A dedicated (single-purpose) app, issued by banks (Account Servicing Payment Service Providers, ASPSPs) to their customers (Payment Service Users, PSUs) to perform Strong Customer Authentication (SCA). Both Decoupled and App-to-App Redirection SCA are supported, using common PSU credentials.
Multiple bank channels are supported, including PSD2 and bilateral APIs, 'host-to-host' and SWIFT FileAct protocols.
As well as meeting retail banking requirements, more complex corporate banking requirements are supported, including multi-user approval of individual and bulk payments.
The app fully supports the following ISO 20022 payment formats:
- PAIN.001 v3 - Credit Transfer
- PAIN.008 v2 - Direct Debit
- PAIN.002 v3 - Payment Status
- ACMT.007 v1 - Account Opening
- PAIN.009 v1 - E-Mandate
The approver is initially presented with summary information and can drill down into the full payment content as required. This is essential as approval will effect the transfer of liability. Payment status, including reason information, is reported at file, batch and transaction level. Status is also presented/filtered in coloured 'traffic light' categories.
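As an added illustration of the status reporting described above (example code written for this page, not the vendor's app), the Go program below reads a pain.002 payment status report, flattens the status and reason codes at file, batch and transaction level, and sorts each row into a traffic-light colour so an approver can filter on it. The sample message, the colour grouping, and the rule that a batch or transaction without its own status inherits the status reported above it are this example's own assumptions, not something the page specifies.

```go
package main

import "encoding/xml"

// Report maps just the parts of a pain.002.001.03 message needed to read status and reason
// information at file (original group), batch (payment information) and transaction level.
type Report struct {
	XMLName xml.Name `xml:"Document"`
	Group   struct {
		OrgnlMsgId string   `xml:"OrgnlMsgId"`
		GrpSts     string   `xml:"GrpSts"`
		Reasons    []string `xml:"StsRsnInf>Rsn>Cd"`
	} `xml:"CstmrPmtStsRpt>OrgnlGrpInfAndSts"`
	Batches []struct {
		OrgnlPmtInfId string   `xml:"OrgnlPmtInfId"`
		PmtInfSts     string   `xml:"PmtInfSts"`
		Reasons       []string `xml:"StsRsnInf>Rsn>Cd"`
		Txs           []struct {
			OrgnlEndToEndId string   `xml:"OrgnlEndToEndId"`
			TxSts           string   `xml:"TxSts"`
			Reasons         []string `xml:"StsRsnInf>Rsn>Cd"`
		} `xml:"TxInfAndSts"`
	} `xml:"CstmrPmtStsRpt>OrgnlPmtInfAndSts"`
}

// Row is one line of the approver's view: level, identifier, effective status code, colour, reason codes.
type Row struct {
	Level, ID, Status, Light string
	Reasons                  []string
}

// Light maps a status code to a traffic-light colour. The grouping is this example's own: settled
// (ACSC) is green, rejected (RJCT) is red, and every other state, known or not, is amber (needs attention).
func Light(status string) string {
	switch status {
	case "ACSC":
		return "green"
	case "RJCT":
		return "red"
	default:
		return "amber"
	}
}

// inherit returns an element's own status when present, otherwise its parent's (example rule).
func inherit(own, parent string) string {
	if own != "" {
		return own
	}
	return parent
}

// Summarize parses a pain.002 message and flattens it into file, batch and transaction rows.
func Summarize(xmlText string) ([]Row, error) {
	var r Report
	if err := xml.Unmarshal([]byte(xmlText), &r); err != nil {
		return nil, err
	}
	rows := []Row{{"file", r.Group.OrgnlMsgId, r.Group.GrpSts, Light(r.Group.GrpSts), r.Group.Reasons}}
	for _, b := range r.Batches {
		bs := inherit(b.PmtInfSts, r.Group.GrpSts)
		rows = append(rows, Row{"batch", b.OrgnlPmtInfId, bs, Light(bs), b.Reasons})
		for _, t := range b.Txs {
			ts := inherit(t.TxSts, bs)
			rows = append(rows, Row{"transaction", t.OrgnlEndToEndId, ts, Light(ts), t.Reasons})
		}
	}
	return rows, nil
}

// Filter keeps only the rows in one colour, e.g. the red ones an approver wants to see first.
func Filter(rows []Row, light string) []Row {
	var out []Row
	for _, row := range rows {
		if row.Light == light {
			out = append(out, row)
		}
	}
	return out
}

// SampleReport is a constructed pain.002.001.03 message, not real bank data: the file is partially
// accepted, its one batch accepted, one transaction inherits the batch status and one is rejected.
const SampleReport = `<Document xmlns="urn:iso:std:iso:20022:tech:xsd:pain.002.001.03">
 <CstmrPmtStsRpt>
  <GrpHdr><MsgId>STS-0001</MsgId><CreDtTm>2024-03-01T09:30:00</CreDtTm></GrpHdr>
  <OrgnlGrpInfAndSts>
   <OrgnlMsgId>PAIN001-0001</OrgnlMsgId><OrgnlMsgNmId>pain.001.001.03</OrgnlMsgNmId><GrpSts>PART</GrpSts>
  </OrgnlGrpInfAndSts>
  <OrgnlPmtInfAndSts>
   <OrgnlPmtInfId>BATCH-1</OrgnlPmtInfId><PmtInfSts>ACCP</PmtInfSts>
   <TxInfAndSts><OrgnlEndToEndId>E2E-1</OrgnlEndToEndId></TxInfAndSts>
   <TxInfAndSts><OrgnlEndToEndId>E2E-2</OrgnlEndToEndId><TxSts>RJCT</TxSts>
    <StsRsnInf><Rsn><Cd>AC01</Cd></Rsn></StsRsnInf></TxInfAndSts>
  </OrgnlPmtInfAndSts>
 </CstmrPmtStsRpt>
</Document>`
```

Running `Summarize(SampleReport)` yields four rows: the file (PART, amber), the batch (ACCP, amber), E2E-1 (ACCP inherited from the batch, amber) and E2E-2 (RJCT with reason AC01, red); `Filter(rows, "red")` then returns only E2E-2. Treating unknown codes as amber rather than green is deliberate: a status the app cannot classify should never look settled.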
The app connects to banks via EBICS, which offers the highest levels of security. This allows a bank to integrate the solution with its payments processes, using existing EBICS-enabled products from mainstream software vendors. The EBICS Server is responsible for managing user identities, entitlements and key/certificate exchange. The server only presents the user with a banking order for approval if they have the corresponding permissions. Where multiple user approvals are required, the EBICS server will not release a banking order for onward processing until the necessary number of approvals has been captured. When a banking order enters the ‘decoupled’ approval procedure, a ‘push notification’ is sent to the user’s device. This triggers the app to download the latest list of orders that are awaiting user approval.
SCA capture involves the creation of a cryptographic digital signature, using an asymmetric (public/private) key pair. The private key element resides within the ‘trusted hardware zone’ of a multi-purpose device (i.e. smartphone/tablet). All SCA cryptographic functions using the private key are performed from within the hardware zone. The private key is created inside, and can never leave, the trusted hardware zone. The private key (constituting ‘possession’) is unlocked via the use of either the device’s biometric sensor (e.g. fingerprint / facial recognition, constituting ‘inherence’) and/or via a PIN (constituting ‘knowledge’).
The public key element, together with personal identification details of the user, is included within an X.509 certificate, issued to the user by the bank. The bank can centrally revoke this certificate at any time. The SCA proof includes the electronic signature, together with a copy of the user’s X.509 certificate as well as a copy of the data that was signed.
In addition to the EBICS standard, the solution provides the option to package the SCA proof into an ‘Associated Signature Container’ (ASiC-E), containing Advanced Electronic Signatures (AdES). This is recommended by the EU eIDAS regulation. Using an ASiC structure, the SCA proof is more easily portable and verifiable using third party tools, as required by GDPR. The AdES standard includes Timestamp and Commitment Type elements (to specify, e.g. #proofOfCreation, #proofOfApproval, #proofOfRevocation, or #proofOfCancellationRequest). Together, these make the SCA proof unique, unambiguous and demonstrable (i.e. verifiable), as required by PSD2 and GDPR.
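The signature, certificate and proof flow of the preceding paragraphs, as an added Go example that is not the vendor's code and does not implement EBICS transport or ASiC-E/AdES packaging: the bank runs a small CA that issues user certificates carrying the user's identity, the user signs the hash of a banking order, and the SCA proof bundles that signature with the certificate and a copy of the signed data. The verifier checks that the certificate chains to the bank's CA, is within its validity period and is not revoked, then that the signature covers the embedded data copy. The bank and user names, the serial numbers, and a revocation list keyed by certificate serial number are assumptions made for this example; a software key stands in for the device's trusted hardware zone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Proof carries what the page lists as the SCA proof: signature, signer certificate, copy of the signed data.
type Proof struct{ Signature, CertDER, SignedData []byte }

// Bank stands in for the ASPSP (constructed for this example): it issues user certificates from
// its own CA and keeps the central revocation list, keyed by certificate serial number.
type Bank struct {
	caCert  *x509.Certificate
	caKey   *ecdsa.PrivateKey
	revoked map[string]bool
}

func check(err error) {
	if err != nil {
		panic(err) // key generation or certificate issuance failing is fatal in this example
	}
}

func template(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn}, // the user's identification details
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
}

// NewBank creates a self-signed CA for the hypothetical bank.
func NewBank() *Bank {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := template("Example Bank SCA CA", 1)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &Bank{caCert: cert, caKey: key, revoked: map[string]bool{}}
}

// IssueUserCert binds a user's public key and identity into a certificate signed by the bank.
func (b *Bank) IssueUserCert(user string, serial int64, pub *ecdsa.PublicKey) []byte {
	der, err := x509.CreateCertificate(rand.Reader, template(user, serial), b.caCert, pub, b.caKey)
	check(err)
	return der
}

// Revoke adds a certificate serial number to the bank's central revocation list.
func (b *Bank) Revoke(serial int64) { b.revoked[big.NewInt(serial).String()] = true }

// Sign produces the SCA proof over a banking order. On the real device the private key sits in
// trusted hardware and is unlocked by PIN or biometrics; here a software key stands in.
func Sign(priv *ecdsa.PrivateKey, certDER, order []byte) Proof {
	digest := sha256.Sum256(order)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	check(err)
	return Proof{Signature: sig, CertDER: certDER, SignedData: append([]byte(nil), order...)}
}

// Verify checks that the certificate chains to the bank's CA and is not revoked, then that the
// signature is valid over the embedded copy of the signed data. It returns the signer's name.
func (b *Bank) Verify(p Proof) (string, error) {
	cert, err := x509.ParseCertificate(p.CertDER)
	if err != nil {
		return "", err
	}
	if b.revoked[cert.SerialNumber.String()] {
		return "", errors.New("certificate revoked")
	}
	roots := x509.NewCertPool()
	roots.AddCert(b.caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(p.SignedData)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], p.Signature) {
		return "", errors.New("signature invalid")
	}
	return cert.Subject.CommonName, nil
}
```

Because the proof carries its own copy of the signed data, anyone holding the bank's CA certificate can re-run `Verify` later without access to the bank's systems; a proof whose data copy has been altered, whose certificate came from another CA, or whose certificate the bank has since revoked fails, while the unchanged proof keeps verifying. The revocation check runs before the chain check so a revoked but otherwise valid certificate is reported as such rather than as a generic chain failure.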
EBICS = Electronic Banking Internet Communication Standard http://www.ebics.org/
PSD2 = DIRECTIVE (EU) 2015/2366 on payment services in the internal market
GDPR = REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data
eIDAS = REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market.