This document discusses new technical standards for strong authentication and secure communication required under the Payment Services Directive 2 (PSD2). PSD2 will define new payment service providers with access to customer accounts, and the Regulatory Technical Standards on Strong Customer Authentication and Secure Communication (RTS) establish security requirements for account access. The RTS require dedicated interfaces for account access that ensure security, traceability and availability. Standards are also discussed for payment initiation service providers and account information service providers to identify themselves and communicate securely with account servicing payment service providers. The Berlin Group is working on pan-European payment standards to enable access to bank accounts under PSD2.

1. 1
REGULĒJOŠIE TEHNISKIE STANDARTI STINGRAI
AUTENTIFIKĀCIJAI UN DROŠAI KOMUNIKĀCIJAI
20.06.2017

2. 2
 PAYMENTSERVICESDIRECTIVE(PSD2)
Tiks nodefinēti jauni maksājumu
pakalpojumu sniedzēji
Account information service providers
Payment initiation service providers
kuri turpmāk tiks reģistrēti,
licencēti un regulēti ES līmenī
piekļuve klientu
kontiem konta
turētājiestādē
XS2A
access
to
account
lai atvieglotu klientu norēķinus
e-komercijā
lai nodrošinātu pārskatu par vairākiem
kontiem vienlaicīgi
konta
turētājiestāde
Account servicing
payment service
provider – ASPSP
piemēram Application
Programming Interface
API
konkurence un
zemākas komisijas
maksas
Card-based instrument issuers
lai veicinātu nebanku karšu produktu
attīstību

3. 3
RTSon SCA&CSC
EBA mandāts – no PSD2:
- requirements for strong customer authentication
- exemptions from the application of strong customer authentication
- requirements to protect the confidentiality and integrity of the users' personalised
security credentials
- requirements of common and secure open standards of communication
Iesniegti Eiropas Komisijai 2017. gada februārī
https://www.eba.europa.eu/regulation-and-policy/payment-services-and-electronic-money/regulatory-technical-
standards-on-strong-customer-authentication-and-secure-communication-under-psd2
RTS stāsies spēkā 18 mēnešu laikā pēc apstiprināšanas
Apstiprināšana – 2017. oktobris
Stāšanās spēkā – 2019. aprīlis
FORMA – deleģētā Regula

4. 4
Standards ofcommunication(1)
RTS only apply to payment accounts
Dedicated interface shall ensure the same level of availability and
performance as the interfaces offered to their own customers
Can obtain only the necessary information for the provision of a given
payment service with the consent of the payment service user
individual for each request or as a mandate
individual for each payment to be initiated
interface to use standards of communication developed by international or
European standardisation organisations
ASPSP free to decide: dedicated interface
same interface for identification and
communication with users

5. 5
Standards ofcommunication(2)
General requirements for interfaces
secure identification when communicating
Specific requirements for interfaces
risks of misdirection of communication to unauthorised parties – effectively
mitigated
tracebility
TPP able to identify themselves
TPP able to communicate securely to request information, initiate a payment
order and receive unformation (incl. regarding the execution of the
transaction)
Interface shall allow AISP and PISP to rely on all authentication procedures by
the ASPSP

6. 6
Standards ofcommunication(3)
Available testing facility, including support for connection and functional
testing
Availability requirements/contingency/reporting
technical specification is documented, specifying a set of routines, protocols,
and tools needed to interoperate with ASPSP systems. Available at no charge,
upon request. Information about the changes – at least 3 months before

7. 7
Standards ofcommunication(4)
TPP identification
qualified certificates for electronic seals (Art.3(30)) or for website
authentication (Art.3(39)) of Regulation (EU) No 910/2014
Security of communication
secure sessions
requirements for qualified certificates
confidentiality of credentials
data exchanges
PISP to provide ASPSP the same information as requested from the user
when initiating the payment directly
AISP can access information even if the user does not actively request it
(no more than 4 times in 24h)

8. 8
Berlingroup (1)
Pan-European payment interoperability standards and harmonisation
initiative – to define open and common standards in the intebank domain

9. 9
Berlingroup (2)
NextGenPSD2 Initiative  (13 June 2017) announced the creation of an
open, common and harmonised European API standard to enable TPPs to
access bank accounts under the PSD2
The standard will offer operational rules and implementation guidelines with
detailed data definitions, message modelling and information flows based on
RESTful API methodology
Q3 2017 consultation with the market
Q4 2017 full detailed standard
Papildus info: http://www.berlin-group.org/psd2-access-to-bank-accounts

10. 1001
Deniss Fiļipovs
Maksājumu sistēmu politikas daļas vadītājs
Maksājumu sistēmu pārvalde
Latvijas Banka
tālrunis: 6702 2483
e-pasts: deniss.filipovs@bank.lv