Is persistent authentication for wearable devices compliant with the RTS?
New payment solutions can entail the use of wearable devices with payment capabilities (e.g. smartwatches and wristbands). A card can be registered in a wearable device so that the device can be used to pay. This makes the device (or the tokenized card registered in the device) an ownership factor (“something only the user possesses”).
Some devices have a screen and keyboard and can support, for example, PIN entry. For other devices, the PIN may instead be entered on the POS terminal.
Other devices can continuously monitor and identify users through locking mechanisms that ensure that the user is continuously wearing the device. This is the so-called ‘persistent authentication’. For example, persistent authentication occurs when the device continuously monitors that the cardholder is wearing the device by measuring the heartbeat. These devices authenticate through an ownership factor (the tokenized card registered in the device) and another factor (e.g. biometrics).
Additional security features may be implemented. For example, persistent authentication terminates (i) whenever the wearable is detected ‘off-body’, and this ‘off-body’ detection must occur within 3 seconds, or (ii) after 24 hours of continuous use (‘time-out’).
Absent any clarification on persistent authentication in the PSD2 and in the RTS, we believe that persistent authentication for wearable devices is compliant with the RTS insofar as the registration of the card in the device is done in compliance with the RTS SCA requirements. In particular, the card must be securely associated with the wearable device through SCA by the issuer.
PSD2 and the Commission Delegated Regulation (EU) 2018/389 (RTS on Strong customer authentication and secure communication) do not define ‘persistent authentication’.
Article 97 of PSD2 requires payment service providers to apply strong customer authentication (SCA) for all electronic transactions or log-in to an electronic account. Article 4(30) of PSD2 defines SCA as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent”. Articles 4 to 9 of the Delegated Regulation provide further detail on these elements as well as on the application of dynamic linking, where applicable. Article 22 of this Delegated Regulation details requirements on ensuring the confidentiality and integrity of the payment service user’s personalised security credentials, including authentication codes, during all phases of authentication.
The submitter suggests that some devices can continuously monitor and identify users through mechanisms that ensure that the user is continuously wearing the device (e.g. through measuring the heartbeat). Such an authentication would need to meet the legal requirements listed above.
With regard to ‘possession’, according to paragraph 35 of the EBA Opinion on the implementation of the RTS on SCA and secure communication, “for a device to be considered possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device”. This leads to a unique SCA attempt for every situation where SCA needs to be applied.
Finally, in situations where exemptions apply, such as under the contactless payments exemption under Article 11 of the Delegated Regulation, the requirement for SCA would not apply.
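The following is an added example, not part of the EBA Q&A or of any vendor's wearable firmware. It models the two points made above in one place: the submitter's persistent-authentication session (opened with an ownership factor plus a biometric match, terminated on ‘off-body’ detection within 3 seconds or after a 24-hour time-out) and the EBA's requirement that possession be confirmed by a dynamic validation element generated on the device for each situation where SCA applies. The token key, the HMAC-based authentication code bound to amount and payee, the class and function names, and the timeline in `demo_timeline` are all assumptions made for illustration; real tokenized cards use issuer-defined cryptograms, not this scheme.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Limits taken from the submitter's description of the optional security features.
OFF_BODY_DETECTION_LIMIT_S = 3.0
SESSION_TIMEOUT_S = 24 * 3600


class WearableSession:
    """Persistent authentication session on a wearable (illustrative model, not real firmware)."""

    def __init__(self, token_key: bytes):
        # Assumed: a device-bound key provisioned when the issuer registered the tokenized
        # card in the device via SCA. Holding this key is the possession factor.
        self._token_key = token_key
        self._authenticated_at: Optional[float] = None
        self._last_on_body: Optional[float] = None
        self._active = False

    def authenticate(self, now: float, biometric_ok: bool) -> bool:
        """Open the session: possession (token key) plus inherence (biometric match)."""
        if not biometric_ok:
            self._active = False
            return False
        self._authenticated_at = now
        self._last_on_body = now
        self._active = True
        return True

    def heartbeat_sample(self, now: float, on_body: bool) -> None:
        """Continuous wearer monitoring; an off-body reading terminates the session at once."""
        if not self._active:
            return
        if on_body:
            self._last_on_body = now
        else:
            self._active = False

    def is_valid(self, now: float) -> bool:
        """Fail closed: no session, time-out, or no on-body confirmation within the detection limit."""
        if not self._active:
            return False
        if now - self._authenticated_at >= SESSION_TIMEOUT_S:
            self._active = False
            return False
        if now - self._last_on_body > OFF_BODY_DETECTION_LIMIT_S:
            # A sensor gap longer than the 3 s limit means off-body cannot be ruled out.
            self._active = False
            return False
        return True

    def authentication_code(self, now: float, amount_cents: int, payee: str, nonce: bytes) -> Optional[bytes]:
        """Dynamic validation element: one fresh code per payment, bound to amount and payee
        (dynamic linking). Only issued while the persistent session is valid."""
        if not self.is_valid(now):
            return None
        msg = struct.pack(">Q", amount_cents) + payee.encode("utf-8") + nonce
        return hmac.new(self._token_key, msg, hashlib.sha256).digest()[:8]


def verify_code(token_key: bytes, amount_cents: int, payee: str, nonce: bytes, code: Optional[bytes]) -> bool:
    """Issuer-side check of the dynamic validation element (same assumed scheme)."""
    if code is None:
        return False
    msg = struct.pack(">Q", amount_cents) + payee.encode("utf-8") + nonce
    expected = hmac.new(token_key, msg, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(expected, code)


def demo_timeline() -> dict:
    """Constructed timeline (times in seconds; not taken from the page) exercising each rule."""
    key = bytes(range(32))  # assumed provisioned key
    s = WearableSession(key)
    nonce = b"\x01" * 8
    out = {}
    out["no_session"] = s.authentication_code(0, 1250, "merchant-1", nonce) is None
    out["bad_biometric"] = s.authenticate(10, biometric_ok=False)
    s.authenticate(10, biometric_ok=True)
    s.heartbeat_sample(11, on_body=True)
    code = s.authentication_code(12, 1250, "merchant-1", nonce)
    out["code_ok"] = verify_code(key, 1250, "merchant-1", nonce, code)
    out["tampered_amount"] = verify_code(key, 9999, "merchant-1", nonce, code)
    # No on-body reading for 5 s: wearer cannot be confirmed within 3 s, so fail closed.
    out["sensor_gap"] = s.authentication_code(16, 500, "merchant-2", b"\x02" * 8) is None
    s.authenticate(20, biometric_ok=True)
    s.heartbeat_sample(21, on_body=False)  # device taken off
    out["off_body"] = s.is_valid(21)
    s.authenticate(100, biometric_ok=True)
    t = 100 + SESSION_TIMEOUT_S
    s.heartbeat_sample(t - 1, on_body=True)  # still worn, but 24 h have elapsed
    out["timeout"] = s.is_valid(t)
    return out


if __name__ == "__main__":
    for event, result in demo_timeline().items():
        print(f"{event}: {result}")
```

The point the model makes concrete is that the persistent session alone is not the SCA: it only gates whether the device will produce the per-payment dynamic validation element, and the session is torn down (rather than left open) whenever the wearer cannot be confirmed, which is the behaviour the EBA's possession criterion expects.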