The EBA’s recent Opinion on the elements of strong customer
authentication under PSD2 was, apart from moving the goalposts on when SCA will
be enforced, full of interesting information about what constitutes a valid SCA
element. It closes some doors, opens others and ends any notion that merchants
can take liability and not do SCA themselves.
Taking the final point first, there’s been a view that Article 74(2) of PSD2 permits merchants to carry on without implementing SCA as long as they take liability. We at Consult Hyperion have long argued that that is an optimistic and overly legalistic reading of the regulations and this has now been confirmed. The EBA states:
In addition, even if there were a liability shift to the payee or the payee’s PSP for failing to accept SCA, as articulated in Article74(2) of PSD2, this could not be considered an alleviation of PSPs’ obligation to apply SCA in accordance with and as specified in Article 97 of PSD2.
Basically, Article 97 takes precedence – PSPs (aka Issuers)
must apply SCA so if the merchant chooses not to then rather than end up with a
payment for which they’re liable they’ll end up with no payment at all. Which,
you’d imagine, would rather miss the point of being a merchant.
Beyond this point the Opinion has lots of interest to say
about inherence, possession and knowledge elements.
On inherence two points stand out. Firstly the
Opinion unambiguously states that behavioural biometrics can be a valid factor:
this opens up a world of possible low friction SCA, and we expect to see lots
of innovation in this area. Secondly it states that 3DS-2 does not support
inherence as none of the data points being gathered relate to biological or
behavioural biometrics but – and we view this as important – 3DS-2 is a valid
means of supporting SCA.
This is critical because the dynamic linking process behind
3DS-2 is not straightforward and there have been differences of opinion over
whether this is compliant. Given that 3DS-2 appears to be the only game in town
for CNP transactions having a statement that it’s OK is mighty important.
On possession, the EBA clarifies that OTP SMS is
valid and also that mobile app based approaches can be – but only if the app is
linked to the device. We’ve been arguing that this is obviously the case for a
while, so it’s good to see this confirmed: although there are going to be a few
app developers out there that need to revise their approaches pdq (we can help,
of course!).
Also on possession the EBA has stated something that really
should have been obvious to anyone taking more than a moderate interest in the
topic – printed card details such as PAN and CVV or user ids and email
addresses are not valid possession or knowledge elements. As a number of
prominent industry players have been taking the opposite approach this could
lead to some interesting developments in the coming weeks, particularly as the
Opinion states that if the CVV is not printed on the card and is instead sent
on a separate channel, then it is a valid knowledge element.
Overall, the analysis and discussion in the Opinion on valid
SCA elements is welcome, if a trifle tardy. To be fair to the EBA, we don’t see
anything in their analysis that a proper reading of the RTS wouldn’t have
produced. However, it’s been clear for some time that many industry players
have been making a highly liberal interpretation of the requirements usually
based on a legal opinion. But PSD2 and the RTS are about principles, not rules:
if you need advice on this you need to talk to the people who understand this
stuff. Which, by the way, is us, not law firms.