Could a signature on a paper slip from a payment terminal be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?
EBA responded to a question about signature as authentication factor in connection to its “Final Report Draft RTS” of 23rd February 2017, Comment (273) -4), by saying “The EBA is of the view that it complies with the requirements under the RTS, including the presence of a dynamic element.”
The way the question is formulated, it is unclear if the answer relates to a signature on a paper slip or a signature on a digital device, or both. It is also unclear to us what EBA means by “presence of a dynamic element” in this context.
We think EBA should elaborate on the requirements for capture and comparison of signature. The question of digital capture of a signature must be addressed separately from the issue of capture of signature on a paper slip. With regard to capture on a paper slip, there is a need to address the typical way this is captured today, i.e. on a paper slip from a payment terminal, which is only saved by the merchant (the payee) for reference in case the transaction is disputed, and is therefore not captured in any direct or indirect way by the payer’s PSP, i.e. the issuer.
Article 4 of Directive 2015/2366/EU (PSD2) defines ‘knowledge’ as ‘something only the user knows’, ‘possession’ as ‘something only the user possesses’ and ‘inherence’ as ‘something the user is’.
Paragraph 34 of the EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication (SCA) and common and secure communication, EBA-Op-2018-04, states that behavioural biometrics may constitute inherence providing they comply with the requirements under Article 8 of the Commission Delegated Regulation (EU) 2018/389.
However, for approaches currently observed in the market where the merchant compares the signature of the payer on a paper slip with the signature on the card, a signature on a paper slip cannot be considered as a behavioural biometric as it would not meet the requirements of Article 8 of the Delegated Regulation, since the signature is not being read by access devices and software provided to the payer and the issuer cannot verify the payer’s signature as part of the authentication process.
In addition, a signature on a paper slip does not constitute ‘knowledge’, as this is not something only the user knows, or ‘possession’, as this is not something that the user possesses. Therefore, it cannot be considered as a valid factor in a two-factor SCA under PSD2 and the Delegated Regulation.