The revised Payment Services Directive (PSD2) was published in November 2015, entered into force on 13 January 2016 and has applied since 13 January 2018. The Directive brings fundamental changes to the payments market in the EU, in particular by requiring strong customer authentication (SCA) to be applied by payment service providers (PSPs) when carrying out remote electronic transactions.
The European Banking Authority (EBA) had been mandated to support the Directive by developing regulatory technical standards (RTS) setting out the details on strong customer authentication and common and secure communication (RTS on SCA and CSC), including its exemptions, and to regulate the access to customer payment account data held in account servicing payment service providers.
Opinion
On Friday 21 June 2019 the EBA published an Opinion on Strong Customer Authentication (SCA) under the Directive. The Opinion is the EBA's response to key industry questions about which authentication factors comply with the requirements for SCA.
The Opinion provides a non-exhaustive list of the authentication approaches currently observed in the market and states whether or not they are considered to be SCA compliant. The Opinion does so separately for each of the three SCA elements of knowledge, possession and inherence, and also provides clarifications regarding combinations of these elements.
SCA is defined in the Directive as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.” The Directive also provides that SCA is to be applied to all electronic payments unless one of the exemptions applies.
A non-exhaustive list of possible elements
1. Inherence
Element | Compliant with SCA?*
--- | ---
Fingerprint scanning | Yes
Voice recognition | Yes
Vein recognition | Yes
Hand and face geometry | Yes
Retina and iris scanning | Yes
Keystroke dynamics | Yes
Heart rate or other body movement pattern identifying that the PSU (payment service user) is the PSU (e.g. for wearable devices) | Yes
The angle at which the device is held | Yes
Information transmitted using a communication protocol, such as EMV® 3-D Secure | No (for approaches currently observed in the market)
Memorised swiping path | No
*Compliance with SCA requirements is dependent on the specific approach used in the implementation of the elements.
2. Possession
Element | Compliant with SCA?*
--- | ---
Possession of a device evidenced by an OTP generated by, or received on, a device (hardware or software token generator, SMS OTP) | Yes
Possession of a device evidenced by a signature generated by a device (hardware or software token) | Yes
Card or device evidenced through a QR code (or photo TAN) scanned from an external device | Yes
App or browser with possession evidenced by device binding, such as through a security chip embedded into a device or a private key linking an app to a device, or the registration of the web browser linking a browser to a device | Yes
Card evidenced by a card reader | Yes
Card with possession evidenced by a dynamic card security code | Yes
App installed on the device | No
Card with possession evidenced by card details (printed on the card) | No (for approaches currently observed in the market)
Card with possession evidenced by a printed element (such as an OTP list) | No (for approaches currently observed in the market)
*Compliance with SCA requirements is dependent on the specific approaches used in the implementation of the elements.
3. Knowledge
Element | Compliant with SCA?*
--- | ---
Password | Yes
PIN | Yes
Knowledge-based challenge questions | Yes
Passphrase | Yes
Memorised swiping path | Yes
Email address or user name | No
Card details (printed on the card) | No
OTP generated by, or received on, a device (hardware or software token generator, SMS OTP) | No (for approaches currently observed in the market)
Printed matrix card or OTP list | No
*Compliance with SCA requirements is dependent on the specific approach used in the implementation of the elements.
Other requirements
In addition to having (at least) two elements, each from a different category, the RTS include further requirements for PSPs in the context of SCA. This includes the requirement for any electronic transaction made remotely (e.g. in the context of e-commerce) to include dynamic linking as defined under Article 5 of the RTS and required under Article 97(2) of PSD2: the authentication code must be specific to the amount and payee agreed by the payer at initiation, so that any change to either invalidates the code.
Another requirement under the RTS, in line with PSD2, is that the two elements used for SCA be independent. Independence under Article 9 of the RTS requires that the use of the elements “is subject to measures which ensure that, in terms of technology, algorithms and parameters, the breach of one of the elements does not compromise the reliability of the other elements”.
Further requirements include, for instance, requirements regarding the authentication code, requirements regarding the confidentiality and integrity of the personalised security credentials of the PSU during all phases of authentication, and requirements for personalised security credentials to be masked and not readable in their full extent when input by the PSU.
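The following is an added worked example, not code from the EBA Opinion or from any PSP, of how a possession element can produce an authentication code that satisfies the dynamic linking requirement above: the code is an HMAC computed over the exact amount and payee (plus a PSP-issued per-transaction challenge), so a code generated for one transaction is rejected if the amount or payee is changed afterwards or if the code is replayed against a later transaction. All names (Transaction, generate_code, verify_code, dynamic_linking_demo), the device secret and the sample IBANs are hypothetical and constructed for illustration.

```python
# Added example (not from the EBA Opinion or any PSP's implementation): one way to
# build an authentication code that satisfies dynamic linking, i.e. the code is
# specific to the amount and payee agreed at initiation and any change to either
# invalidates it. Hypothetical names throughout; the sample transaction and
# device secret are constructed for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Transaction:
    """The amount and payee the payer is shown and agrees to."""
    amount_minor: int   # amount in minor units (cents) to avoid decimal formatting ambiguity
    currency: str
    payee_iban: str


def canonical(tx: Transaction, challenge: bytes) -> bytes:
    """Unambiguous byte encoding of the transaction plus the PSP's per-transaction challenge.

    Each field is length-prefixed, so two different transactions can never serialise
    to the same bytes (e.g. amount "1" + IBAN "2X" vs amount "12" + IBAN "X").
    """
    fields = [
        str(tx.amount_minor).encode(),
        tx.currency.encode(),
        tx.payee_iban.encode(),
        challenge,
    ]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)


def generate_code(device_secret: bytes, tx: Transaction, challenge: bytes, digits: int = 8) -> str:
    """Possession-element side: the token computes an HMAC over the exact transaction.

    The MAC is truncated to a short numeric code in the manner of RFC 4226 so that a
    payer can type it; unlike a plain time- or counter-based OTP, the MAC input carries
    the amount and payee, which is what makes the code dynamically linked.
    """
    mac = hmac.new(device_secret, canonical(tx, challenge), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_code(device_secret: bytes, tx: Transaction, challenge: bytes, code: str) -> bool:
    """PSP side: recompute the code over the transaction actually about to be executed."""
    expected = generate_code(device_secret, tx, challenge, digits=len(code))
    return hmac.compare_digest(expected, code)


def dynamic_linking_demo() -> dict:
    """Run the flow once and report which manipulations the verifier rejects."""
    # Constructed values: a fixed token secret and sample (non-real) payee IBANs.
    device_secret = bytes.fromhex(
        "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
    )
    challenge = secrets.token_bytes(16)   # PSP issues a fresh challenge per transaction
    agreed = Transaction(amount_minor=12500, currency="EUR", payee_iban="LT121000011101001000")

    # The payer sees amount and payee on the token, then the token produces the code.
    code = generate_code(device_secret, agreed, challenge)

    return {
        "original": verify_code(device_secret, agreed, challenge, code),
        # Man-in-the-browser changes the amount after the code was generated ...
        "amount_changed": verify_code(
            device_secret, replace(agreed, amount_minor=125000), challenge, code
        ),
        # ... or redirects the payment to a different payee ...
        "payee_changed": verify_code(
            device_secret, replace(agreed, payee_iban="LT601010012345678901"), challenge, code
        ),
        # ... or replays the captured code against a later transaction.
        "code_replayed": verify_code(device_secret, agreed, secrets.token_bytes(16), code),
    }


if __name__ == "__main__":
    for case, accepted in dynamic_linking_demo().items():
        print(f"{case:15s} -> {'accepted' if accepted else 'rejected'}")
```

The point of the example is the MAC input: a conventional OTP proves possession of the device but says nothing about what the payer agreed to, which is why the Opinion lists OTPs as possession elements while Article 5 separately requires the code to be tied to amount and payee. Binding the code to the displayed transaction means the verifier rejects it if a man-in-the-browser alters the amount or payee between display and execution.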
Lithuania in this context
Article 58 of the Law of the Republic of Lithuania on Payments regulates the obligation to apply strong customer authentication from 14 September 2019, but it is important to note that an obligation to apply similar requirements is already laid down in Resolution No. 03-172 of the Board of the Bank of Lithuania of 30 September 2014 on minimum security requirements relating to internet payments, which already applies.