On 21 June 2019, the European Banking Authority (EBA) published an opinion on the elements of strong customer authentication (SCA) under the second Payment Services Directive 2015/2366 (PSD2). The opinion addressed some concerns about the ability of certain actors in the payments chain to ensure compliance with SCA rules in time for the 14 September 2019 start date. The EBA also took the opportunity to provide a non-exhaustive list of the authentication approaches currently being observed in the market and whether these would be considered SCA compliant.
SCA is defined under PSD2 as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and are designed in such a way as to protect the confidentiality of the authentication data.”
While the EBA reiterated its opinion that sufficient time has been available to the industry to facilitate compliance with SCA requirements from 14 September 2019, it acknowledged the complexity and logistical challenges inherent in the implementation of those requirements, particularly for non-payment service provider entities involved in the payments chain like e-merchants.
The EBA has therefore accepted that, “on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019”, national competent authorities may decide to work with payment service providers and relevant stakeholders (including consumers and merchants) to “provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA”. The EBA stressed that such delays will only be available where payment service providers have agreed a migration plan with the competent authority. It is hoped that this additional supervisory flexibility will help merchants handle the transition.
The EBA’s Opinion also provided some commentary on the SCA measures which payment service providers are currently implementing and whether these would be compliant with the inherence, possession, and knowledge definitions under PSD2.
For inherence (defined as something the user is), the EBA stressed that this may include behavioural biometrics identifying the specific authorised user (such as retina and iris scanning, fingerprints and voice recognition). According to the EBA, it would not include information transmitted using a communication protocol like the EMV 3-D Secure version 2.0 or a memorised swiping path.
With regard to possession (defined as something only the user possesses), the EBA stated that possession of a device generating a one-time password or software token, a card evidenced by a card reader, or a card with possession evidenced by a dynamic security code would all suffice as valid evidence of possession. However, the EBA is currently of the view that applications installed on a device, or cards with possession evidenced only by knowledge of card details, would not meet the requirements.
In relation to knowledge (defined as something only the user knows), the EBA noted that a password, PIN, passphrase, memorised swiping path and knowledge-based responses to challenges or questions would all constitute a valid knowledge element. In contrast, card details, email addresses, user names or one-time passwords would not provide sufficient evidence of knowledge for the purposes of SCA.
The EBA hopes that the additional guidance in its opinion will provide sufficient clarity to payment service providers as the 14 September 2019 SCA implementation date moves ever closer.