2018_4110 Data authentication standards | European Banking Authority

Question ID: 2018_4110
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
Paragraph: 2
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 4
Name of institution / submitter: EPSM, European Association of Payment Service Providers for Merchants
Country of incorporation / residence: Germany
Type of submitter: Industry association
Subject matter: Data authentication standards
Question: Does a non-remote card payment transaction with a secure, dynamic data authentication of the card (DDA or higher), based on ISO/IEC 7816 (for contact cards) and ISO/IEC 14443 (for contactless card) used with a static PIN meet the requirements of Article 4 of the RTS on Strong Customer Authentication (SCA)?
Background on the question: Considering the published comments by EMVCo dated from 2016 and the EBA analysis from 2017 (see comment 272 of the Final Report of the RTS on SCA, dated 23 February 2017), EBA is asked to provide clarity that all face-to-face card transactions using the global EMV DDA or CDA standard fulfill all requirements for authentication codes of Article 4 of the Regulatory Technical Standards of Strong Customer Authentication and Common and Secure Communication.
Without such a confirmation, the practical impact would be that more than 5 000 PSPs (card issuers and acquirers) in Europa have to prove the compliance of these standards with the RTS with their own technical and legal experts individually when being audited.
While it is well understood that EBA does not see SDA being compliant with the RTS, we believe it is neither feasible nor intended to burden all European PSPs with proving that DDA and CDA is in line with RTS individually.
Submission date: 13/07/2018
Final publishing date: 20/12/2019
Final answer: The authentication of the payment card based on combined data authentication (CDA) and dynamic data authentication (DDA), as currently observed in the market, could meet the requirements of the elements categorised as possession under Article 7 of the Commission Delegated Regulation (EU) 2018/389 for non-remote card-based payment transactions.
Moreover, CDA and DDA can be used for the generation of the authentication code, which should be compliant with the requirements of Article 4 of the Delegated Regulation.
In line with the requirements of the Delegated Regulation, issuers should identify in their solutions which messages/data fields (or a combination of them) generate the “authentication code” and the dynamic element to prove the possession.
In addition, as clarified in Table 3 of the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06), a static PIN could constitute a ‘knowledge’ element.
It should be noted that card set-ups designed by issuers, other than those relying on CDA/DDA, could be compliant with the requirements of the Delegated Regulation.
Finally, it should be noted that it is for each payment service provider to identify which are the authentication elements and authentication codes of their solutions and to prove that they meet the requirements of the Delegated Regulation.
Status: Final Q&A
Answer prepared by: Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Disclaimer