We consider the authentication solution based on (1) card data, (2) SMS OTP and (3) EMV 3DS behaviour-based inherence information compliant with the requirements of PSD2 SCA. This method of authentication has proved to be effective, secure and considerably convenient for users worldwide. There is a significant number of banks and financial institutions who are currently considering the adoption of this solution in order to be compliant with PSD2.

The three components of the aforementioned authentication solution correspond to three different categories of authentication elements, namely: Knowledge (card data), Ownership (SMS OTP) and Inherence (EMV 3DS). They are independent from each other and, therefore, they can be used in pairs in compliance with PSD2. Card data (Knowledge) is significantly more complex and considerably longer than a common static password or a PIN-code.

Furthermore, it includes different pieces of data – card number, expiry date and CVC, which makes it impossible for the card data to be simply guessed and very unlikely to be stolen by a fraudulent software. Anyone who possesses a card is required to keep it secure and private, thus shifting the liability for the protection of the data to the client, much like with a regular password, only notably more complex than that.

An additional password requirement would only cause frustration without significantly improving the security of the payments. In addition, in the recent years we have been witnessing a gradual transition to fully contactless payments, which makes it impossible to capture card data.

Mobile payments are also on the rise, which provides no opportunities for card data leakage. EMV 3DS (Inherence) provides behaviour-based inherence information generated on the basis of more than 130 data points that provide a significant level of uniqueness. The data points include elements which identify the cardholder’s location, spending habits and transaction history, as well as the devices they use, which is enough for issuers to authenticate cardholders correctly.

The practice in recent years has shown that each of these two types of authentication provides more security than a single piece of data, such as a PIN-code or a password (knowledge) or even an OTP generated by a physical device in the possession of the cardholder (possession). For example, an issuer can authenticate a card holder with a very high degree of certainty if recurring purchases are made from the same device and location and are shipped to the same address. This set of circumstances provide for a much more secure and reliable authentication compared to the use of a single piece of authentication information.

In Questions 28 and 32 of the European Banking Authority’s Feedback Table, EBA has recognised that the behaviour-based information may constitute a valid inherence authentication element under PSD2. Furthermore, the EBA has confirmed this view in its Opinion on the implementation of the RTS from June 2018.

Issuers will remain responsible for determining if it is appropriate to select EMV 3DS behaviour-based information as a valid inherence authentication element in itself or as support for the risk analysis and monitoring associated with a transaction under the RTS.

This decision will have regard for the risk profile of the transaction, the information transmitted through EMV 3DS and the reliability of the behaviour-based information obtained (in terms of minimizing false positives and the chances of replication).

Please consider the fact that if it were not for the introduction of authentication through (1) card data (2) SMS OTP and (3) EMV 3DS behaviour-based inherence information, hundreds of millions of European consumers would still need to remember a password in addition to having to put in their card details when making a purchase. The introduction of a password requirement will lead to high abandonment rates, massive complaints by customers for not being able to shop online, and an overall frustration throughout the European online markets.

As the representative body of the FinTech sector in Member State B, we have the ability to observe the trends in the sector, as well as the user behaviour. Therefore, we are concerned that the introduction of an additional authentication method such as a PIN-code, would hinder the development of the financial services provided by the companies in the sector, since the customers who utilize them are used to the high level of comfort and accessibility of the services. It is expected that such a measure will disincentivise users to continue using the services of Fintech companies who operate with online payments.