]
> --
> Ian Jacobs <>
> Tel:                       +1 718 260 9447

Received on Tuesday, 12 January 2016 15:23:04 UTC