[Openid-specs-fapi] Final Euro Retail Payments Board (ERPB) Report

Nat Sakimura nat at sakimura.org
Thu Jun 1 01:30:45 UTC 2017


Thanks, Dave. 

Just wanted to mention that "Embedded" is an MITM and inherently bad. We
have actually sent a comment to them pointing out the fact. 


Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation

On 2017-06-01 00:04, Dave Tonge via Openid-specs-fapi wrote: 

> Dear list members, 
> Please see the attached ERPB Report on Payment Initiation Services. As discussed in both the FAPI and MODRNA working groups, the report defines 3 approaches to the application of "strong customer authentication": 
>> EMBEDDED: the personal security credentials of the payment service user (PSU) (e.g. user ID, One Time Password (OTP)) will be transmitted to the ASPSP by the TPP.
>> REDIRECTION: the PSU is redirected to the ASPSP's website for the sole purpose of its authentication, and is then redirected back to the PISP's website.
>> DECOUPLED: SCA takes place via a dedicated device and/or app.
> The current FAPI spec supports the "redirection" approach and we are exploring using the MODRNA CIBA spec to support the "decoupled" approach. 
> Please let me know if you have any questions about this report. 
> Thanks 
> Dave 
> -- 
> Dave Tonge 
> CTO 
> 10 Temple Back, Bristol, BS1 6FL t: +44 (0)117 280 5120 
> Moneyhub Enterprise is a trading style of Momentum Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Momentum Financial Technology is entered on the Financial Services Register (FRN 561538) at fca.org.uk/register [3]. Momentum Financial Technology is registered in England & Wales, company registration number 06909772. (c) Momentum Financial Technology Limited 2016. DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Momentum Financial Technology Limited or of any other group company. 
[3] http://fca.org.uk/register