Question ID:
2018_4110
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
Paragraph:
2
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
4
Name of institution / submitter:
EPSM, European Association of Payment Service Providers for Merchants
Country of incorporation / residence:
Germany
Type of submitter:
Industry association
Subject Matter:
Data authentication standards
Question:

Does a non-remote card payment transaction with a secure, dynamic data authentication of the card (DDA or higher), based on ISO/IEC 7816 (for contact cards) and ISO/IEC 14443 (for contactless card) used with a static PIN meet the requirements of Article 4 of the RTS on Strong Customer Authentication (SCA)?

Background on the question:

Considering the published comments by EMVCo dated from 2016 and the EBA analysis from 2017 (see comment 272 of the Final Report of the RTS on SCA, dated 23 February 2017), EBA is asked to provide clarity that all face-to-face card transactions using the global EMV DDA or CDA standard fulfill all requirements for authentication codes of Article 4 of the Regulatory Technical Standards of Strong Customer Authentication and Common and Secure Communication.

Without such a confirmation, the practical impact would be that more than 5 000 PSPs (card issuers and acquirers) in Europa have to prove the compliance of these standards with the RTS with their own technical and legal experts individually when being audited.  

While it is well understood that EBA does not see SDA being compliant with the RTS, we believe it is neither feasible nor intended to burden all European PSPs with proving that DDA and CDA is in line with RTS individually.

Date of submission:
13/07/2018
Published as Final Q&A:
20/12/2019
EBA Answer:

The authentication of the payment card based on combined data authentication (CDA) and dynamic data authentication (DDA), as currently observed in the market, could meet the requirements of the elements categorised as possession under Article 7 of the Commission Delegated Regulation (EU) 2018/389  for non-remote card-based payment transactions. 

Moreover, CDA and DDA can be used for the generation of the authentication code, which should be compliant with the requirements of Article 4 of the Delegated Regulation.

In line with the requirements of the Delegated Regulation, issuers should identify in their solutions which messages/data fields (or a combination of them) generate the “authentication code” and the dynamic element to prove the possession.

In addition, as clarified in Table 3 of the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06), a static PIN could constitute a ‘knowledge’ element.

It should be noted that card set-ups designed by issuers, other than those relying on CDA/DDA, could be compliant with the requirements of the Delegated Regulation.

Finally, it should be noted that it is for each payment service provider to identify which are the authentication elements and authentication codes of their solutions and to prove that they meet the requirements of the Delegated Regulation.

Status:
Final Q&A