The European Banking Authority (EBA) today published three Q&As that, jointly with three other Q&As that the EBA had published previously, comprehensively clarify the application of strong customer authentication (SCA) to digital wallets under the revised Payment Service Directive (PSD2). This press release summarises these Q&As and thus aims to bring about a consistent understanding among all market stakeholders of the applicable requirements.
The six Q&As clarify the application of SCA to the enrolment of a payment card to a digital wallet and to the initiation of payment transactions with digitised versions of a payment card. They also clarify the requirements applicable to the outsourcing of the application of SCA to digital wallet providers.
Starting with the enrolment of a payment card to a digital wallet, Q&A 5622, for example, clarifies that this process leads to the creation of a token/digitised version of the payment card and requires the application of SCA under Article 97(1)(c) of PSD2, because it is an action that may imply a risk of fraud or other abuses. By applying SCA, the payment service provider (PSP) verifies remotely that the payment service user (PSU) is the rightful user of the payment card and associates the PSU and the digitised version of the payment card with the respective device.
Q&A 6141 had already clarified that the PSP that has issued the payment card (the issuer) is required to apply SCA when a payment card is added to a digital wallet and is responsible for providing the respective SCA elements to the PSU. The issuer is also required to ensure that adequate security measures are in place to protect the confidentiality and integrity of the PSU's personalised security credentials.
Turning to outsourcing, the Q&As, overall, clarify that issuers may outsource the provision and verification of the elements of SCA to a third party, such as a digital wallet provider (e.g. by concluding contractual arrangements with that third party), in compliance with the general requirements on outsourcing, including the requirements of the EBA Guidelines on outsourcing arrangements. However, responsibility for compliance with the SCA requirements cannot be outsourced: issuers remain fully responsible for compliance with the requirements in PSD2 and the Regulatory Technical Standards (RTS) on SCA&CSC.
When it comes to the initiation of electronic payment transactions, Q&A 5622 clarifies that the initiation of transactions with the digitised version of the payment card also requires the application of SCA under Article 97(1)(b) of PSD2, unless one of the specific exemptions from the application of SCA set out in the RTS on SCA&CSC applies.
Finally, Q&A 6145 clarifies that the unlocking of a mobile phone with biometrics (e.g. a fingerprint) or with a PIN/password cannot be considered a valid SCA element for the purpose of adding a payment card to a digital wallet, if the screen locking mechanism of the mobile device is not a process under the control of the issuer. Q&A 6464 further clarifies that the issuance of a new token, replacing a previously existing one, and binding it to a device/user also requires the application of SCA.
Legal basis and background
The six Q&As referred to in this press release comprise three Q&As the EBA had previously published (4047, 4827 and 6141) and three Q&As the EBA has published today (5622, 6145 and 6464).
Article 97(1) of PSD2 states that “a payment service provider applies strong customer authentication where the payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction; (c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses”.
Article 24(1) of the Commission Delegated Regulation (EU) 2018/389 provides that ‘payment service providers shall ensure that only the payment service user is associated, in a secure manner, with the personalised security credentials, the authentication devices and the software’. Paragraph 2, letter ‘b’ of the same article continues by specifying that ‘the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication.’
Article 16b of the EBA Regulation (No 1093/2010) provides that “[…] questions relating to the practical application or implementation of the provisions of legislative acts […], associated delegated and implementing acts, and guidelines and recommendations, adopted pursuant to those legislative acts, may be submitted by any natural or legal person, including competent authorities and Union institutions and bodies, to the Authority in any official language of the Union”.