Topic AA - Support of Electronic Payments Customer Authentication (SCA) with the Wallet #582
Replies: 13 comments 38 replies
-
|
Hi, Phin 10 |
Beta Was this translation helpful? Give feedback.
-
|
Dear ARF team, Thank you for preparing the AA discussion paper. I would like to offer the following views/comments:
A strong yes from my side. Let's consider the opposite: If such a control is missing, then any (including malicious) Relying Party will be able to invoke "confirm payment" or "log in to your bank" screens in the user's EUDIW by combining the respective transaction data type with a request for any, including non-related, attestation. If that RP then serves some well-faked pages to the user (e.g., "Login successful. By the way, you must update your password. Enter current password here: ___"), this will allow for very powerful phishing attacks. That said, this check alone will likely not be enough, as we can assume that the certificate/registrar regime to limit RPs regarding which attestations they can request will not be perfect in the field, and some fraudsters will slip through. It therefore needs to be combined with a robust 'embedded disclosure policy' feature which allows issuers to exercise control over which RPs can request their SUA attestations. HLR EDP_07 of Topic 43 in Annex 2 currently only requires the Wallet Unit to show a Deny or Allow dialogue to the user in case the RP does not match the policy. I therefore propose that for SUA attestations, Wallet Units should enforce these policies. |
Beta Was this translation helpful? Give feedback.
-
|
One important aspect missing in this discussion is the topic of fraud signals from the perspective of a payment service provider. The financial sector today uses advanced analytics techniques together with a rule-based holistic approach across service domains collecting and analysing user transaction data to be able to react on fraudulent behaviour. These kinds of systems are depending on collecting user audit events with information from different service domains, channels, client applications, devices, etc to be able to get a holistic view of user activities over time and risk score a particular transaction.
The revised eIDAS Regulation, which guides the ARF's development, does not address the use of external data to combat fraud. In fact, it includes strict privacy limitations, particularly for Wallet Providers. As per Article 5a14, Wallet Providers are restricted from collecting unnecessary information about a wallet's use, or combining personal data from the wallet with data from other services without the user's explicit request. Therefor this is not only a technical issue, but also a regulatory one. The integration of the EUDI Wallet as an optional authenticator must be carefully managed to avoid any dilution of the robust security measures currently implemented by the banking sector. |
Beta Was this translation helpful? Give feedback.
-
First of all, I agree that -- as suggested -- the relevant functional requirements in this section 4.2 should be covered in a/multiple Technical Specification(s). In terms of HLRs, to me the following aspects appear to be specific/noteworthy and would benefit from being called out as requirements:
|
Beta Was this translation helpful? Give feedback.
-
|
As part of the work produced by EWC and NOBID on payments with EUDIWs, we have identified one functional requirement for wallets to improve security when it comes to man-in-the-middle attacks: "When receiving a request for an SUA Attestation including transaction data, the wallet SHALL bind its response to the requesting Relying Party e.g. by putting the RP's public key, which the wallet knows and has validated as part of the signed Authorization Request as per HAIP, into the 'aud' claim of the KB JWT accompanying the SUA Attestation." We imagine that this requirement may be useful also as a general rule (i.e. not only in the context of SUA attestations/transaction data), but we are unaware whether it has already been captured elsewhere. We are happy to engage in a discussion to find an appropriate "home" for this requirement. |
Beta Was this translation helpful? Give feedback.
-
|
Dear ARF team, Thank you for hosting the second consultation call on 1st October and preparing the updated AA discussion paper v0.95.
For SD-JWT VC over OID4VP, I believe the native capabilities of the protocol are sufficient given that the spec defines in detail how incoming transaction data needs to be handled and included in the response's KB JWT. For mdoc/mDL, I took from yesterday's call that we may need to profile the spec as part of the upcoming TS12 to guarantee uniform handling of transaction data in the wallet's response and specifically compliance with Dynamic Linking. Happy to contribute. |
Beta Was this translation helpful? Give feedback.
-
|
As an outcome of the first consultation call on 24th September, there was broad consensus in the group that we need to introduce provisions to prevent the scenario where a (malicious) Relying Party will be able to invoke "confirm payment" or "log in to your bank" screens in the user's EUDIW by combining the respective transaction data type with a request for any, including non-related, attestation. To address this topic, the AA discussion paper v0.95 introduces a new SUA_07. For the record, I would like to note that the wording of this HLR does not reflect the group consensus because it fails to meet the objective, given that it leaves the wallet's behaviour undefined for the non-happy path. I propose a more detailed handling as follows:
The second point is in line with the current solution for embedded disclosure policies, which is a comparable scenario as they aim to protect the user from presenting an attestation to an unwanted relying party. The warning mechanism is specified in EDP_07. |
Beta Was this translation helpful? Give feedback.
-
|
SCA in the EUDIW must not fall short of the standards set by FIDO. It should deliver at least a Level of Assurance (LoA) “Substantial” to “High” as required by regulations such as eIDAS and PSD2, and align with the expectations of the financial industry. Dear ARF team, While OpenID4VP is an important protocol component, it only addresses part of what a complete SCA solution requires. It does not cover several critical aspects, including:
Given these broader requirements, FIDO should be considered as a foundation for implementing SCA within the EUDIW. Its proven security properties, wide industry acceptance, and regulatory compliance make it a strong candidate to ensure robust, future-proof authentication. |
Beta Was this translation helpful? Give feedback.
-
|
Below are comments jointly provided by Quali-Sign Ltd and SGM Consulting By way of introduction, our assessment of EUDIW SCA processes is primarily based on our reading of eIDAS article 5f2 stating that (i) EUDIW are capable of performing SCA when requested by the wallet user and (ii) EUDIW SCA must be accepted by banks. We see this as having two major implications: SCA is structurally geared towards evidencing payer’s consent to payment, a legal requirement for ASPSPs allowing them to avoid liability when releasing payers’ funds. In order to be fully effective, the proof package of SCA should legally reverse the burden of SCA proof - from the party claiming that SCA had validly taken place to the party claiming that SCA did not validly take place. On section 3 Use cases It should be confirmed that “Issuer-requested flows” primarily relate to redirection SCA processes (with the caveat that the “Issuer-requested flows” terminology appears deficient as banks, contrary to payees, do not ‘request’ payments but rather validate and process payment instructions received from payers). It should also be confirmed that “payee-requested flows” imply embedded SCA. Note: We see embedded SCA as having considerable value-creation potential in terms of enhanced security, friction reduction and new use cases and services – with the added benefits that it supports both online and offline connectivity interactions but also the combination of merchant-related attributes (those requested by the merchant to finalise the sale) and bank-related attributes (client and optionally payment means attributes) which can be separated after receipt by the merchant and forwarded to PSPs for payment processing purposes. In addition, payee-requested payments usually imply the payee presenting their own payment details which, when issued as [Q]eAA, offer instant VoP - verification of payee without the need for a separate verification process. Embedded SCA can be also performed at the request of other parties, not only the payee. For example, a PSU may use the services of a multi-bank platform that provides the user with the ability to operate in one place their accounts they hold with multiple different banks. In this context, the multi-bank platform is a service provider operating on behalf of the payer. This provider may itself be certified as an Account Information Service Provider (AISP) or a Payment Information Service Provider (PISP) or it relies on the services of a 3rd party AISP or PISP. The multi-bank platform may ask the user to perform SCA to provide their consent to access account information, it may ask the user to perform SCA on a payment initiation request, set up by the user within the platform. Also, depending on availability of Electronic Bank Account Management (EBAM) API’s, it may request the user perform SCA on an account opening request for example. In a corporate context, an Enterprise Resource Planning (ERP) platform may perform a similar role. Therefore, it may be more appropriate to rename “payee-requested-flow” to “3rd party requested flow”. We fail to understand how the distinction between ‘issuer-requested flows’ and ‘payee-requested flows’ is related to PSD2 or the more recent draft Payment Services Regulation (PSR) requirements. The discussion paper rightly mentions the 3 SCA use cases listed in article 97.1 of PSD2 but brings no justification to the view that for ‘payee-requested flows’, only the payment initiation SCA use case is permitted. We wonder where this is coming from as: On section 4.1 Process Control Answer to question 1: On section 4.2.1 Principle of Clarity and Unambiguity On Section 4.2.3 WYSIWYS principle In addition, it would be beneficial for the Secure Rendering Environment to produce a cryptographic attestation that evidences what was presented to the user (WYSIWYS) as well a (e.g. SHA-256) hash of the transactional data. This attestation would then be included in the data structure that is signed to produce the SCA proof. The attestation could also include the characteristics of the secure rendering environment, such as level of assurance, for example: On Section 4.3 Authentication fraud This is essential to ensure that an ASPSP does not release the payer’s funds having successfully verified the SCA/SUA proof created using a wallet unit that has previously been revoked. A wallet provider cannot remotely disable an offline wallet that remains capable of performing SCA/SUA offline in proximity use cases. Instead, the SCA/SUA proof itself must be invalidated e.g. via certificate revocation. It must be assumed that if a wallet holder can provide evidence that they have notified their wallet provider or PID issuer that their smartphone has been stolen, any transactions relying on SCA proof subsequently created using their (revoked) wallet unit must be deemed to be unauthorized. On Section 4.4 Fraud signals |
Beta Was this translation helpful? Give feedback.
-
|
Whilst we largely agree with the feedback of @sgmouy, we have provided our feedback by email yesterday. |
Beta Was this translation helpful? Give feedback.
-
|
Since the two LSPs that developed payment support came up with entirely different solutions, maybe the discussions should start with what architecture the EU should invest in? EMV-like solutions à la NOBID and 3DS solutions à la EWC have quite different UX, security, and privacy characteristics. I recently found out that the current idea is that each payment network (VISA, SEPA instant, etc.) is supposed to develop its own SCA solution as well as JSON Schema for the request. In a pretty advanced PoC of mine, I have universalized these elements, leading to a considerably simpler wallet. The PoC also supports receipts and account balances. Architecturally, the PoC is pretty close to NOBID. Everything is open and free from licenses: |
Beta Was this translation helpful? Give feedback.
-
|
Dear phin10, Many thanks for drafting this document. From our side - the Dutch Payments Association, we would like to point out that we disagree with the content in chapter 3 that assumes that strong user authentication (SUA) and strong customer authentication (SCA) are the same. SUA is in essence two-factor authentication (2FA), while SCA is much more than 2FA due to the requirements set in the RTS on SCA. As a result, SUA and SCA are not equal. As described in art. 5f(2), relying parties should accept the wallet in occassions where they perform strong user authentication for online identification. Translating art. 5f(2) to payments, we believe this entails that the EUDIW should be accepted to perform the 2FA part within SCA, but not as full means to perform SCA. We've extensively described our views in a paper: https://www.betaalvereniging.nl/en/actueel/nieuws/eu-digital-identity-wallet-assessment/. Kind regards, |
Beta Was this translation helpful? Give feedback.
-
|
Before going on technical discussions, I would highly recommend to review all ARF documents specifying use cases for SCA and in particular for payment, towards regulation compliancy (PSD2, RTS, eIDAS2, GDPR, TFEU ...).You will find herebelow a link towards personal comments for regulatory compliances for the folliwing 3 documents You will find my comments with **this shared updated link¨ to copy and paste (otherwise block) : https://share.mailo.com/?key=IzycsAKXnEvOddiddTvJtST29orSd0pqOlkLrASQzk9V3FHBJCdeyw%3D%3D I remain at the disposal of the EU commission, DG FISMA, the two LSPs APTITUDE and new Build, for explaining or detailing further my comments. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Description
Support of Electronic Payments Customer Authentication (SCA) with the Wallet needs to be discussed further. Intention is to draft and finalise the minimal needed high level technical requirements for the ARF.
Publication discussion paper
19 September 2025
Link to discussion paper
Link
Discussion close
Three weeks later.
Beta Was this translation helpful? Give feedback.
All reactions