Can static card data (Card number PAN + cardholder name +Exp. Date + static CVV2/CVC2) be considered a as a possession factor, and if so: is it strong enough to be a valid factor in a 2-factor Strong customer authentication (SCA)?
In its Opinion on the implementation of the RTS on SCA and CSC (EBA-Op-2018-04), the EBA explained that simple card data (Card number PAN + cardholder name +Exp. Date + CVV2/CVC2) cannot be considered a knowledge element. However, many would consider this data to rather be an element of possession, as also the physical card is an element of possession. The CVV2/CVC2 was originally intro-duced to establish that the actual physical card had at some point in time been in-volved in the initiation of the card-based payment – e.g. that it is not just a computer-generated card number under an issuer BIN.
Article 4(30) of Directive 2015/2366/EU (PSD2) defines ‘possession’ as “something only the user possesses”.
Paragraph 28 and Table 2 of the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06) clarified that card details and card security code that are printed on the card cannot constitute a valid possession element for the approaches currently observed on the market since the requirements of Article 7 of the Commission Delegated Regulation (EU) 2018/389 would not be met.