Does the requirement to apply Strong customer authentication (SCA) under Article 24 paragraph 2 b of Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication apply when the customer is served by telephone call? Or, for a customer who does not have active credentials at hand, is associating authentication credentials only possible with the customer present?
Article 24 paragraph 2 b of the RTS on SCA: "the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication".
During the pandemic there is high demand for services that do not require meeting in person.
In accordance with Article 97(1)(c) of Directive 2015/2366/EU (PSD2), payment service providers (PSPs) shall apply strong customer authentication (SCA) where the payer ‘carries out any action through a remote channel which may imply a risk of payment fraud or other abuses’.
Article 4(30) of PSD2 defines strong customer authentication as ‘an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data’.
In accordance with Article 24(2) of the Commission Delegated Regulation (EU) 2018/389, in order to ensure that only the payment service user (PSU) is associated, in a secure manner, with the personalised security credentials (PSC), the authentication devices and the software, PSPs shall ensure that ‘the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication.’
Accordingly, the association of the PSU with the PSC can be done remotely by applying SCA. A telephone call does not, for approaches currently observed in the market, ensure the application of a valid SCA in accordance with PSD2 and the Delegated Regulation.