Search for Q&As Submit a question

List of Q&As

Ability of static card data to be considered a possession factor?

Can static card data (Card number PAN + cardholder name +Exp. Date + static CVV2/CVC2) be considered a as a possession factor, and if so: is it strong enough to be a valid factor in a 2-factor Strong customer authentication (SCA)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4235 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 06/09/2018 | Date of publication: 15/01/2021

Signature on a paper slip from a payment terminal, as a factor in a two-factor SCA

Could Signature on a paper slip from a payment terminal, be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4237 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 06/09/2018 | Date of publication: 15/05/2020

Unsuccessful authentications and declined transactions effect on the counters of cumulative amount and number of consecutive transactions

Do failed authentications or declined transactions increase the counters of cumulative amount or number of hits?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4785 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 18/06/2019 | Date of publication: 06/12/2019

Showing a password after it has been masked

Article 22, 2(a) states that "personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication". Is it ok to offer the user a "show password"-button, so the user can verify that correct password has been entered, before fulfilling an authentication?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4366 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 09/11/2018 | Date of publication: 08/02/2019

Signature performed on the screen of a digital device as a factor in a two-factor SCA

Could a signature performed on the screen of a digital device be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4238 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 06/09/2018 | Date of publication: 21/12/2018

Obligatory nature of the SCA and exemption based on transaction risk analysis

Does the exemption to the strong customer authentication (SCA) apply to any connection the payment service user (PSU) makes to his/her payment account(s), or only to the connections made through the use of third party processors (TPPs, such as AISPs or PISPs) via the interfaces (dedicated or not) set up by the bank with the TPPs, when a transaction risk analysis is performed and results on a low level of risk? That is, the connections made via the traditional online banking or the mobile application that the financial institution (the bank) provides to the final user are also eligible to a transaction risk analysis and, if a low level or risk is identified, apply exemption to the SCA? Or do the PSD2, and specifically the RTS on SCA and secure communication not apply to the traditional connections performed by the PSUs to their payment accounts via online banking or mobile application provided by the bank (ASPSP), and do they not mandate to apply transaction monitoring in such cases?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4089 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 10/07/2018 | Date of publication: 19/10/2018