Introduction
On September 14 this year, firms authorized under Payment Systems Directive 2 (PSD2) will be subject to the requirements for Strong Customer Authentication (SCA) as set out in the European Banking Authority’s (EBA) regulatory technical standard (RTS). The SCA RTS underpins the security requirements under PSD2, and ultimately seeks to regulate the manner and degree of access to customer payment account data held at account servicing payment service providers (ASPSPs), by payment service providers (PSPs).
In its opinion dated June 21, 2019 (The SCA Opinion), the EBA has provided some useful clarification on core elements of the SCA RTS, where SCA is defined as “authentication based on the use of two or more elements categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.1
In light of the above definition, the EBA has sought to clarify what measures would effectively constitute “knowledge”, “possession” and “inherence”, and specifically “what procedure or combination of authentication elements may or may not constitute SCA”.
None of the EBA’s views should come as too much of a surprise, and in some respects they come too late for those firms seeking to be compliant by September 14, 2019 (particularly for firms looking to utilize the exemption from having a fallback mechanism).
However, for firms that are looking to grapple with the SCA RTS for the first time, the SCA Opinion will certainly be useful, and follows in the footsteps of recent EBA opinions on the use of eIDAS certificates, and also on open and secure electronic payments.
In addition to clarifying core elements of SCA, the present opinion also contains some general points relating to PSD2, which will be covered at the end of this article.
Inherence
Inherence is defined by Article 4(30) PSD2 as “something the user is”. The EBA has expressed the view that inherence, which includes biological and behavioral biometrics,
should “relate to physical properties of body parts, physiological characteristics and behavioral processes created by the body, and any combination of these.” It is worth noting that, as a consequence of this position, a ‘swiping path’ memorized by a payment service user would not constitute inherence – and instead would likely be regarded as “knowledge”. The focus should instead be on authentication by reference to the biological uniqueness of the payment service user. The table below sets out what inherence elements would be compliant with the SCA RTS (though please note that the list is not exhaustive).
Element/Measure | SCA compliant?
Fingerprint scanning | Yes
Voice recognition | Yes
Hand and face geometry | Yes
Retina and iris scanning | Yes
Keystroke dynamics | Yes
Heart rate or other body movement pattern identifying the PSU (e.g. for wearable devices) | Yes
The angle at which the device is held | Yes
Information transmitted using a communication protocol (e.g. EMV 3D Secure) | No
Memorised swiping path | No
Possession
Possession is defined in PSD2 as “something only the user possesses”. Possession can be either physical (a device) or non-physical (an app), provided that there is a “reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device”.2 In this context, dynamic validation would mean the issuance of a one-time password (OTP) to evidence possession of a device, where the OTP is regenerated whenever the payee identity or the amount changes.
The EBA has confirmed that a quick response (QR) code and a digital signature generated with a private key would suffice to confirm possession, but that card details or a security code printed on a debit or credit card would not be sufficient confirmation of possession (instead being regarded as knowledge).
The table below sets out a non-exhaustive list of what, in the EBA’s view, may or may not constitute possession under the SCA RTS.
Element/Measure | SCA compliant?
Possession of a device evidenced by an OTP generated by, or received on, a device (hardware or software token generator, SMS OTP) | Yes
Possession of a device evidenced by a signature generated by a device (hardware or software token) | Yes
Card or device evidenced through a QR code (or photo TAN) scanned from an external device | Yes
App or browser with possession evidenced by device binding – such as through a security chip embedded into a device or private key linking an app to a device, or the registration of the web browser linking a browser to a device | Yes
Card evidenced by a card reader | Yes
Card with possession evidenced by a dynamic card security code | Yes
App installed on the device | No
Card with possession evidenced by card details (printed on the card) | No
Card with possession evidenced by a printed element | No
Knowledge
Unsurprisingly, the knowledge element of SCA is defined in PSD2 as ‘something only the user knows’. Article 6 of the SCA RTS adds the prerequisite that PSPs must mitigate the risk that the knowledge element is “uncovered by, or disclosed to unauthorized parties” and must have mitigation measures in place “in order to prevent their disclosure to unauthorized parties.”
This is arguably the element of the SCA RTS that requires the least explanation, and the EBA opinion reflects that. The table below sets out a further non-exhaustive list in respect of what is, or is not, a knowledge element for the purposes of the SCA RTS.
Element/Measure | SCA compliant?
Password | Yes
PIN | Yes
Knowledge-based challenge questions | Yes
Passphrase | Yes
Memorized swiping path | Yes
Email address or user name | No
Card details (printed on the card) | No
OTP generated by, or received on, a device (hardware or software token generator, SMS OTP) | No
General points – EBA open to extensions
The EBA has acknowledged that, owing to the complexity and diversity of the payments market across the Union and the extent of work required to comply with the SCA RTS, some actors in the payments chain may not be ready by September 14, 2019. Therefore, the EBA has accepted that, on an exceptional basis, competent authorities may choose to work with payment service providers and other relevant stakeholders to provide limited additional time to become compliant with SCA. However, any requested extension is contingent on the applying payment service provider having set up a migration plan that is agreed with the competent authority and is then executed in an expedited manner.