Are EMV (Europay, MasterCard, Visa) transactions (for which the application cryptogram is not enciphered during its transmission) compliant with the RTS on strong customer authentication?
With EMV card transactions, the card generates an application cryptogram during a transaction. This cryptogram is sent to the card issuer in online authorization and clearing messages, and can be verified by the issuer to confirm the legitimacy of the transaction. Article 22 of the RTS appears to imply that the application cryptogram should be kept confidential, as it states: “Payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication”. However, the EMV application cryptogram is not required to be protected in terms of confidentiality, and this does not detract from the overall security provided by EMV transactions.
In our view, EMV transactions for which the application cryptogram is not enciphered during transmission are compliant with the RTS.
In accordance with Article 22(1) of the Commission Delegated Regulation (EU) 2018/389, payment service providers are required to “ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication”.
In that regard, in the case where the issuer uses a cryptogram, which contains personalised security credentials, including authentication codes, the issuer would need to protect the confidentiality and integrity of the respective personalised security credentials in accordance with Article 22 of the Delegated Regulation, including during the transmission of the cryptogram. This also applies when the cryptogram is used as an authentication code.
The issuer is responsible for ensuring compliance with the requirements of Article 22 of the Delegated Regulation.