Question ID:
2018_4414
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
Paragraph:
2
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
5
Disclose name of institution / entity:
No
Type of submitter:
Other
Subject Matter:
Usage of SMS for dynamic linking
Question:

Please clarify whether payment information and an authentication code sent via SMS to a mobile phone complies with the requirements for Dynamic Linking as defined in Article 5 of the RTS, and in particular paragraph 5.2.

Background on the question:

In order to authenticate a payment, payment service providers might send the payment information (e.g. amount, information about the payee) and corresponding authentication code for a certain payment via SMS to the mobile phone of a payer. The payer should then verify the payment information in the SMS message, and enter the authentication code from the SMS message into the payment application.

Article 5, paragraph 2 requires payment service providers to adopt measures to protect the confidentiality, authenticity and integrity of the payment information throughout all phases of the authentication.

However, the SMS standard, which is part of the Global System for Mobile Communications (GSM) series of standards, does not protect the confidentiality, authenticity and integrity of SMS messages. Additionally, vulnerabilities in the SS7 protocol allow interception of SMS messages.

Date of submission:
10/12/2018
Published as Final Q&A:
26/02/2021
EBA Answer:

In accordance with Article 4(a) of the Delegated Regulation (EU) 2018/389, “where Payment Service Providers apply Strong Customer Authentication in accordance with Article 97(1) of Directive (EU) 2015/2366, the authentication shall be based on two or more elements which are categorised as knowledge, possession and inherence and shall result in the generation of an authentication code”. Further, Article 5(2) of the Delegated Regulation states that “payment service providers shall adopt security measures which ensure the confidentiality, authenticity and integrity of each of the following: a) the amount of the transaction and the payee throughout all of the phases of the authentication; b) the information displayed to the payer throughout all of the phases of the authentication including the generation, transmission and use of the authentication code”.

Based on currently available market practices on the transmission of one-time password (OTP) via a Short Message Service (SMS), the SMS may or may not include the information covered in Article 5(2)(a) or the authentication code under Article 4 of the Delegated Regulation.

In the case where the SMS is used for the transmission of an OTP but does not contain the authentication code nor any payment information such as the payee or the amount of the transaction, the issuer would not be required under Article 5(2) of the Delegated Regulation to ensure the confidentiality, authenticity and integrity of the information transmitted via the SMS.

In the case where the SMS contains the authentication code and/or payment information, such as the payee or the amount of the transaction, while the issuer may still use an SMS OTP to evidence the possession element as clarified in paragraph 25 of the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06) and Q&A 2018_4039, in accordance with Article 5(2) of the Delegated Regulation, the issuer should take all necessary security measures to ensure the confidentiality, authenticity and integrity of the authentication code and/or the payment information transmitted via the SMS.
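The answer turns on whether the SMS carries the authentication code and the payment details that Article 5 links it to. The following Python is an added illustration of that linking on the issuer side; it is not code from the EBA, the RTS, or any payment service provider. It assumes an HMAC-SHA256 construction under an issuer-held key with HOTP-style truncation to an 8-digit code, and all keys, challenges and payee identifiers in it are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


def canonical_payment(amount, payee: str, challenge: str) -> bytes:
    """Fixed-format encoding of what the code is linked to: amount, payee and a
    per-transaction challenge. A canonical form matters because "100" and
    "100.00" must feed identical bytes into the MAC."""
    return f"{Decimal(amount):.2f}|{payee.replace(' ', '').upper()}|{challenge}".encode()


def generate_auth_code(key: bytes, amount, payee: str, challenge: str, digits: int = 8) -> str:
    """Authentication code that is specific to the amount and the payee.
    Assumed construction (not one prescribed by the RTS or the EBA): HMAC-SHA256
    under an issuer-held key, truncated HOTP-style (RFC 4226 section 5.3) to a
    short decimal code a payer can type into the payment application."""
    mac = hmac.new(key, canonical_payment(amount, payee, challenge), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    word = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


def new_challenge() -> str:
    """Fresh per-transaction value so a code issued for one payment cannot be
    replayed to approve a later one."""
    return secrets.token_hex(16)


def verify_auth_code(key: bytes, amount, payee: str, challenge: str, code: str) -> bool:
    """Issuer-side check: the submitted code is accepted only for the amount and
    payee that are actually about to be executed. Constant-time comparison."""
    if not (code.isdigit() and len(code) == 8):
        return False
    expected = generate_auth_code(key, amount, payee, challenge, len(code))
    return hmac.compare_digest(expected, code)


# Constructed demonstration values: not a real key, challenge or account.
DEMO_KEY = b"issuer-secret-key-demo-only"
DEMO_CHALLENGE = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"
DEMO_PAYEE = "DE00 0000 0000 0000 0000 00"  # placeholder payee identifier
OTHER_PAYEE = "DE00 0000 0000 0000 0000 99"  # placeholder payee identifier


def demo_dynamic_linking() -> dict:
    """Flow from the question: the issuer links a code to the payment, the payer
    enters it, and the issuer accepts it only for the original amount and payee."""
    code = generate_auth_code(DEMO_KEY, "100.00", DEMO_PAYEE, DEMO_CHALLENGE)
    return {
        "code": code,
        "genuine": verify_auth_code(DEMO_KEY, "100.00", DEMO_PAYEE, DEMO_CHALLENGE, code),
        "same_amount_other_format": verify_auth_code(DEMO_KEY, "100", DEMO_PAYEE, DEMO_CHALLENGE, code),
        "amount_changed": verify_auth_code(DEMO_KEY, "900.00", DEMO_PAYEE, DEMO_CHALLENGE, code),
        "payee_changed": verify_auth_code(DEMO_KEY, "100.00", OTHER_PAYEE, DEMO_CHALLENGE, code),
        "replayed_for_new_transaction": verify_auth_code(DEMO_KEY, "100.00", DEMO_PAYEE, new_challenge(), code),
    }


if __name__ == "__main__":
    for name, result in demo_dynamic_linking().items():
        print(f"{name}: {result}")
```

The linking means a code issued for one amount and payee is rejected if either has been altered before execution, which is the property the payer's visual check of the SMS is meant to back up. It does nothing for the confidentiality, authenticity or integrity of the code and payment details while they sit in the SMS itself, which is exactly the gap Article 5(2) requires the issuer to close with additional measures when those values are transmitted that way.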

Status:
Final Q&A
Answer prepared by:
Answer prepared by the EBA.