- Question ID
-
2018_4235
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
98
- Paragraph
-
1
- Subparagraph
-
(a)
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
-
7
- Name of institution / submitter
-
Swedish Bankers’ Association
- Country of incorporation / residence
-
Sweden
- Type of submitter
-
Industry association
- Subject matter
-
Ability of static card data to be considered a possession factor?
- Question
-
Can static card data (Card number PAN + cardholder name + Exp. Date + static CVV2/CVC2) be considered as a possession factor, and if so: is it strong enough to be a valid factor in a 2-factor Strong customer authentication (SCA)?
- Background on the question
-
In its Opinion on the implementation of the RTS on SCA and CSC (EBA-Op-2018-04), the EBA explained that simple card data (Card number PAN + cardholder name + Exp. Date + CVV2/CVC2) cannot be considered a knowledge element. However, many would consider this data to rather be an element of possession, as also the physical card is an element of possession. The CVV2/CVC2 was originally introduced to establish that the actual physical card had at some point in time been involved in the initiation of the card-based payment – e.g. that it is not just a computer-generated card number under an issuer BIN.
- Submission date
- Final publishing date
-
- Final answer
-
Article 4(30) of Directive 2015/2366/EU (PSD2) defines ‘possession’ as “something only the user possesses”.
Paragraph 28 and Table 2 of the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06) clarified that card details and card security code that are printed on the card cannot constitute a valid possession element for the approaches currently observed on the market since the requirements of Article 7 of the Commission Delegated Regulation (EU) 2018/389 would not be met.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.