Question ID
2018_4047
Legal act
Directive 2015/2366/EU (PSD2)
Topic
Strong customer authentication and common and secure communication (incl. access)
Article
97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph
Article 3
Type of submitter
Other
Subject matter
Review of security measures
Question

When an issuer delegates strong customer authentication (SCA) to a third-party (e.g. a smartphone manufacturer), what are the requirements for such delegation? Should the issuer conduct an evaluation of the technical features and security of third-party’s devices and solutions?

Background on the question
Article 3 RTS requires that the implementation of the security measures ‘referred to in Article 1 [of the RTS]’ must be documented, periodically tested, evaluated and audited in accordance with the applicable legal framework of the PSP by auditors with expertise in IT security and payments and operationally independent within or from the PSP. The reference to the security measures under Article 1 RTS is wide and includes: (a) SCA procedures (Article 1(a) RTS); (b) Exemptions (Article 1(b) RTS); (c) Measures protecting the confidentiality and the integrity of the user’s personalised security credentials (Article 1(c) RTS).
Submission date
Final publishing date
Final answer

According to Article 9 of the Commission Delegated Regulation (EU) 2018/389, payment service providers (PSPs) shall ensure that the use of the elements of strong customer authentication (SCA) is subject to measures which ensure that, in terms of technology, algorithms and parameters, the breach of one of the elements does not compromise the reliability of the other elements. It further provides that PSPs shall adopt security measures,
where any of the elements of SCA or the authentication code itself is used through a multi-purpose device, to mitigate the risk which would result from that multi-purpose device being compromised. The mitigating measures shall include each of the following:

 (a) the use of separated secure execution environments through the software installed inside the multi-purpose device;

 (b) mechanisms to ensure that the software or device has not been altered by the payer or by a third party;

 (c) where alterations have taken place, mechanisms to mitigate the consequences thereof.

Issuers may use third party technology, such as a smartphone fingerprint reader, to support SCA and to ensure they fulfill all the security measures established in the Delegated Regulation. Furthermore, PSPs may outsource the execution of SCA to a third party. In that case, said PSPs should comply with the general requirements on outsourcing, including the requirements in the EBA Guidelines on Outsourcing arrangements (EBA/GL/2019/02).

However, it should be noted that the responsibility for compliance with SCA cannot be outsourced from PSPs to third parties and that PSPs remain fully responsible for the compliance with the requirements in the Delegated Regulation. In particular, PSPs should make sure that the technical service provider has a satisfactory level of security and that it applies the mitigating measures in accordance with Article 9 of the Delegated Regulation.

Finally, in accordance with Article 3 of the Delegated Regulation, PSPs should ensure that the implementation of the security measures is documented, periodically tested, evaluated and audited in accordance with the applicable legal framework of the PSP by auditors with expertise in IT security and payments and operationally independent within or from the PSP. This may include carrying out security evaluations of devices or applications (such as the referred Mobile Payment Application) from third parties.

Status
Final Q&A
Answer prepared by
Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.