Question ID:
2019_4671
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
4
Paragraph:
1
Subparagraph:
30
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
6
Disclose name of institution / entity:
Yes
Name of institution / submitter:
Bulgarian Fintech Association
Country of incorporation / residence:
Bulgaria
Type of submitter:
Industry association
Subject Matter:
Compliance of (1) card data (2) SMS OTP and (3) EMV 3DS behaviour-based inherence as an authentication information with the requirements of PSD2 and RTS on SCA
Question:

Could the use of (1) card data (2) SMS One Time Password (OTP) and (3) Europay, MasterCard, Visa (EMV) 3-D secure (3DS) behaviour-based inherence information as an authentication solution be considered compliant with the PSD2 and RTS on strong customer authentication and secure communication requirements?

Background on the question:

We consider the authentication solution based on (1) card data, (2) SMS OTP and (3) EMV 3DS behaviour-based inherence information compliant with the requirements of PSD2 SCA. This method of authentication has proved to be effective, secure and considerably convenient for users worldwide. There is a significant number of banks and financial institutions who are currently considering the adoption of this solution in order to be compliant with PSD2.

The three components of the aforementioned authentication solution correspond to three different categories of authentication elements, namely: Knowledge (card data), Ownership (SMS OTP) and Inherence (EMV 3DS). They are independent from each other and, therefore, they can be used in pairs in compliance with PSD2. Card data (Knowledge) is significantly more complex and considerably longer than a common static password or a PIN-code.

Furthermore, it includes different pieces of data – card number, expiry date and CVC, which makes it impossible for the card data to be simply guessed and very unlikely to be stolen by a fraudulent software. Anyone who possesses a card is required to keep it secure and private, thus shifting the liability for the protection of the data to the client, much like with a regular password, only notably more complex than that.

An additional password requirement would only cause frustration without significantly improving the security of the payments. In addition, in the recent years we have been witnessing a gradual transition to fully contactless payments, which makes it impossible to capture card data.

Mobile payments are also on the rise, which provides no opportunities for card data leakage. EMV 3DS (Inherence) provides behaviour-based inherence information generated on the basis of more than 130 data points that provide a significant level of uniqueness. The data points include elements which identify the cardholder’s location, spending habits and transaction history, as well as the devices they use, which is enough for issuers to authenticate cardholders correctly.

The practice in recent years has shown that each of these two types of authentication provides more security than a single piece of data, such as a PIN-code or a password (knowledge) or even an OTP generated by a physical device in the possession of the cardholder (possession). For example, an issuer can authenticate a card holder with a very high degree of certainty if recurring purchases are made from the same device and location and are shipped to the same address. This set of circumstances provide for a much more secure and reliable authentication compared to the use of a single piece of authentication information.

In Questions 28 and 32 of the European Banking Authority’s Feedback Table, EBA has recognised that the behaviour-based information may constitute a valid inherence authentication element under PSD2. Furthermore, the EBA has confirmed this view in its Opinion on the implementation of the RTS from June 2018.

Issuers will remain responsible for determining if it is appropriate to select EMV 3DS behaviour-based information as a valid inherence authentication element in itself or as support for the risk analysis and monitoring associated with a transaction under the RTS.

This decision will have regard for the risk profile of the transaction, the information transmitted through EMV 3DS and the reliability of the behaviour-based information obtained (in terms of minimizing false positives and the chances of replication).

Please consider the fact that if it were not for the introduction of authentication through (1) card data (2) SMS OTP and (3) EMV 3DS behaviour-based inherence information, hundreds of millions of European consumers would still need to remember a password in addition to having to put in their card details when making a purchase. The introduction of a password requirement will lead to high abandonment rates, massive complaints by customers for not being able to shop online, and an overall frustration throughout the European online markets.

As the representative body of the FinTech sector in Member State B, we have the ability to observe the trends in the sector, as well as the user behaviour. Therefore, we are concerned that the introduction of an additional authentication method such as a PIN-code, would hinder the development of the financial services provided by the companies in the sector, since the customers who utilize them are used to the high level of comfort and accessibility of the services. It is expected that such a measure will disincentivise users to continue using the services of Fintech companies who operate with online payments.

Date of submission:
15/04/2019
Published as Final Q&A:
05/03/2021
EBA Answer:

Paragraph 35 of the EBA Opinion on the Implementation of the RTS on SCA and CSC (EBA-Op-2018-04), stated that the card details and security code printed on the card would not constitute a knowledge element. In addition, while a card with a dynamic card security code may constitute a possession element, it would not constitute a knowledge element.

Table 2 of the EBA Opinion on the elements of strong customer authentication (SCA) under PSD2, (EBA-Op-2019-06), notes that a Card with possession evidenced by card details (printed on the card) is not a compliant ‘possession’ element, for approaches currently observed.

Accordingly, card details cannot be used as a valid factor in a two-factor SCA under Directive 2015/2366/EU (PSD2) and the Delegated Regulation (EU) 2018/389.

With regard to EMV 3DS, paragraph 21 and Table 1 of the EBA Opinion on the elements of SCA under PSD2 clarified that communication protocols, such as EMV® 3-D Secure version 2.0 and newer, did not appear to constitute inherence elements for approaches observed on the market at the time of issuance of the Opinion.

With regard to the SMS OTP, as clarified in Q&A 2018_4039 a one-time password sent via SMS would constitute a possession element and therefore should comply with the requirements under Article 7 of the Delegated Regulation. This was reflected also in Table 2 of the EBA Opinion on the elements of strong customer authentication under PSD2.

Accordingly, authentication based on the combination of card details, SMS OTP and current EMV 3DS would not meet the SCA requirements under PSD2 and the Delegated Regulation.

Status:
Final Q&A
Image CAPTCHA