When an issuer delegates strong customer authentication (SCA) to a third-party (e.g. a smartphone manufacturer), what are the requirements for such delegation? Should the issuer conduct an evaluation of the technical features and security of third-party’s devices and solutions?
According to Article 9 of the Commission Delegated Regulation (EU) 2018/389, payment service providers (PSPs) shall ensure that the use of the elements of strong customer authentication (SCA) is subject to measures which ensure that, in terms of technology, algorithms and parameters, the breach of one of the elements does not compromise the reliability of the other elements. It further provides that PSPs shall adopt security measures,
where any of the elements of SCA or the authentication code itself is used through a multi-purpose device, to mitigate the risk which would result from that multi-purpose device being compromised. The mitigating measures shall include each of the following:
(a) the use of separated secure execution environments through the software installed inside the multi-purpose device;
(b) mechanisms to ensure that the software or device has not been altered by the payer or by a third party;
(c) where alterations have taken place, mechanisms to mitigate the consequences thereof.
Issuers may use third party technology, such as a smartphone fingerprint reader, to support SCA and to ensure they fulfill all the security measures established in the Delegated Regulation. Furthermore, PSPs may outsource the execution of SCA to a third party. In that case, said PSPs should comply with the general requirements on outsourcing, including the requirements in the EBA Guidelines on Outsourcing arrangements (EBA/GL/2019/02).
However, it should be noted that the responsibility for compliance with SCA cannot be outsourced from PSPs to third parties and that PSPs remain fully responsible for the compliance with the requirements in the Delegated Regulation. In particular, PSPs should make sure that the technical service provider has a satisfactory level of security and that it applies the mitigating measures in accordance with Article 9 of the Delegated Regulation.
Finally, in accordance with Article 3 of the Delegated Regulation, PSPs should ensure that the implementation of the security measures is documented, periodically tested, evaluated and audited in accordance with the applicable legal framework of the PSP by auditors with expertise in IT security and payments and operationally independent within or from the PSP. This may include carrying out security evaluations of devices or applications (such as the referred Mobile Payment Application) from third parties.