[Openid-specs-fapi] Industry Std: EMV+SEPA Inst+Open Banking
anders.rundgren.net at gmail.com
Wed Apr 22 12:27:13 UTC 2020
On 2020-04-22 12:43, Joseph Heenan wrote:
> Hi Anders,
> It actually looks to be exactly what we’ve explained to you a few times - it’s identical to the VRP (variable repeat payment) model, i.e. using OAuth2 for “enrolment”, and [as PSD2 law stands today] it requires a contractual arrangement with the bank.
In my take on the matter the issuing bank would be the only legitimate user of the Open Banking API (when accessed in the alternate mode). In the consortia scheme "Card processing" would happen on the same (Gateway) layer and rely on the same legal framework as current direct-debit card transactions.
> The new part introduced ('identity_token’) is unclear,
This is quite possible which is why I have hoped on other people looking into this.
> and probably could do with a different name to avoid any confusion with OIDC’s id_token.
I'm open to suggestions :)
>> On 22 Apr 2020, at 07:06, Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net> wrote:
>> Dear list;
>> I have off-list received a presentation of a proposed multi-party effort to make SEPA instant payments usable at the PoS and on-line, based on the existing EMV standard and an enhanced Open Banking API. From what I can deduct, this proposal is not building on the OAuth2 security model. In fact, it is almost a carbon copy of what I have been pestering you about for a while. Some ideas seem to hit many brains at approximately the same time :)
>> However, creating a specific EMV/SEPA solution for Open Banking is probably not necessary; a dual-mode Open Banking API should suffice (I obviously need to verify this...).
>> The alternative to Open Banking is entirely new plumbing which seems like a waste since a dual mode should affect less than 5% of the code base of a well-designed Open Banking implementation. In the end it is of course a question for the banks.
>> Openid-specs-fapi mailing list
>> Openid-specs-fapi at lists.openid.net
More information about the Openid-specs-fapi