Integrating SPC with Open Banking about secure-payment-confirmation HOT 8 CLOSED

@janaka, thanks for checking in. We continue to have conversations with our open banking colleagues (e.g., Berlin Group) about integration of SPC. I don't have any pointers to concrete change requests at this time.

from secure-payment-confirmation.

Hi all, wondering what the latest status is on open banking integration? Issues #185 and #186 seem to be it? any other issues or places to follow progress?

Hello @janaka. I think the key to SPC adoption in open banking largely lays in the standards that implement FAPI - UK, CDR, Brazil, etc. - creating a profile that allows the Payment Assertion to be sent to the ASPSP under the covers of an OpenID Connect flow. In my head the flow looks like this:

• SPC Relying Party contacts ASPSP for challenge to seed SPC. This could be done during consent/grant management interaction that typically happens prior to authentication/authorisation.
• With challenge in-hand SPC can be invoked. Based on successful authorisation a Payment Assertion is minted.
• The Relying Party can then use - ideally - CIBA to send an Authorisation Request to the ASPSP, with the Payment Assertion used to set the value of login_hint. The ASPSPs can then validate the Payment Assertion using the public key they hold.

For many markets SPC therefore snuggles up nicely with existing protocols. However, adoption will require buy-in to Webauthn and then SPC as alternative to app-to-app or web-to-app authentication which is prevalent in all markets. The onus here is on ASPSPs to adopt, and given the high level of investment to date by ASPSPs for functionality that is largely for regulatory compliance in many markets cutting in a new authentication standard may be a stretch. My fingers are, however crossed given the recent fanfare around Passkeys and the how that might force things along.

from secure-payment-confirmation.

@cyberphone

The PISP concept (unlike AISP) does not presume that the User is known by the PISP making "Your PISP" a less useful term

Under PSD2 I don't believe this is true. The PISP is the regulated entity and the legal contract is between the PSU and PISP. It therefore not only presume, in relies absolutely on the PSU and PISP knowing each other.

from secure-payment-confirmation.

@SensibleWood This sounds a bit strange. A user has no way of selecting "Your PISP"; it is done by Merchant who have a commercial contract with the PISP. The user (PSU) is usually anonymous with respect to the PISP.

May I ask how and where the PISP would manifest itself in your proposal? Does it presume PISP login as well?

from secure-payment-confirmation.

@cyberphone in the paper I wrote there is no concept of "your PISP" so I find it strange you have read this from the paper.

I dispute what you say when you consider PSD2. The PSU will absolutely know - or be made aware of - who the PISP is as there are obligations the PISP has to fulfil. For example, look at the UK open banking customer experience guidelines: https://standards.openbanking.org.uk/customer-experience-guidelines/pis-core-journeys/single-domestic-payments-acc-selection-pisp/latest/ PISP splattered all over it.

As far as PSD2 is concerned there is no "putting the PISP in the same position as a payment gateway" as that is simply not possible in the construct of the regulations and, for that matter the implementation in most territories. I get the merits from the perspective of a ubiquitous, one-size-fits-all solution but that ain't going to cut it when it comes to working in regulated markets like the EU. SPC must make accommodations for these facts otherwise it is less likely to succeed as a proposal.

from secure-payment-confirmation.

@SensibleWood There is indeed no "Your PISP" in your paper but from what you write there must be something of that kind, and I'm curious to know how and where in an SPC context. In the sequence diagram you make Merchant=PISP which hides the rather awkward "Ménage à trois" I'm referring to.

FWIW, I was recently a member of an Ad-hoc WG "to make payments better" associated with the Berlin Group NextGenPSD2 effort. One the proposals which nobody objected to was based on existing EMV terminals and cards used in a PISP/GW scenario. I believe the resulting standard proposal (Signed Payment Request) is still under serious consideration.

I will perform some private research on this topic.

from secure-payment-confirmation.

Closing this for now. I anticipate we will open more specific issues once we work more closely on integration of SPC into particular open banking rails.

from secure-payment-confirmation.

Hi all, wondering what the latest status is on open banking integration? Issues #185 and #186 seem to be it? any other issues or places to follow progress?

from secure-payment-confirmation.