Question ID
2018_4049
Legal act
Directive 2015/2366/EU (PSD2)
Topic
Strong customer authentication and common and secure communication (incl. access)
Article
97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph
Articles 7, 8
Type of submitter
Other
Subject matter
Persistent authentication for wearable devices
Question

Is persistent authentication for wearable devices compliant with the RTS?

Background on the question

New payment solutions can entail the use of wearable devices with payment capabilities (e.g. smartwatches and wristbands). A card can be registered in a wearable device so that the device can be used to pay. This makes the device (or the tokenized card registered in the device) an ownership factor (“something only the user possesses”).

Some devices have a screen and keyboard and can support for example PIN entry. In addition, for other devices the PIN may be entered on the POS terminal.

Other devices can continuously monitor and identify users through locking mechanisms that ensure that the user is continuously wearing the device. This is the so-called ‘persistent authentication’. For example, persistent authentication occurs when the device continuously monitors the cardholder is wearing the device through measuring the heartbeat. These devices authenticate through an ownership factor (the tokenized card registered in the device) and another factor (e.g. biometrics).

Additional security features may be implemented. For example, persistent authentication terminates (i) whenever wearable is detected ‘off-body’ and this ‘off-body’ detection must occur within 3 seconds, or (ii) after 24 hours of continuous use (‘time-out’).

Absent any clarification on persistent authentication in the PSD2 and in the RTS, we believe that persistent authentication for wearable devices is compliant with the RTS insofar as the registration of the card in the device is done in compliance with the RTS SCA requirements. In particular, the card must be securely associated with the wearable device through SCA by the issuer.

Submission date
Final publishing date
Final answer

PSD2 and the Commission Delegated Regulation (EU) 2018/389 (RTS on Strong customer authentication and secure communication) do not define ‘persistent authentication’.

Article 97 of PSD2 requires payment service providers to apply strong customer authentication (SCA) for all electronic transactions or log-in to an electronic account. Article 4(30) of PSD2 defines SCA as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent”. Articles 4 to 9 of the Delegated Regulation provide further detail on these two elements as well as the application of dynamic linking, where applicable. Article 22 of this Delegated Regulation details requirements on ensuring the confidentiality and integrity of the payment service user’s personalised security credentials, including authentication codes, during all phases of authentication.

The submitter suggests that some devices can continuously monitor and identify users through mechanisms that ensure that the user is continuously wearing the device (e.g. through measuring the heartbeat). Such an authentication would need to meet the legal requirements listed above.

With regard to ‘possession’, according to paragraph 35 of the EBA Opinion on the implementation of the RTS on SCA and  secure communication “for a device to be considered possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device”.  This leads to a unique SCA attempt for every situation, where SCA needs to be applied.

Finally, in situations where exemptions apply, such as under the contactless payments exemption under Article 11 of the Delegated Regulation, the requirement for SCA would not apply.

Status
Final Q&A
Answer prepared by
Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.