Question ID:
2018_4054
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
22
Disclose name of institution / entity:
No
Type of submitter:
Other
Subject Matter:
Confidentiality of the application cryptogram for EMV transactions
Question:

Are EMV (Europay, MasterCard, Visa) transactions (for which the application cryptogram is not enciphered during its transmission) compliant with the RTS on strong customer authentication?

Background on the question:

With EMV card transactions, the card generates an application cryptogram during a transaction. This cryptogram is sent to the card issuer in online authorisation and clearing messages, and can be verified by the issuer to confirm the legitimacy of the transaction. Article 22 of the RTS appears to imply that the application cryptogram should be kept confidential, as it states: “Payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication”. However, the EMV application cryptogram is not required to be protected in terms of confidentiality, and this does not detract from the overall security provided by EMV transactions.

In our view, EMV transactions for which the application cryptogram is not enciphered during transmission are compliant with the RTS.

Date of submission:
28/06/2018
Published as Final Q&A:
20/12/2019
EBA Answer:

In accordance with Article 22(1) of the Commission Delegated Regulation (EU) 2018/389, payment service providers are required to “ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication”.

In that regard, in the case where the issuer uses a cryptogram, which contains personalised security credentials, including authentication codes, the issuer would need to protect the confidentiality and integrity of the respective personalised security credentials in accordance with Article 22 of the Delegated Regulation, including during the transmission of the cryptogram. This also applies when the cryptogram is used as an authentication code.

The issuer is responsible for ensuring compliance with the requirements of Article 22 of the Delegated Regulation.

Status:
Final Q&A