PSS - Add a X-PSU-Auth-Level header to POST /payments

swissfintechinnovations / ca-payment

Common APIs for AIS and PIS

https://www.common-api.ch

Apache License 2.0

0 stars 3 forks source link

PSS - Add a X-PSU-Auth-Level header to POST /payments #52

Open chatelao opened 1 year ago

chatelao commented 1 year ago

The SP (Bank) has no knowledge about the security level of the TPP-User
It would be helpful for fraud detection, to asses the End-2-End login risks.

SHOULD

It should be optionally possibly to transmit the quality of the PSU-Login
X-PSU-Auth-Level (Values: 1FA, 2FA) - More values may be discussed.

rudiriegel commented 11 months ago

In the bLink implementation each API is connected to a security level. PSS for example is security level high. And in each security level there are a minimum set of admission criteria to be fulfilled by the TPP in order to onboard to bLink. Those admission criteria can be found in the Annex 1 of the contract. On bLink, the SP (bank) can rely on the security level of the API. If you do so, all PSS calls should be treated in the same way in fraud detection. Please note: in PSS the user still has to login in the e-banking and release the payments submitted.

juergen-petry commented 11 months ago

Feedback on behalf of UBS: We have a neutral view: not against, nor in favor of it, but at this stage wouldn’t support this proposal because we’re unsure the potential added value would justify the effort. For us, pursuing this addition would require involving various UBS security and authentication stakeholders just to examine potential implications. It could be sensible if there’s a consensus on the need for it, which doesn’t seem to be the case.

svenbiellmann commented 9 months ago

Will be put on hold until the PIS issue is addressed.