On 11/30/2014 11:12 AM, Federico Leva (Nemo) wrote:
> Anyway, please inform the European Central Bank of your findings, I'm sure they'll be interested in hearing them. Currently their website seems unaware of such fraud possibilities and contains statements such as «Sensitive data payment: Data which could be used to carry out fraud, excluding the name of the account owner and the account number». https://www.ecb.europa.eu/pub/pdf/other/pubconsultationoutcome201405securitypaymentaccountaccessservicesen.pdf
I'm not sure why you would conclude they are unaware of a possible form for fraud just because they don't specifically identify it on their website. At any rate, I suspect you may be misunderstanding the definition of "sensitive payment data" (the actual term from the linked document, which was somehow transposed above).
To my reading, that looks like an attempt to create a precise technical definition for the purposes of the report, so that whenever the term was used it would always mean the same thing. I don't think it's claiming that the name of the account owner and the account number are not in the larger class of "data which could be used to carry out fraud". Rather, because these are nearly essential to transactions being possible at all, I believe the language is attempting to exclude them from the restrictions that the report recommends for all other data which meets the definition of "sensitive payment data".
--Michael Snow