- Question ID: 2018_4237
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 98
- Paragraph: 1
- Subparagraph: (a)
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 8
- Name of institution / submitter: Swedish Bankers’ Association
- Country of incorporation / residence: Sweden
- Type of submitter: Industry association
- Subject matter: Signature on a paper slip from a payment terminal, as a factor in a two-factor SCA
- Question
Could a signature on a paper slip from a payment terminal be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?
- Background on the question
EBA responded to a question about signature as authentication factor in connection to its “Final Report Draft RTS” of 23rd February 2017, Comment (273) -4), by saying “The EBA is of the view that it complies with the requirements under the RTS, including the presence of a dynamic element.”
The way the question is formulated it is unclear if the answer relates to a signature on a paper slip or a signature on a digital device, or both. It is also unclear to us what EBA means with “presence of a dynamic element” in this context.
We think EBA should elaborate on the requirements for capture and comparison of signature. The question of digital capture of a signature must be addressed separately from the issue of capture of signature on a paper slip. With regard to capture on a paper slip, there is need to address the typical way this is captured today, i.e. on a paper slip from a payment terminal, which is only saved by the merchant (the payee) for reference in case the transaction is disputed, and is therefore not captured in any direct or indirect way by the payer’s PSP, i.e. the issuer.
- Submission date
- Final publishing date
- Final answer
Article 4 of Directive 2015/2366/EU (PSD2) defines ‘knowledge’ as ‘something only the user knows’, ‘possession’ as ‘something only the user possesses’ and ‘inherence’ as ‘something the user is’.
Paragraph 34 of the EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication (SCA) and common and secure communication, EBA-Op-2018-04, states that behavioural biometrics may constitute inherence providing they comply with the requirements under Article 8 of the Commission Delegated Regulation (EU) 2018/389.
However, for approaches currently observed in the market where the merchant compares the signature of the payer on a paper slip with the signature on the card, a signature on a paper slip cannot be considered as a behavioural biometric as it would not meet the requirements of Article 8 of the Delegated Regulation, since the signature is not being read by access devices and software provided to the payer and the issuer cannot verify the payer’s signature as part of the authentication process.
In addition, a signature on a paper slip does not constitute ‘knowledge’ as this is not something only the user knows or ‘possession’ as this is not something that the user possesses. Therefore it cannot be considered as a valid factor in a two-factor SCA under PSD2 and the Delegated Regulation.
- Status: Final Q&A
- Answer prepared by: Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.