2018_4235 Ability of static card data to be considered a possession factor?

Question ID: 2018_4235
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 98
Paragraph: 1
Subparagraph: (a)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 7
Name of institution / submitter: Swedish Bankers’ Association
Country of incorporation / residence: Sweden
Type of submitter: Industry association
Subject matter: Ability of static card data to be considered a possession factor?
Question: Can static card data (Card number PAN + cardholder name +Exp. Date + static CVV2/CVC2) be considered a as a possession factor, and if so: is it strong enough to be a valid factor in a 2-factor Strong customer authentication (SCA)?
Background on the question: In its Opinion on the implementation of the RTS on SCA and CSC (EBA-Op-2018-04), the EBA explained that simple card data (Card number PAN + cardholder name +Exp. Date + CVV2/CVC2) cannot be considered a knowledge element. However, many would consider this data to rather be an element of possession, as also the physical card is an element of possession. The CVV2/CVC2 was originally intro-duced to establish that the actual physical card had at some point in time been in-volved in the initiation of the card-based payment – e.g. that it is not just a computer-generated card number under an issuer BIN.
Submission date: 06/09/2018
Final publishing date: 15/01/2021
Final answer: Article 4(30) of Directive 2015/2366/EU (PSD2) defines ‘possession’ as “something only the user possesses”.

Paragraph 28 and Table 2 of the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06) clarified that card details and card security code that are printed on the card cannot constitute a valid possession element for the approaches currently observed on the market since the requirements of Article 7 of the Commission Delegated Regulation (EU) 2018/389 would not be met.
Status: Final Q&A
Answer prepared by: Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting

Data

Publications

Media centre

Disclaimer