- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Fri, 2 Dec 2016 15:39:02 +0100
- To: Siva Narendra <siva@tyfone.com>
- Cc: public-web-security@w3.org
- Message-ID: <49777811-f065-f402-ec8b-42afde3c8e9b@gmail.com>
On 2016-12-02 14:32, Siva Narendra wrote: > > It is no surprise Visa is against PSD2 in Europe. In a nutshell it will allow payments to occur between bank accounts without the incumbent paymeny networks. Tall order from an implementation perspective. New associations are being formed to deal with security. > In the published paper VISA refers to something which probably is a challenge for all payment providers, the ability to perform payments on a user's behalf without performing a "regular" user authorization. This comprises a large number of rather disparate use-cases like automated payments of utility bills, traditional consumer e-commerce like Amazon.com, and "social payments" like Venmo. From the document: "You will no longer be able to make... - one-click online checkouts even at stores you shop at all the time - fast, automatic payments where your card is already securely stored" There's IMO (at least) one thing missing from the EBA plot; a standardized and secure way for a user to authorize such a delegation of power. This would obviously need to involve the account holding entity as well since it requires knowledge about the party being given delegated rights to. However, if you are Amazon, Netflix, Apple, Google, Facebook etc. I doubt that EBA/EU concerns carry much weight, particularly when there are no solutions available :-) Anders > Interestingly real-time ACH in the US would accomplish the same thing with our a mandate like PSD2. > > While both these will require use case changes and therefore will take time for adoption, the days of bank accounts being used for payments without the traditional payment networks are inevitable. It has already happened in China. US and EU time constant 3 to 5 years. > > > On Dec 2, 2016 3:01 AM, "Anders Rundgren" <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote: > > There's a new EU directive called PSD2 requiring banks to "open up" accounts to third-party access. > This requires new levels of authentication. > > Not everybody see this as realistic or useful. Here is VISA's public protest against PSD2 authentication requirements: > > https://www.visaeurope.com/media/images/psd2%20position%20paper%20nov%202016-73-40837.pdf <https://www.visaeurope.com/media/images/psd2%20position%20paper%20nov%202016-73-40837.pdf> > > "You will no longer be able to make... > - one-click online checkouts even at stores you shop at all the time > - fast, automatic payments where your card is already securely stored" > > Anders >
Received on Friday, 2 December 2016 14:39:54 UTC