Stet Psd2 Api - Version 1 - W3

Transcription

STET PSD2 API - VERSION 1.4
Hervé Robache – October 2018
STET – Internal use - Any use or copy without STET authorisation are prohibited

API Timeline
- 2016-09-06: STET WG Launch
- 2016-12-31: STET PSD2 API 1.0 (internal)
- 2017-01-18: ERPB WG Launch
- 2017-02-23: Final Draft RTS on SCA Release
- 2017-04-03: STET PSD2 API 1.1 (internal)
- 2017-07-13: STET PSD2 API 1.2 (public)
- 2018-01-13: PSD2 application
- 2018-01-29: API EG Launch
- 2018-03-13: Official RTS on SCA Release
- 2018-04-10: STET PSD2 API 1.3 (public)
- 2018-06-13: EBA opinion release
- 2018-06-18: ERPB WG Final report
- 2018-09-14: STET PSD2 API 1.4 (public)
- 2019-09-14: RTS on SCA application

Key Standards
THEME | STANDARD | COMMENTS
Access Network | Internet |
Transport Protocol | HTTP 1.1, TLS 1.2, MTLS | Provides data encryption during transportation. Provides cross-authentication of the actors. May be enforced by STS and/or TFS
Authorisation Protocol | OAUTH2 | Authorisation Code Grant (AISP PIISP). Client Credentials (PISP)
Applicative Protocol | REST | Richardson Maturity Model on level three
Data Format | JSON/UTF8 | Transposition of ISO20022 structures
Technical Documentation | SWAGGER 2.0 (AOS2) | AOS3 format also available

PSD2 Actors
[Diagram: Payment Service User, Payment Account Owner, Payment Requester, Third Party Provider, Account Information Services Provider, Payment Initiation Services Provider, Payment Instrument Issuer Service Provider, Account Servicing Payment Service Provider, Registration Authority; legend: API actor]

PSD2 Actors: The Payment Service User
The Payment Service User: A natural or legal person making use of a payment service in the capacity of payer, payee, or both.

PSD2 Actors: The PSD2 API actors
The Payment Service Provider:
- Credit Institutions
- Electronic Money Institutions
- Post Office Giro Institutions
- Payment Institutions
- ECB and National Central Banks
- Member States or Regional/Local Authorities

PSD2 Actors: Account Servicing Payment Service Providers
Payment Service Providers:
- Credit Institutions
- Post Office Giro Institutions
PSD2 API services providers

PSD2 Actors: Account Information Service Providers
Account Information Services Providers (AISP) allow the Payment Account Owner to get information about all of his/her payment accounts:
- through a single interface,
- whatever the bank holding those accounts.
PSD2 API services clients

PSD2 Actors: Payment Instrument Issuer Service Providers
Payment Instrument Issuer Service Providers (PIISP) check the coverage of a given payment amount by the available funds on a given PSU's account.
PSD2 API services clients

PSD2 Actors: Payment Initiation Service Providers
Payment Initiation Service Providers (PISP) request a Payment Request execution through a Credit Transfer (PISP role).
PSD2 API services clients

PSD2 Actors vs W3C Model
[Diagram: the PSD2 actors (Payment Service User, Payment Account Owner, Payment Requester, Third Party Provider, Account Information Services Provider, Payment Initiation Services Provider, Payment Instrument Issuer Service Provider, Account Servicing Payment Service Provider, Registration Authority) set against the W3C model roles: User, Browser, Merchant, Desktop/Mobile Payment Handlers, Payment Handler Providers, Banks]

AISP Use Cases
[Use-case diagram, actor AISP, with an Includes relation]
- Gets the PSU context
- Send PSU consent
- Gets trusted beneficiaries
- Gets account data
- Gets account balances
- Gets account transactions
- Gets account transaction history
- Gets account transaction forecast

PIISP Use Case
[Use-case diagram, actor PIISP]
- Checks funds coverage

PISP Purchase Use Cases
[Use-case diagram; actors: Merchant (Payment Requester), Ordering Party (Payment Account Owner), PISP, PSU's Bank (ASPSP); use cases linked by Extends relations]
- Asks for a transfer
- Sends a payment request
- Initiates the Credit Transfer
- Confirms the request
- Get the payment request status
- Forwards the payment request status
- Asks for PSU authentication
- Asks for a cancellation
- Sends a cancellation request
- Cancels a scheduled transfer

PISP Transfer Use Cases
[Use-case diagram; actors: Ordering Party (PSU), PISP, PSU's Bank (ASPSP); use cases linked by Extends relations]
- Asks for a transfer
- Sends a transfer request
- Get the transfer status
- Confirms the transfer request
- Initiates the Credit Transfer
- Asks for SCA

PISP Purchase Use Case

PISP Purchase Use Case in a W3C approach (initial setup)
[Sequence diagram; participants: Payee's Bank (ASPSP), Payee (Payment Requester), Payment Handler Provider (PISP or other actor), Payment Handler, User Agent, Consumer/Payer PSU, Payer's Bank (ASPSP)]
Steps, as listed on the slide:
1. Suggest Payment Handler Installation
2. Accept
3. Download Payment Handler
4. Initiate Payment Handler Installation
5. Payment Handler Installs
6. Suggest Payment Handler Setup

PSD2 decoupled from Payment Request API
[Sequence diagram; participants: Payee's Bank (ASPSP), Payee (Payment Requester), Payment Initiation Service Provider (PISP), Payment Handler, User Agent, Consumer/Payer PSU, Payer's Bank (ASPSP)]
Steps, as listed on the slide:
1. Provide Checkout Page
2. Click Buy Button
3. Call Payment Request API (List of acceptable payment handlers)
4. Compute the list of usable payment handlers
5. Ask for payment handler choice
6. Select payment handler
7. Call payment handler API
8. Present user experience
9. Choose payment method
10. Send payment data
11. Returns to the payment handler
12. Payment handler API returns
13. Payment Request API returns
14. Send the payment request to the Bank (PSD2 API)
15. Process initial checks
16. Ask for consumer authentication
17. Authenticate
18. Forward the payment report (PSD2 API)
19. Notify
20. Send the Credit Transfer
21. Notify the Credit

PSD2 During Payment Request API
[Sequence diagram; participants: Payee's Bank (ASPSP), Payee (Payment Requester), Payment Initiation Service Provider (PISP), Payment Handler, User Agent, Consumer/Payer PSU, Payer's Bank (ASPSP)]
Steps, as listed on the slide:
1. Provide Checkout Page
2. Click Buy Button
3. Call Payment Request API (List of acceptable payment handlers)
4. Compute the list of usable payment handlers
5. Ask for payment handler choice
6. Select payment handler
7. Call payment handler API
8. Present user experience
9. Choose payment method
10. Send payment data
11. Send the payment request to the Bank (PSD2 API)
12. Process initial checks
13. Ask for consumer authentication
14. Display authentication request to the User
15. Authenticate
16. Forward the payment report (PSD2 API)
17. Forward the Payment Report to the PISP
18. Notify
19. Returns to the payment handler
20. Payment handler API returns
21. Payment Request API returns
22. Send the Credit Transfer
23. Notify the Credit

PSD2 API and ISO20022
STET already had experience with ISO20022 through
- SEPA payments implementation (from 2008)
- Account Management messages (2009)
- SEPAmail messages (2011)
So using ISO20022 was a strategic choice. It was also a recommendation from the RTS on SCA.
- V1.0, V1.1 and V1.2 used
  - ISO20022 data structures for AIS and PIISP
  - a whole copy/paste of some messages for PIS
ISO20022 Modelling of STET API work started in Fall 2017
- Reflections about API resources and automatic documentation
- V1.3 and V1.4 provide a smarter use of ISO20022 building blocks
- Berlin Group joined in June 2018
ISO TC68/SC9/WG2 started to work on general usage of ISO20022 in Spring 2018

Identification and Authentication (1/4)

Identification and Authentication (2/4)

Identification and Authentication (3/4)

Identification and Authentication (4/4)

THANK YOU!
