Quali-Sign Banking. An example of how to meet the PSD2 segregation requirements. Michael Adams, 3rd November, Quali-Sign Ltd

1 Quali-Sign Banking
An example of how to meet the PSD2 segregation requirements.
Michael Adams, 3rd November
Quali-Sign Ltd
michael_adams@quali-sign.com

2 Context

The PSD2 segregation requirement: The channel, device or mobile application through which the information linking the transaction to a specific amount and a specific payee is displayed shall be independent or segregated from the channel, device or mobile application used for initiating the electronic payment transaction.

Purpose: Many of the responses to the EBA's consultation paper on SCA and CSC raised concerns about this segregation requirement. The purpose of this paper is to demonstrate that segregation can be achieved via existing open banking communication standards.

3 Achieving Segregation: Online Retailer Scenario

[Process flow diagram. Swimlanes: Consumer (Debtor); Debtor Bank; Interbank Space; Creditor Bank; Retailer (Creditor).]

1. Initiate online purchase via Retailer's web site or mobile app
2. Receive purchase order
3. Submit ISO payment order (without SCA)
4. Receive
5. Notify debtor that a payment is awaiting SCA
6. Sign (add SCA) via mobile app
7. Signature Valid
8. Technically Valid
9. Customer Profile Valid
10. Timestamp, reserve amount & submit
11. Valid
12. Valid
13. Make Funds Available
14. Receive Confirmation Message

Steps 7, 8, 9, 11 and 12 are validation decisions; the flow continues on Yes.
Status labels shown in the diagram: ACCP (twice), ACSP, ACSC. Other labels: Credit Advice; Release Goods.

4 EBICS: Electronic Banking Internet Communication Standard

- A common standard for banks and customers, based on HTTP(S) and XML.
- A European standard: The EBICS SCRL is responsible for the advancement and maintenance of the EBICS standard. Countries can join the EBICS SCRL.
- Supports exchange of ISO20022 format messages.
- Highly secure: Extensive use of cryptographic functions for encryption and digital signatures.
- Plus:
  - Support for X.509 certificate authority issued certificates.
  - Standard APIs to initialize and manage users, including certificate exchange.
  - Centralized management of customer and user entitlements.
  - In-built entitlements validation and (distributed signatures) authorisation workflow.
- An open standard: Includes a detailed specification. Turn-key EBICS software is available from established vendors.
- A low risk option to meet the PSD2 regulatory requirements for CSC.

[Map: EBICS coverage. Legend: Regulatory; Recommended.]

5 Achieving Segregation via EBICS: High Level Architecture

[Architecture diagram. Labels, in the order transcribed: User Devices; Debtor Bank; API Gateway; Certificate Authority; Consumer (Debtor); Mobile App (EBICS Client); Browser or Mobile App; HTTPS; HTTPS; Online Retailer; EBICS Client; User; EBICS Server; Profile; Credentials; Entitlements; Authorisation Workflow; Initiation; Reporting.]

6 Achieving Segregation via EBICS: High Level Architecture

[Same architecture diagram as slide 5, annotated with the following steps.]

1. Consumer initiates online purchase via retailer web site or mobile app.
2. Retailer submits ISO payment order (without SCA) to debtor bank.
3. Consumer (debtor) reviews payment details and signs (applying SCA) via mobile app.
4. Debtor bank places the payment order in the EBICS (distributed signatures) authorisation workflow.
5. Debtor bank validates signature and payment instruction, transmitting instruction to creditor bank via clearing.
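The five steps above, modelled as an added example (not code from the slides, Quali-Sign or any EBICS product): the bank holds the retailer's unsigned order, then accepts it only if the signature arrives over a different channel and covers the same amount and payee the bank is holding. Assumptions: HMAC stands in for the X.509-backed signature, the PDNG/ACSP/RJCT mapping to these steps is illustrative, and all class, function and channel names are hypothetical.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

def linking_digest(order_id, amount, currency, payee):
    """Digest of what the consumer is shown: amount and payee, bound to one order."""
    fields = json.dumps([order_id, amount, currency, payee])  # unambiguous encoding
    return hashlib.sha256(fields.encode()).digest()

def consumer_sign(device_key, order_id, amount, currency, payee):
    """Step 3: the signing app signs exactly the details it displayed.
    HMAC is a stand-in (assumption) for the certificate-based signature."""
    digest = linking_digest(order_id, amount, currency, payee)
    return hmac.new(device_key, digest, hashlib.sha256).digest()

@dataclass
class HeldOrder:
    order_id: str
    amount: str
    currency: str
    payee: str
    initiating_channel: str
    status: str = "PDNG"  # assumed status while the order awaits SCA

class DebtorBank:
    def __init__(self, device_keys):
        self.device_keys = device_keys  # consumer id -> key enrolled for the signing app
        self.orders = {}

    def submit_unsigned(self, order):
        """Steps 2 and 4: the retailer submits without SCA; the bank holds the order."""
        self.orders[order.order_id] = order
        return order.status

    def apply_signature(self, consumer, order_id, signing_channel, signature):
        """Step 5: check segregation, then the signature over the held amount and payee."""
        order = self.orders[order_id]
        if order.status != "PDNG":
            return order.status  # already decided; a replayed signature changes nothing
        expected = consumer_sign(self.device_keys[consumer], order.order_id,
                                 order.amount, order.currency, order.payee)
        segregated = signing_channel != order.initiating_channel
        valid = hmac.compare_digest(expected, signature)
        order.status = "ACSP" if (segregated and valid) else "RJCT"
        return order.status
```

Because the bank recomputes the digest from the order it holds, a retailer that submits one amount while the consumer is shown another produces a signature mismatch and the order ends as RJCT.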

7 The Quali-Sign Banking app (QSB)

- Multi banking app for corporate users.
- Connects to banks via the EBICS protocol using X.509 certificates.
- Review & approve (or cancel) banking orders.
- Payment status monitoring.
- Authenticate and sign with fingerprint or PIN.
- Supports PDF plus ISO20022 (CGI) formats PAIN.001v3, PAIN.002v3, PAIN.008v2, ACMT.007v1.
- Currently only available for Android.

Please note: All proof of concept requirements were met solely via configuration of a demonstration EBICS server. No additional enhancements were made to the Quali-Sign app. The Quali-Sign app is tailored to target the business / corporate user market. Enhancement of the app for the retail consumer market is out of scope for this proof of concept.

8 Demonstration / Proof of concept (1 of 3)

From within the Quali-Sign app, the user can view their profile and permissions. They can also view the profile and permissions of the other users registered against their subscription on the EBICS server. In this example, XYZ Europe is a retailer that is permitted to initiate SEPA Instant Payments against the user's Euro account.

9 Demonstration / Proof of concept (2 of 3)

The retailer (XYZ Europe) initiates a payment instruction to the consumer's (debtor) bank. The retailer transmits an ISO PAIN.003 v3 message via the EBICS protocol.

10 Demonstration / Proof of concept (3 of 3)

The user is then notified on their mobile phone that there is a payment order awaiting their approval. Strong Customer Authentication (SCA) is applied with a cryptographic key (possession) plus fingerprint (inherence) or PIN (knowledge). The key is locked into the secure hardware/software zone of the mobile phone.

11 Appendix: Glossary (1 of 2)

AISP: Account Information Service Provider: An online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider (see PSD2).
ASPSP: Account Servicing Payment Services Provider: A payment service provider providing and maintaining a payment account for a payer (see PSD2).
API: Application program interface. A set of routines, protocols, and tools for building software applications.
CGI: Common Global Implementation.
CSC: Common Secure Communication.
EBA: European Banking Authority.
EBICS: Electronic Banking Internet Communication Standard.
HTTPS: Hypertext Transfer Protocol within a connection encrypted by Transport Layer Security.
PISP: Payment Initiation Services Provider: A service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider (see PSD2).
POC: Proof of Concept.
PSD2: DIRECTIVE (EU) 2015/2366 on payment services in the internal market.
PSP: Payment Services Provider, e.g. Credit Institution; Electronic money institution; Post office giro institution; Payment institution; ECB; National central bank (see PSD2).
PSR: Payment Status Report.
PSU: Payment Services User: A natural or legal (company) person making use of a payment service in the capacity of payer, payee, or both (see PSD2).

12 Appendix: Glossary (2 of 2)

QSB: Quali-Sign Banking.
RTS: Regulatory Technical Standards, submitted to the European Commission for endorsement (and entry into force).
SEPA: Single Euro Payments Area.
SCA: Strong Customer Authentication.
SCRL: Société Coopérative à Responsabilité Limitée (Cooperative Limited Liability Company).
XML: Extensible Mark-up Language.

ISO Payment Statuses

RCVD: Received: Payment message has been received by the receiving agent.
RJCT: Rejected: The rejection of a payment message, batch or transaction. This ends the life of the payment initiation.
PART: Partially Accepted: Payment message or batch contains transactions with a mix of (accepted / pending / rejected) statuses.
PDNG: Pending: A transaction is being held awaiting further checks. Further status updates will be provided.
ACTC: Accepted Technical Validation: Authentication and semantic validation was successful.
ACCP: Accepted Customer Profile: Technical and customer profile validation was successful (incl. assessment of static risks).
ACCW: Accepted With Change: The instruction is accepted but a change will be made.
ACSP: Accepted Settlement In Process: Technical and customer profile validation was successful (incl. assessment of both static and dynamic risks). The payment initiation has been accepted for execution.
ACSC: Accepted Settlement Completed: The settlement on the debtor's account has been completed.