- Question ID
-
2020_5650
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
98
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
-
24 (2) (b)
- Type of submitter
-
Other
- Subject matter
-
Requirements towards SCA if association is done based on phone call
- Question
-
Does the requirement to apply Strong customer authentication (SCA) under Article 24 paragraph 2 b of Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication apply when customer is served using telephone call? Or is the only possibility to associate authentication credentials with the customer not having active credentials at hand, only possible having customer present?
- Background on the question
-
Article 24 paragraph 2 b of the RTS on SCA "the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication".
During the pandemics there is a high demand for the services not requiring to meet in presence.
- Submission date
- Final publishing date
-
- Final answer
-
In accordance with Article 97(1)(c) of Directive 2015/2366/EU (PSD2), payment service providers (PSPs) shall apply strong customer authentication (SCA) where the payer ‘carries out any action through a remote channel which may imply a risk of payment fraud or other abuses’.
Article 4(30) of PSD2 defines strong customer authentication as ‘an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data’.
In accordance with Article 24(2) of the Commission Delegated Regulation (EU) 2018/389, in order to ensure that only the payment service user (PSU) is associated, in a secure manner, with the personalised security credentials (PSC), the authentication devices and the software, PSPs shall ensure that ‘the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication.’
Accordingly, the association of the PSU with the PSC can be done remotely by applying SCA. A telephone call does not, for approaches currently observed in the market, ensure the application of a valid SCA in accordance with PSD2 and the Delegated Regulation.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.