Paying with EU Digital Identity Wallet could look like this. Our new technical discussion paper with lots of facts is linked in the comments (+ many more sequence diagrams as a Christmas present for my law peers). If you are wondering why we worry about this, check Recitals 28, 31 eIDAS2, 111 PSR, Explanatory memorandum page 5 of digital euro proposal. Happy to discuss! #eidas2 #digitaleuro #digitalidentity #IDWallet #EUDIW Oliver Lauer Nina Groß Florian Andreae Ronny Khan Frank Weigand Tim Kremer Mirka Lehrer
Also check out the discussion on the paper here: https://www.linkedin.com/feed/update/urn:li:activity:7142395829683699713/
Please help me... what do I miss? Recital 31 states nothing else than "Secure electronic identification and the provision of attestation of attributes should offer additional flexibility and solutions ... to support the fulfilment of strong customer authentication requirements for account login and initiation of transactions in the field of payment services." To me this would only mean that the "ID" wallet, as a generic tool, adds value to a specific process that is payment authorisation. And I'm sure it will offer tremendous value, just as it will to other processes. But it doesn't mean that every "ID" wallet should be offering payment screens. Just as they won't be obliged to offer any other specific authorisation flow for energy, health or any of the other mandatory sectors.
surely a much better idea is... Present ID to merchant. Merchant sends request-to-pay (including the invoice) to the ID. Customer sees request-to-pay and authorises it. Errrr... that's it. That way the merchant doesn't have to handle the customer's chosen payment instrument at all, they just get a confirmation from their bank that the money has been paid, there's no need for them to know how it was paid.
Christian Lange-Hausstein Apple Pay does not use this flow and I don't think EPI will either.
Christian Lange-Hausstein in the New Year I'd love to show you our work on payments for verifying Credential Status. It could layer in here very nicely!
Thanks for sharing! I wonder if the ASPSP is able to match the PID with the customer data the ASPSP is holding. And is it proportional to share the whole set of PID?
If this is the setup, can you please elaborate a bit on the liability the issuer of the wallet will assume towards the ASPSP for mistakes in displaying payment details and dynamic linking and/or Payee fraud? I see this as the hurdle that cannot be overcome.
I'm not trying to be pedantic, but where is "Identity" in this flow? In other words, where does proof of identity actually occur? Or is the assumption that the devices, on which the wallet presides, provide that service?
Payment should always be cash payment - not assuming a cheque (signed transfer request). Banks and governments have no business knowing what citizens do with whom. Adding contextual security such as age credentials, AML or contractual accountability are secondary issues. If the citizen do not have cash, she can get the money in-process with data minimized means. One or more of the later steps may require identity and credential verification according to the assurance level required.
Syndikus für Digitalisierung
1yPaper: https://www.digitallabor.berlin/draft-SCA4EUDIW.html