IAPP CIPT – GDPR and Payment Services Directive (PSD2) Part 4
12. Authentication Step
Hi guys. In this lesson we’ll discuss the authentication step. The research has highlighted some suggestions to make this step more customer friendly. The presence of the ASPSP’s branding and logo at this step is critical to engendering customer confidence and trust in the entire process. The more distinctive the authentication step is when compared to the TPP’s online or mobile experience, the better. The more consistent this ASPSP experience is with the online or mobile banking experience of the ASPSP, the more familiar it seems to the customer, and therefore the greater the sense of security and trust it engenders. Customers would welcome an authentication step that could be shortened without compromising the safety and security of the process, for example by using Touch ID. Assurance was also needed that no information shared by the customer during this step is made available or visible to the TPP.
13. Authorisation Step
Hi, guys. In this lesson, we’ll discuss the authorization step. It should be made clear at the point of requesting authorization how it may be revoked. The use of standardized data clusters during the authorization request aids clarity, trust and familiarity. The customer should not be able to deselect any of the data clusters presented as part of the authorization request. However, they should be able to accept or reject the authorization request in its entirety.
The research has shown that the ability to view up-to-date account balance information, and to choose an account to pay with based on that information, is of benefit and importance to the customer. However, it is also suggested that customers might require some reassurance that their balances are not available or visible to the TPP. This could be achieved by including text such as “This information is not visible to [TPP name]”. It is also recommended that the authorization request explicitly mentions that the payment is a single payment and that it will be submitted by the ASPSP for execution.
Before authorization, the experience of the consent step on the various TPPs’ websites or apps may vary. Therefore, for most online customer journeys, the authorization step will be the standardizing factor and will bring clarity to what customers are agreeing to. It is therefore important that the information displayed and the language used are standardized across ASPSPs, including the use of data clusters.
The research also revealed that consumer segments such as technophiles, financial progressives and early adopters prefer a hybrid model where the authentication and authorization steps are combined. This was viewed as a good compromise between a customer understanding their actions and the simplicity or speed of the process. Although these segments represent a large minority, estimated to be around 20%, the majority of the open banking addressable market showed a clear preference for a separate authorization step.
14. Redirection
Hi guys. In this lesson, we’ll discuss redirection. At launch, the Open Banking consent, authentication and authorization steps follow the redirection model. This is where the customer is redirected from the TPP’s domain to the ASPSP’s domain for authentication and authorization. Redirection screens will be presented between the consent and authentication steps, and then after the authorization step, when the customer is redirected back to the TPP’s domain. It was demonstrated that the redirection screens are a useful part of the process.
They help provide customer trust for the following reasons. They help customers navigate their online journey and inform them of what is going to happen next. They help create a clear sense of separation between the TPP’s domain and the ASPSP’s domain. Also, messaging on the redirection screen serves to reassure the customer that they are in control and helps engender trust. For example, customers will be more willing to trust the process if they feel there is a partner on their side, either the TPP or the ASPSP, that is known and reputable. In this sense, the use of words that indicate that the customer is in control and taking the lead is key, as these are indications that the TPP or the ASPSP is working with or for the customer.
15. Data Minimisation & Permissions
Hi, guys. In this lesson, we’ll discuss data minimization and permissions. TPPs need to follow a data minimization approach whereby they only request access to the PSU data that they need to deliver the specific service they are offering. In the Open Banking API design, data elements are logically grouped together into permissions, as shown in the following table. It is at this level that TPPs will request data access: if they request access to a specific permission, they will have access to all the data elements in that permission. This provides a pragmatic approach, allowing TPPs to be selective while at the same time creating a consent process that is at an acceptable level of granularity for the PSU.
The structuring of data elements into permissions is a core part of the Read/Write API design and influences how participants should approach the implementation of the consent model. As part of the consent step, the TPP will have to describe the data they are requesting access to. As part of the authorization step, the ASPSP will have to play back the data that the PSU has consented to provide access to. It is critical that the language used by both parties to describe the data is consistent, so that the PSU can be sure they are authorizing the ASPSP to provide the TPP with exactly the access they consented to.
The ASPSP will have no sight of the language used by the TPP in the consent step; the ASPSP will only know which permissions have been included in the access request from the contents of the message delivered by the API. Participants are under no obligation to implement this standardized language, but it has been recognized that failing to do so could lead to customer confusion and potentially reduce take-up.
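To make the consent mechanics of lessons 13 and 15 concrete, here is an added Python sketch of the ASPSP side (example code, not from the course or the Open Banking standard): it checks a TPP request against a service’s minimal permission set, plays the requested permissions back as standardized cluster language derived only from the API message, and enforces all-or-nothing authorization. Permission names are modelled on Open Banking UK Read/Write API naming, but the cluster wording and the SERVICE_NEEDS table are assumptions.

```python
# Added example: ASPSP-side consent playback and authorization model.
# Permission identifiers follow Open Banking UK naming; cluster wording
# and the per-service minimal permission sets are assumed for illustration.

# Standardized data-cluster language keyed by API permission (assumed wording).
PERMISSION_CLUSTERS = {
    "ReadAccountsBasic": "Your account details",
    "ReadBalances": "Your account balances",
    "ReadTransactionsDetail": "Your transactions (full detail)",
    "ReadBeneficiariesDetail": "Your payees",
}

# Assumed minimal permission set per example TPP service (data minimization baseline).
SERVICE_NEEDS = {
    "balance_check": {"ReadAccountsBasic", "ReadBalances"},
    "budgeting": {"ReadAccountsBasic", "ReadBalances", "ReadTransactionsDetail"},
}


def excess_permissions(service, requested):
    """Permissions requested beyond what the named service needs.

    A non-empty result flags a request that does not follow data minimization.
    """
    return sorted(set(requested) - SERVICE_NEEDS[service])


def playback(requested, tpp_name):
    """Build the authorization screen the ASPSP plays back to the PSU.

    The ASPSP only sees permission identifiers in the API message, so every
    line comes from the standardized cluster table, never from the TPP's wording.
    """
    unknown = [p for p in requested if p not in PERMISSION_CLUSTERS]
    if unknown:
        raise ValueError(f"unknown permissions in request: {unknown}")
    lines = [f"{tpp_name} is requesting access to:"]
    lines += [f"- {PERMISSION_CLUSTERS[p]}" for p in requested]
    return lines


def authorise(requested, decision):
    """All-or-nothing: the PSU accepts or rejects the whole request, never a subset."""
    if decision == "accept":
        return list(requested)
    if decision == "reject":
        return []
    raise ValueError("decision must be 'accept' or 'reject'")
```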