Question ID:
2018_4047
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
Article 3
Disclose name of institution / entity:
No
Type of submitter:
Other
Subject Matter:
Review of security measures
Question:

When an issuer delegates strong customer authentication (SCA) to a third-party (e.g. a smartphone manufacturer), what are the requirements for such delegation? Should the issuer conduct an evaluation of the technical features and security of third-party’s devices and solutions?

Background on the question:
Article 3 RTS requires that the implementation of the security measures ‘referred to in Article 1 [of the RTS]’ must be documented, periodically tested, evaluated and audited in accordance with the applicable legal framework of the PSP by auditors with expertise in IT security and payments and operationally independent within or from the PSP.
 
The reference to the security measures under Article 1 RTS is wide and includes:
 
(a) SCA procedures (Article 1(a) RTS);
 
(b) Exemptions (Article 1(b) RTS);
 
(c) Measures protecting the confidentiality and the integrity of the user’s personalised security credentials (Article 1(c) RTS).
Date of submission:
28/06/2018
Published as Final Q&A:
09/08/2019
Final Answer:

According to Article 9 of the Commission Delegated Regulation (EU) 2018/389, payment service providers (PSPs) shall ensure that the use of the elements of strong customer authentication (SCA) is subject to measures which ensure that, in terms of technology, algorithms and parameters, the breach of one of the elements does not compromise the reliability of the other elements. It further provides that PSPs shall adopt security measures,
where any of the elements of SCA or the authentication code itself is used through a multi-purpose device, to mitigate the risk which would result from that multi-purpose device being compromised. The mitigating measures shall include each of the following:

 (a) the use of separated secure execution environments through the software installed inside the multi-purpose device;

 (b) mechanisms to ensure that the software or device has not been altered by the payer or by a third party;

 (c) where alterations have taken place, mechanisms to mitigate the consequences thereof.

Issuers may use third party technology, such as a smartphone fingerprint reader, to support SCA and to ensure they fulfill all the security measures established in the Delegated Regulation. Furthermore, PSPs may outsource the execution of SCA to a third party. In that case, said PSPs should comply with the general requirements on outsourcing, including the requirements in the EBA Guidelines on Outsourcing arrangements (EBA/GL/2019/02).

However, it should be noted that the responsibility for compliance with SCA cannot be outsourced from PSPs to third parties and that PSPs remain fully responsible for the compliance with the requirements in the Delegated Regulation. In particular, PSPs should make sure that the technical service provider has a satisfactory level of security and that it applies the mitigating measures in accordance with Article 9 of the Delegated Regulation.

Finally, in accordance with Article 3 of the Delegated Regulation, PSPs should ensure that the implementation of the security measures is documented, periodically tested, evaluated and audited in accordance with the applicable legal framework of the PSP by auditors with expertise in IT security and payments and operationally independent within or from the PSP. This may include carrying out security evaluations of devices or applications (such as the referred Mobile Payment Application) from third parties.

Status:
Final Q&A
Answer prepared by:
Answer prepared by the EBA.
Image CAPTCHA