The European Banking Authority (EBA) Opinion on the Elements of SCA under PSD2, published on 21 June 2019, acknowledges the complexity of the payments market across the EU. Because of this, issuers, acquirers, PSPs and other stakeholders will have additional time to comply with PSD2 requirements, granted on an exceptional basis as determined by the National Competent Authorities (NCAs).
The Opinion provides specific comments and clarification on the elements used for the SCA requirements, including dynamic linking and independence.
This article will cover the clarification brought by the EBA and possible impacts.
Different levels of readiness
European countries are at different stages of readiness, with numerous issuers recognizing they won't be ready to apply the full range of SCA and exemptions on time. Moreover, many merchants do not fully understand the PSD2 requirements, with the result that consumers, as cardholders, are not enrolled in the compliant authentication solutions they need.
Because of this, in France, the Banque de France has set forth a migration plan that extends the deadline by an additional 15 months (to 14 Dec 2020) for the vast majority of players to become compliant, and even until June 2022 on an exceptional basis.
In the UK, UK Finance and the FCA are working on an additional 18-month roadmap (to 14 March 2021). Many other countries are also in favor of an extended transition period of 6 to 18 months.
Specific comments on authentication elements compliance
The Opinion clarifies the use of authentication elements and which of the three categories they fall into (Inherence, Possession, Knowledge), keeping in mind that SCA is based on the use of at least two elements, each belonging to a different one of the three categories.
Inherence elements (Something the user is).
SCA-compliant behavioral and biological inherence elements may include:
Note that swiping path constitutes a knowledge element, not an inherence element.
Communication protocols such as EMV 3-D Secure 2.0 and newer versions are not yet considered inherence as long as they do not include information relating to biological or behavioral biometrics (which would enable the PSP to identify something the PSU is).
Possession elements (Something the user has).
Possession may refer not only to possession of a physical device, but also to something that is not physical, such as an app, a web browser, or an exchange of public and private keys, provided they include device-binding protection. SCA-compliant possession elements may include:
Note that in the case of an SMS OTP, the possession element would not be the SMS itself, but typically the SIM card associated with the respective mobile number. Also considered non-SCA-compliant are:
Knowledge elements (Something the user knows).
SCA-compliant knowledge elements may include:
Note that details printed on the card, an email address or a username would not be a knowledge element. Neither would an OTP generated by or received on a device, as that is a possession element. A standard card-based e-commerce payment would also not be SCA compliant, as card details used in combination with EMV 3-D Secure and an SMS OTP provide only one SCA-compliant element.
In addition, approaches combining a dynamic card security code with an SMS OTP will also not be SCA-compliant, as both of these elements belong to the possession category.
After 14 September 2019, there will likely be an increase in declined transactions or abandonments, and the EBA strongly encourages NCAs to communicate with issuers and acquirers to identify SCA approaches, migration plans and user communication plans.
According to Article 5 of the RTS, any remote e-commerce transaction needs to include a dynamic linking element: the authentication code must be specific to the amount and the payee, and must change if either changes. PSPs shall adopt security measures to ensure the confidentiality, authenticity and integrity of the payment information. The EBA notes that today the dynamic-linking code is typically derived from the possession element (e.g. an SMS OTP) and encourages NCAs to move towards new approaches, making sure that these can still support dynamic linking.
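The two rules discussed above (two elements from different categories, and a dynamic-linking code bound to amount and payee) are easy to get wrong in practice, so here they are written out as a small checker. This is an added example, not the EBA's or any PSP's code; the element identifiers, the category table and the HMAC-based linking scheme are assumptions made for illustration, and the sample inputs are constructed.

```python
# Added example (not the EBA's or any PSP's code): a minimal check of the two
# SCA rules discussed on this page. The element names, the category table and
# the key-derivation scheme below are assumptions made for illustration.
import hashlib
import hmac
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "something the user knows"
    POSSESSION = "something the user has"
    INHERENCE = "something the user is"


# Classification following the Opinion's comments above; entries mapped to
# None are items the Opinion says are NOT SCA elements on their own.
# The identifiers are constructed for this example.
ELEMENT_CATEGORY = {
    "pin": Category.KNOWLEDGE,
    "password": Category.KNOWLEDGE,
    "memorised_swipe_path": Category.KNOWLEDGE,   # swipe path is knowledge, not inherence
    "fingerprint": Category.INHERENCE,
    "face_scan": Category.INHERENCE,
    "sim_sms_otp": Category.POSSESSION,           # the SIM card, not the SMS itself
    "device_generated_otp": Category.POSSESSION,
    "dynamic_card_security_code": Category.POSSESSION,
    "device_bound_app": Category.POSSESSION,
    "printed_card_details": None,                 # PAN, expiry, printed CVV
    "email_address": None,
    "username": None,
    "emv_3ds_protocol_data": None,                # EMV 3DS 2.x without biometric data
}


def sca_categories(elements):
    """Return the distinct SCA categories the given elements cover.

    Raises ValueError for an element missing from the table, so an
    unclassified factor is never silently counted as compliant.
    """
    categories = set()
    for element in elements:
        if element not in ELEMENT_CATEGORY:
            raise ValueError(f"unclassified authentication element: {element}")
        category = ELEMENT_CATEGORY[element]
        if category is not None:
            categories.add(category)
    return categories


def is_strong_customer_authentication(elements):
    """SCA requires two or more elements from different categories."""
    return len(sca_categories(elements)) >= 2


def authentication_code(device_key, amount_cents, payee, nonce):
    """Dynamic linking (RTS Art. 5): bind the code to amount and payee.

    The code is an HMAC under a key held on the possession element (e.g. a
    device-bound app key, assumed here). Any later change to amount or payee
    yields a different code, so a code issued for one payment cannot be
    replayed to authorise a different one.
    """
    message = f"{amount_cents}|{payee}|{nonce}".encode("utf-8")
    return hmac.new(device_key, message, hashlib.sha256).hexdigest()


def verify_authentication_code(device_key, amount_cents, payee, nonce, code):
    """PSP-side check: recompute over the transaction actually being executed."""
    expected = authentication_code(device_key, amount_cents, payee, nonce)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    # Constructed sample inputs mirroring the Opinion's examples above.
    print(is_strong_customer_authentication(
        ["printed_card_details", "emv_3ds_protocol_data", "sim_sms_otp"]))  # one element only
    print(is_strong_customer_authentication(
        ["dynamic_card_security_code", "sim_sms_otp"]))                     # both possession
    print(is_strong_customer_authentication(["pin", "device_bound_app"]))   # knowledge + possession

    key = b"constructed-device-bound-key-for-the-example"
    code = authentication_code(key, 10_000, "IBAN-PAYEE-1", "nonce-42")
    print(verify_authentication_code(key, 10_000, "IBAN-PAYEE-1", "nonce-42", code))  # same payment
    print(verify_authentication_code(key, 10_000, "IBAN-PAYEE-2", "nonce-42", code))  # payee changed
```

The table encodes the Opinion's rulings directly, so the card-details + 3DS + SMS OTP and dynamic-CSC + SMS OTP combinations from the text both evaluate to a single covered category and fail the check. The linking code uses the same key on both sides only for brevity; in a deployed scheme the PSP would hold a per-device verification key and the nonce would come from the authentication session.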
While the EBA Opinion paper clarifies some questions the industry may have, it covers only SCA requirements. The key takeaways of the Opinion are: