Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Type of submitter:
Credit institution
Subject Matter:
Chip and Signature cards and their inclusion in the remit of RTS Article 11

Is cardholder signature a strong method of authentication when transacting with card present?

If so, is there a requirement to ensure that on Chip and Signature cards we step up to signature from contactless after 5 contactless/cumulative value of 150 euros?

If a signature is not considered to be strong customer authentication (SCA), are chip and signature cards exempt from SCA requirements under Article 11 of the RTS on strong customer authentication and secure communication?

Background on the question:

Chip and Signature cards are generally issued to cardholders who have trouble remembering PIN/entering PIN on a key pad etc. These are typically customers who are vulnerable/have disabilities. Forcing them to use PIN at terminals (aside from ATMs) may be considered discrimination. Forcing customers to step up from contactless to signature is also a bad customer journey, especially if the terminal is not attended, e.g. self-service in a supermarket.

Date of submission:
Published as Final Q&A:
Final Answer:

Q&A 2018_4237 clarifies that a signature on a paper slip cannot be considered a valid factor in a two-factor strong customer authentication (SCA) under Directive 2015/2366/EU (PSD2) and the Commission Delegated Regulation (EU) 2018/389 for approaches currently observed in the market.

Accordingly, while the exemption under Article 11 of the Delegated Regulation may be used for card-based payment transactions relying on chip and signature on a paper slip, provided that the respective thresholds are met, it would not be possible to apply SCA by using the chip and a signature only after the thresholds have been reached. In this case, the issuer of the payment card would need to ensure that other forms of authentication compliant with the requirements of PSD2 and the Delegated Regulation are applied.

Final Q&A
Answer prepared by:
Answer prepared by the EBA.