Does a payer’s date of birth and place of birth constitute a valid Knowledge Element for strong customer authentication?
After reading many different articles, Knowledge should be something in the customer’s head. So if a date of birth can be viewed across many different forms of personal information (even through the window of some letters in your letterbox or my Facebook page) and my place of birth can be found on my passport, should my bank be using this to validate Knowledge for making data changes?
Article 4(30) of Directive 2015/2366/EU (PSD2) defines knowledge as something only the user knows.
Article 6 of Regulation (EU) 2018/389 specifies the requirement for payment service providers (PSPs) to mitigate the risk that the element is ‘uncovered by, or disclosed to, unauthorised parties’ and to have mitigation measures in place ‘in order to prevent their disclosure to unauthorised parties’.
Accordingly, date and/or place of birth cannot constitute a knowledge element under PSD2 and the Delegated Regulation since these may be accessible by third parties other than the payment service user or the PSP.