EBICS and mobile payments in France

In this instalment of the “EBICS – a European standard for mobile payments” series, we examine the situation in France.
A mobile solution allowing all users to sign for transactions remotely – in compliance with the EBICS TS protocol – would satisfy the requirements of the increasing number of “nomadic” signatories who are hoping that mobile banking with EBICS will soon finally become a reality.

This is on condition, however, that the solution is sufficiently flexible, meaning that it works on as wide a range of mobile phones and tablets as possible, regardless of their operating system (offering at least iOS, Android and Windows Mobile) and that it offers the same level of security as the EBICS TS signature software for PCs that is already used by thousands of signatories daily.

Mobile applications have certainly come of age courtesy of this or that software vendor, but they remain unsatisfactory and therefore little used, since they lack the necessary flexibility and ease of use. Let us remember that, in order to conform to the specifications described by the CFONB in the implementation guide, each signature requires a personal signature certificate on a physical carrier issued by a CA recognised by the bank. And that is the crux of the matter: although it is possible to connect a USB token to certain tablets, it is still impossible to do so with all mobile devices, regardless of the brand. Or, where it is possible, it involves large and varying costs for adaptors and connections, may or may not work well and, worst of all, forces users to turn their device into a labyrinthine system, which dissuades even those with the best will in the world from using it regularly.
Furthermore, it seems neither reasonable nor opportune to oblige signatories to obtain an additional smartphone or tablet whose token connection is sufficiently convenient to be used whenever necessary.

One solution would be to replace the physical carrier used to store the certificate with an ad hoc, one-off certificate. But, apart from the fact that this would require the indispensable agreement of the CFONB, it would be necessary to re-register the certificate with a CA for each use, which would negate the flexibility of the system and thus its appeal.

This leaves the problem of the absence of standardisation for the distributed signature process, such as that enjoyed by our neighbours across the Rhine in the form of the Distributed Electronic Signature (VEU). Although it is regrettable, the fact that EBICS DS has not yet been realised does not mean that we cannot offer a service with functionally equivalent coverage: one that allows travelling signatories to confirm orders before they are carried out. The colleges of signatories and the signature book are managed by an upstream platform used by the company or by trusted providers and operators. Once the necessary number of signatures has been reached, using only the EBICS signature formats (A005 or A006), the order and the retained signatures are forwarded to the server establishment via an EBICS file with a TS profile. It should be noted that this solution allows more comprehensive signature rights to be managed than those proposed by the EBICS standard (1+1 or 2), which potentially brings them closer to users’ requirements.
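The release decision such an upstream platform has to make can be sketched as follows. This is an added example, not code from the article or from any EBICS product: the signatory names, colleges, amount limits and rule structure are constructed assumptions, and cryptographic verification of each signature against its CA-issued certificate is assumed to happen elsewhere and is represented only by the `verified` flag.

```python
from collections import Counter
from dataclasses import dataclass

ALLOWED_VERSIONS = {"A005", "A006"}  # signature formats named in the article

@dataclass(frozen=True)
class Signature:
    signer: str     # signatory identifier (constructed)
    version: str    # EBICS signature version carried with the signature
    verified: bool  # assumption: certificate and signature checked elsewhere

@dataclass(frozen=True)
class Rule:
    max_amount: int  # rule applies to orders up to this amount, in cents
    required: dict   # college name -> minimum number of distinct signatories

# Constructed signature book (signatory -> college) and release rules.
BOOK = {"alice": "A", "bob": "A", "carol": "B"}
RULES = [Rule(1_000_000, {"A": 1, "B": 1}), Rule(10_000_000, {"A": 2})]

def retained_signatures(book, signatures):
    """Keep at most one verified A005/A006 signature per known signatory."""
    retained = {}
    for sig in signatures:
        if sig.signer not in book or sig.version not in ALLOWED_VERSIONS:
            continue  # unknown signatory or format the bank would not accept
        if not sig.verified:
            continue  # failed cryptographic verification
        retained.setdefault(sig.signer, sig)  # a repeated signature counts once
    return list(retained.values())

def ready_to_forward(book, rules, amount, signatures):
    """Return (decision, retained): forward only when one rule is fully met."""
    retained = retained_signatures(book, signatures)
    counts = Counter(book[s.signer] for s in retained)
    for rule in rules:
        if amount <= rule.max_amount and all(
            counts[college] >= n for college, n in rule.required.items()
        ):
            return True, retained
    return False, retained

if __name__ == "__main__":
    sigs = [Signature("alice", "A006", True), Signature("alice", "A006", True),
            Signature("carol", "A005", True)]
    print(ready_to_forward(BOOK, RULES, 500_000, sigs))
```

Counting distinct signatories rather than signatures is what stops one person from reaching the quorum by signing the same order twice.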

Marc Dutech

