Glossary
ZPUPS
Law on payment services and payment systems, which complies with PSD2. This law entered into force on 20 April 2022 and has applied since 1 January 2023.
Decision on strong customer authentication
This Decision establishes the requirements for strong customer authentication and for common, secure, and open standards of communication under the Law on payment services and payment systems. It was adopted by the National Bank Council in December 2022.
PSU
Payment Service User - The user providing consent to a TPP (Third Party Payment Service Provider) to access its accounts. The PSU can be a private or legal person.
TPP
Third Party Payment Service Provider - Executes defined services on behalf of a customer (PSU). A TPP may access account(s) of the PSU managed by banks (ASPSPs) via the API interface.
PISP
Payment Initiation Service Provider - A service provider authorized to initiate a payment on behalf of the customer (PSU) if the customer has given such consent. PISPs are responsible for the transaction flow from the moment a customer inputs any payment instrument details to the moment the funds appear in the merchant's bank account.
AISP
Account Information Service Provider - A service provider authorized to view the customer's payment account information, if such consent is given by the customer (PSU). AISPs mostly provide an aggregated view of the accounts a customer maintains with numerous banks, along with their transaction details. AISPs can also provide the facility to analyze the PSU's spending patterns, expenses, and financial needs.
ASPSP
An ASPSP (Account Servicing Payment Service Provider) is any financial institution that offers a payment account with online access. These are mostly banks and other financial institutions. ASPSPs are obligated by PSD2 to grant TPPs access, through APIs, to the account and transaction data on their customers' payment accounts.
PIISP
Payment Instrument Issuing Service Provider - A TPP accessing the API interface of a bank (ASPSP) while executing a fund confirmation service.
RTS
Regulatory Technical Standards, adopted by the European Commission in November 2017, outline the specific requirements to ensure strong customer authentication and other security measures which need to be in place for such transactions. The document outlines protocols that must be implemented to protect the security and confidentiality of customer information and to ensure secure and open communication throughout the payment process. The Decision on SCA contains the same requirements as the RTS.
SCA
Strong Customer Authentication, as defined by the EBA Regulatory Technical Standards, is an authentication based on the use of two or more elements categorized as knowledge (something only the user knows [for example, a password]), possession (something only the user possesses [for example, a particular cell phone and number]) and inherence (something the user is [or has, for example, a fingerprint or iris pattern]) that are independent, [so] the breach of one does not compromise the others, and is designed in such a way as to protect the confidentiality of the authentication data.
Consent
Consent is a central part of the PSD2 regulation and of working with third-party providers. The only way TPPs can act on behalf of the PSU is if the customer has given explicit consent to have such permissions. In other words, no consent means no authorization.
OAuth 2.0
OAuth 2.0 is the industry-standard protocol for authorization. OAuth 2.0 supersedes the work done on the original OAuth protocol created in 2006. OAuth 2.0 focuses on client developer simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and IoT devices. It enables third-party applications to obtain limited access to a web service.