The European Banking Authority (EBA) Opinion on the elements of strong customer authentication (SCA) under PSD2, published on 21 June 2019, acknowledges the complexity of the payments market across the EU. Because of this, issuers, acquirers, PSPs and other stakeholders may be given additional time to comply with the SCA requirements of PSD2, on an exceptional basis determined by each National Competent Authority (NCA).
The Opinion provides specific comments and clarification on the elements used for the SCA requirements, including dynamic linking and independence.
This article will cover the clarification brought by the EBA and possible impacts.
Different levels of readiness
European countries are at different stages of readiness, with numerous issuers recognizing that they will not be ready to apply the full range of SCA methods and exemptions on time. Moreover, many merchants do not fully understand the PSD2 requirements, with the result that consumers, as cardholders, are not enrolled in the compliant authentication solutions they will need.
Because of this, in France the Banque de France has set forth a migration plan that extends the deadline by an additional 15 months for the vast majority of players (to 14 December 2020), and even to June 2022 on an exceptional basis.
In the UK, UK Finance and the FCA are working on an 18-month roadmap (to 14 March 2021). Many other countries are also in favor of an extended transition period of 6 to 18 months.
Specific comments on authentication elements compliance
The Opinion clarifies which authentication elements qualify and into which of the three categories they fall (inherence, possession, knowledge). Keep in mind that SCA requires at least two elements drawn from two different categories, and that the elements must be independent of each other, so that the compromise of one does not compromise the other.
Inherence elements (Something the user is).
SCA-compliant behavioral and biological inherence elements may include:
- Fingerprint scanning
- Voice and vein recognition
- Hand and face geometry
- Retina and iris scanning
- Keystroke dynamics
- Heart rate or other body movement patterns
- Angle at which the device is held by the payment service user (PSU)
Note that a swiping path constitutes a knowledge element, not an inherence element.
Communication protocols such as EMV 3-D Secure 2.0 and later are not in themselves inherence elements. They only count as such if they carry information relating to biological or behavioral biometrics that enables the PSP to identify something the PSU is.
Possession elements (Something the user has).
Possession may refer not only to a physical device, but also to something that is not physical, such as an app, a web browser or a public/private key pair, provided it is protected by device binding. SCA-compliant possession elements may include:
- Device evidenced by OTP generated by or received on device (HW or SW token generator, SMS OTP)
- Device evidenced by a signature generated by a device (HW or SW token)
- Card or device evidenced through a QR code (or photo TAN) scanned from an external device
- App or browser evidenced by a device binding (e.g. through security chip embedded into a device, private key linking an app to a device, or registration of web browser linking a browser to a device)
- Card evidenced by a card reader
- Card evidenced by a dynamic security code
Note that in the case of SMS, the possession element is not the SMS itself, but typically the SIM card associated with the respective mobile number. The following are not considered SCA-compliant possession elements:
- Card evidenced by details printed on the card
- Card evidenced by a printed element (such as OTP list or grid card)
- Mobile app installed on a device that is not protected with a device binding process
Knowledge elements (Something the user knows).
SCA-compliant knowledge elements may include:
- Password and PIN
- Knowledge-based response to challenges or questions
- Memorized swiping path
Note that details printed on the card, an email address or a username are not knowledge elements. Neither is an OTP generated by or received on a device, since that is a possession element. A standard card-based e-commerce payment is therefore not SCA compliant: card details used in combination with EMV 3-D Secure and an SMS OTP provide only one SCA-compliant element (the SMS OTP), because the printed card details are neither knowledge nor possession and 3-D Secure is only the communication protocol.
Likewise, approaches combining a dynamic card security code with an SMS OTP are not SCA compliant, since both of these elements belong to the possession category.
After 14 September 2019, there will likely be an increase of declined transactions or abandonments, and EBA strongly encourages NCAs to communicate with issuers and acquirers to identify SCA approaches, migration and user communication plans.
Article 5 of the RTS requires dynamic linking for remote electronic payment transactions: the payer is made aware of the amount and the payee, the authentication code generated is specific to that amount and payee, and any change to either invalidates the code. PSPs must also adopt security measures that ensure the confidentiality, authenticity and integrity of the amount and payee throughout the authentication. The EBA notes that today the dynamic linking is typically produced from the possession element (e.g. an SMS OTP) and encourages NCAs to steer the market towards new approaches, making sure that these still provide dynamic linking.
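The following is an added example, written for this article and not taken from the EBA Opinion or the RTS. It models two points above: the two-category rule (the 3-D Secure + SMS OTP and dynamic CVV + SMS OTP combinations that the Opinion rules out) and Article 5 dynamic linking, where the authentication code is bound to amount and payee so that tampering with either invalidates it. It assumes a hypothetical app holding a device-bound key (a possession element) with a copy registered at the issuer; the key, the element names and the sample transaction are constructed for illustration.

```python
"""Added example: SCA element categories and RTS Article 5 dynamic linking.

Assumptions (hypothetical): a device-bound app key shared with the issuer at
enrolment; element names and the sample transaction are constructed here.
"""
import hashlib
import hmac
import struct

# Category of each element as classified in the EBA Opinion. None marks
# things the Opinion says are not authentication elements on their own.
CATEGORY = {
    "password": "knowledge",
    "memorized_swiping_path": "knowledge",
    "sms_otp": "possession",
    "dynamic_cvv": "possession",
    "device_bound_app": "possession",
    "fingerprint": "inherence",
    "emv_3ds": None,               # a communication protocol, not an element
    "printed_card_details": None,  # neither knowledge nor possession
}


def categories_satisfy_sca(elements):
    """True if the elements cover at least two distinct SCA categories
    (which also guarantees at least two qualifying elements)."""
    categories = {CATEGORY.get(e) for e in elements} - {None}
    return len(categories) >= 2


def transaction_message(amount_cents, currency, payee, tx_counter):
    """Canonical, length-prefixed encoding of the data the code is bound to.
    The per-transaction counter stops two identical amount/payee pairs from
    producing the same code."""
    payee_bytes = payee.encode("utf-8")
    header = struct.pack(">Q3sQH", amount_cents, currency.encode("ascii"),
                         tx_counter, len(payee_bytes))
    return header + payee_bytes


def dynamic_link_code(device_key, amount_cents, currency, payee, tx_counter,
                      digits=8):
    """Authentication code specific to amount and payee (RTS Art. 5):
    HMAC-SHA256 over the transaction message, truncated HOTP-style
    (RFC 4226 section 5.3) to a numeric code the user can type in."""
    msg = transaction_message(amount_cents, currency, payee, tx_counter)
    mac = hmac.new(device_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def issuer_verify(device_key, presented_code, amount_cents, currency, payee,
                  tx_counter):
    """Issuer side: recompute the code for the amount/payee it is about to
    execute. A code produced for different details never verifies."""
    expected = dynamic_link_code(device_key, amount_cents, currency, payee,
                                 tx_counter)
    return hmac.compare_digest(expected, presented_code)


# Constructed 32-byte key standing in for the key bound to the device.
DEVICE_KEY = bytes.fromhex(
    "3d7e1b4c9a6f2e8d0b5a7c1e3f9d2b4a6c8e0f1d3b5a7c9e2f4d6b8a0c1e3f5d")


if __name__ == "__main__":
    # Combinations discussed in the article.
    print(categories_satisfy_sca(["printed_card_details", "emv_3ds", "sms_otp"]))
    print(categories_satisfy_sca(["dynamic_cvv", "sms_otp"]))
    print(categories_satisfy_sca(["device_bound_app", "password"]))

    # The app shows "EUR 49.99 to ACME GmbH" to the user, then signs exactly that.
    code = dynamic_link_code(DEVICE_KEY, 4999, "EUR", "ACME GmbH", 17)
    print("code:", code)
    print("same amount/payee:", issuer_verify(DEVICE_KEY, code, 4999, "EUR", "ACME GmbH", 17))
    print("amount changed:   ", issuer_verify(DEVICE_KEY, code, 49999, "EUR", "ACME GmbH", 17))
    print("payee changed:    ", issuer_verify(DEVICE_KEY, code, 4999, "EUR", "Mallory Ltd", 17))
```

The binding to amount and payee is what distinguishes a dynamically linked code from a plain OTP: an OTP that is merely time-based would verify for any transaction the attacker substitutes while it is valid. With SMS OTP the same construction runs entirely on the issuer side, using an issuer secret rather than a device key, and the SMS must then carry the amount and payee so the user can check them before typing the code back; the possession element in that case is the SIM, as the Opinion notes.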
While the EBA Opinion paper clarifies some questions the industry may have, it covers only SCA requirements. The key takeaways of the Opinion are:
- NCAs may agree extended migration plans with market players beyond 14 September 2019.
- EMV 3DS 2.0 and later is a communication protocol, not an authentication element in itself; issuers relying on it alone need to add compliant elements from two categories.
- SMS OTP can be considered a possession element. However several NCAs have already announced they are moving away from SMS OTP.