fintech

Stay up-to-date with our legal insights

The key things to know about the elements of strong customer authentication under PSD2 (EBA opinion)

The revised Payment Services Directive (PSD2) was published in November 2015, entered into force on 13 January 2016 and applies since 13 January 2018. The Directive brings fundamental changes to the payments market in the EU, in particular by requiring SCA to be applied by payment services providers (PSPs) when carrying out remote electronic transactions.

The European Banking Authority (EBA) had been mandated to support the Directive by developing regulatory technical standards (RTS) setting out the details on strong customer authentication and common and secure communication (RTS on SCA and CSC), including its exemptions, and to regulate the access to customer payment account data held in account servicing payment service providers.

Opinion

On Friday 21 June 2019 EBA published an Opinion on Strong Customer Authentication (SCA) under the Directive. The Opinion is the EBA’s response to key industry questions about which authentication factors comply with the requirements for SCA.

The Opinion provides a non-exhaustive list of the authentication approaches currently observed in the market and states whether or not they are considered to be SCA compliant. The Opinion does so separately for each of the three SCA elements of knowledge, possession and inherence, and also provides clarifications regarding combinations of these elements.

SCA is defined in the Directive as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.” The Directive also provides that SCA is to be applied to all electronic payments unless one of the exemptions applies.

A non-exhaustive list of possible elements

1. Inherence

Element Compliant with SCA?*
Fingerprint scanning Yes
Voice recognition Yes
Vein recognition Yes
Hand and face geometry Yes
Retina and iris scanning Yes
Keystroke dynamics Yes
Heart rate or other body movement pattern identifying that the PSU is the PSU (e.g. for wearable devices) Yes
The angle at which the device is held Yes
Information transmitted using a communication protocol, such as EMV® 3-D Secure No (for approaches currently observed in the market)
Memorisedswiping path No

*Compliance with SCA requirements is dependent on the specific approach used in the implementation of the elements.

2. Possession

Element Compliant with SCA?*
Possession of a device evidenced by an OTP generated by, or received on, a device (hardware or software token generator, SMS OTP) Yes
Possession of a device evidenced by a signature generated by a device (hardware or software token) Yes
Card or device evidenced through a QR code (or photo TAN) scanned from an external device Yes
App or browser with possession evidenced by device binding — such as through a security chip embedded into a device or private key linking an app to a device, or the registration of the web browser linking a browser to a device Yes
Card evidenced by a card reader Yes
Card with possession evidenced by a dynamic card security code Yes
App installed on the device No
Card with possession evidenced by card details (printed on the card) No (for approaches currently observed in the market)
Card with possession evidenced by a printed element (such as an OTP list) No (for approaches currently observed in the market)

*Compliance with SCA requirements is dependent on the specific approaches used in the implementation of the elements.

3. Knowledge

Element Compliant with SCA?*
Password Yes
PIN Yes
Knowledge-based challenge questions Yes
Passphrase Yes
Memorized swiping path Yes
Email address or user name No
Card details (printed on the card) No
OTP generated by or received on, a device (hardware or software token generator, SMS OTP) No (for approaches currently observed in the market)
Printed matrix card or OTP list No

*Compliance with SCA requirements is dependent on the specific approach used in the implementation of the elements.

Other requirements

In addition to having (at least) two elements, each from a different category, the RTS include further requirements for PSPs in the context of SCA. This includes the requirement for any electronic transaction made remotely (e.g. in the context of e-commerce) to include dynamic linking as defined under Article 5 of the RTS and required under Article 97(2) of PSD2.

Another requirement under the RTS, in line with PSD2, is that the two elements used for SCA be independent. Independence under Article 9 of the RTS requires that the use of the elements “is subject to measures which ensure that, in terms of technology, algorithms and parameters, the breach of one of the elements does not compromise the reliability of the other elements”.

Further requirements include, for instance, requirements regarding the authentication code, requirements regarding the confidentiality and integrity of the personalized security credentials of the PSU during all phases of authentication and requirements for personalized security credentials to be masked and not readable in their full extent when input by the PSU.

Lithuania in this context

Article 58 of the Law of the Republic of Lithuania on Payments regulate obligation to apply strong customer authentication from 14 September 2019 but it is important to note that obligation to apply similar requirements is already being regulated in Resolution Nr. 03-172 of the Board of the Bank of Lithuania of 30 September 2014 on minimum security requirements relating to internet payments which is already applied.

Stay up-to-date with our legal insights

Other Insights