Authentication Methods

ASPSP applies an available exemption

This version is:

Published 5 years ago 20 Dec 2019
User Journey   Where all information for a complete payment order (including the PSUs’ account…

Other pages in this section

User Journey

 

Where all information for a complete payment order (including the PSUs’ account details) is passed from PISPs to ASPSPs, once PSUs have been authenticated, PSUs must be directed back to the PISP domain without any further steps taking place. This excludes the cases where supplementary information is required to be provided to PSUs as described in section Single Domestic Payments – Supplementary info).

When the ASPSP determines that an available exemption is applicable to the payment order submitted via the PISP, they may choose not to apply SCA. The SCA and the application of exemptions is solely within the domain of the ASPSP.

 

Wireframes

To demonstrate an app based redirection part of the journey we have used one variation of PIS journey (Single Domestic Payments – a/c selection @ PISP) as an example, where the ASPSP receives all the details of the payment order from the PISP.

This redirection flow applies to other variations of PIS journeys covered in detail under section Payment Initiation Services (PIS).

This content is best viewed on a desktop browser.

1

CEG Checklist Requirements 1
PISPs must allow the PSU to either enter the account details or select the account with their ASPSP

2

CEG Checklist Requirements 2
PISPs must communicate information clearly to the PSU when obtaining consent in order to initiate the payment order

4

CEG Checklist Requirements 4
If the PSU has an ASPSP app installed on the same device the redirection must invoke the ASPSP app for authentication purposes only without introducing any additional screens and offer the same authentication method(s) available to the PSU when authenticating in their ASPSP’s direct channels.

5

CEG Checklist Requirements 5
ASPSPs must display as minimum the Payment Amount, Currency and the Payee Account Name on to make the PSU aware of these details (unless an SCA exemption is being applied). These details must be displayed as part of the authentication journey on at least one of the following screens without introducing additional confirmation screens (unless supplementary information is required, refer to section Single Domestic Payments – Supplementary info): 1. Authentication screen; 2. ASPSP to PISP outbound redirection screen.

6

CEG Checklist Requirements 5
ASPSPs must display as minimum the Payment Amount, Currency and the Payee Account Name on to make the PSU aware of these details (unless an SCA exemption is being applied). These details must be displayed as part of the authentication journey on at least one of the following screens without introducing additional confirmation screens (unless supplementary information is required, refer to section Single Domestic Payments – Supplementary info): 1. Authentication screen; 2. ASPSP to PISP outbound redirection screen.

7

CEG Checklist Requirements 6
ASPSPs app based authentication must have no more than the number of steps that the PSU would experience when directly accessing the ASPSP mobile app (biometric, passcode, credentials).

11

CEG Checklist Requirements 10
PSU must be redirected straight back to the PISP website/app on the same device where PISP displays confirmation of successful initiation.

These details must be displayed as part of the authentication journey on at least one of the following screens without introducing additional confirmation screens (unless supplementary information is required, refer to section Single Domestic Payments – Supplementary info).

    CEG Checklist Requirements & Customer Experience Considerations

    1

    AISPs must initially ask the PSU to identify the ASPSP so that the consent request can be constructed in line with the ASPSP’s data clusters.

    24

    2

    PISPs must communicate information clearly to the PSU when obtaining consent in order to initiate the payment order.

    8

    PISPs should provide messaging on their inbound redirection screen to inform PSU that they will be taken to their ASPSP to authenticate to complete the payment.

    PISP should display in the Redirection screen the Payment Amount, Currency and the Payee Account Name to make the PSU aware of these details.

    4

    If the PSU has an ASPSP app installed on the same device the redirection must invoke the ASPSP app for authentication purposes only without introducing any additional screens and offer the same authentication method(s) available to the PSU when authenticating in their ASPSP’s direct channels.

    5a

    5

    ASPSPs must display as minimum the Payment Amount, Currency and the Payee Account Name on to make the PSU aware of these details (unless an SCA exemption is being applied).

    These details must be displayed as part of the authentication journey on at least one of the following screens without introducing additional confirmation screens (unless supplementary information is required, refer to section Single Domestic Payments – Supplementary info):

    1. Authentication screen;
    2. ASPSP to PISP outbound redirection screen.

    28

    6

    ASPSPs app based authentication must have no more than the number of steps that the PSU would experience when directly accessing the ASPSP mobile app (biometric, passcode, credentials).

    1

    The ASPSP may to apply an available SCA exemption.

    ASPSPs should have outbound redirection  screen which indicates the status of the request and informs the PSU that they will be automatically taken back to the PISP.

    ASPSPs should inform the PSU on the outbound redirection screen that their session with the ASPSP is closed.

    10

    PSU must be redirected straight back to the PISP website/app on the same device where PISP displays confirmation of successful initiation.

    26

    What the research says

     

    Click for customer research