PSS - Add a X-PSU-Auth-Level header to POST /payments

[chatelao]

IS

• The SP (Bank) has no knowledge about the security level of the TPP-User
• It would be helpful for fraud detection, to asses the End-2-End login risks.

SHOULD

• It should be optionally possibly to transmit the quality of the PSU-Login
• X-PSU-Auth-Level (Values: 1FA, 2FA) - More values may be discussed.

[rudiriegel]

In the bLink implementation each API is connected to a security level. PSS for example is security level high. And in each security level there are a minimum set of admission criteria to be fulfilled by the TPP in order to onboard to bLink. Those admission criteria can be found in the Annex 1 of the contract. On bLink, the SP (bank) can rely on the security level of the API. If you do so, all PSS calls should be treated in the same way in fraud detection. Please note: in PSS the user still has to login in the e-banking and release the payments submitted.

[juergen-petry]

Feedback on behalf of UBS: We have a neutral view: not against, nor in favor of it, but at this stage wouldn’t support this proposal because we’re unsure the potential added value would justify the effort.
For us, pursuing this addition would require involving various UBS security and authentication stakeholders just to examine potential implications. It could be sensible if there’s a consensus on the need for it, which doesn’t seem to be the case.

[svenbiellmann]

Will be put on hold until the PIS issue is addressed.