Question ID:
2018_4235
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
98
Paragraph:
1
Subparagraph:
(a)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
7
Disclose name of institution / entity:
Yes
Name of institution / submitter:
Swedish Bankers’ Association
Country of incorporation / residence:
Sweden
Type of submitter:
Industry association
Subject Matter:
Ability of static card data to be considered a possession factor?
Question:

Can static card data (Card number PAN + cardholder name + Exp. Date + static CVV2/CVC2) be considered as a possession factor, and if so: is it strong enough to be a valid factor in a 2-factor Strong customer authentication (SCA)?

Background on the question:

In its Opinion on the implementation of the RTS on SCA and CSC (EBA-Op-2018-04), the EBA explained that simple card data (Card number PAN + cardholder name + Exp. Date + CVV2/CVC2) cannot be considered a knowledge element. However, many would consider this data to rather be an element of possession, as also the physical card is an element of possession. The CVV2/CVC2 was originally introduced to establish that the actual physical card had at some point in time been involved in the initiation of the card-based payment – e.g. that it is not just a computer-generated card number under an issuer BIN.

Date of submission:
06/09/2018
Published as Final Q&A:
15/01/2021
EBA Answer:

Article 4(30) of Directive 2015/2366/EU (PSD2) defines ‘possession’ as “something only the user possesses”.

Paragraph 28 and Table 2 of the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06) clarified that card details and card security code that are printed on the card cannot constitute a valid possession element for the approaches currently observed on the market since the requirements of Article 7 of the Commission Delegated Regulation (EU) 2018/389 would not be met.

Status:
Final Q&A