Question ID:
2019_4560
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
Paragraph:
1
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
24 (1) (2)
Disclose name of institution / entity:
Yes
Name of institution / submitter:
BPER Banca
Country of incorporation / residence:
Italy
Type of submitter:
Credit institution
Subject Matter:
SCA profiles and multiple-use of devices
Question:

Can multiple users use the same device (i.e. smartphone) and have different strong customer authentication (SCA) profiles on the same device?

Background on the question:

Article 24 of Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication only explains that "Payment service providers" shall ensure that only the payment service user is associated, in a secure manner, with the personalised security credentials, the authentication devices and the software.

Article 24 does not say anything about the multiple use of devices.

"Article 24 - Association with the payment service user

1. Payment service providers shall ensure that only the payment service user is associated, in a secure manner, with the personalised security credentials, the authentication devices and the software.

2. For the purpose of paragraph 1, payment service providers shall ensure that each of the following requirements is met:

(a) the association of the payment service user's identity with personalised security credentials, authentication devices and software is carried out in secure environments under the payment service provider's responsibility comprising at least the payment service provider's premises, the internet environment provided by the payment service provider or other similar secure websites used by the payment service provider and its automated teller machine services, and taking into account risks associated with devices and underlying components used during the association process that are not under the responsibility of the payment service provider;

(b) the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication."

Date of submission:
19/02/2019
Published as Final Q&A:
25/09/2020
EBA Answer:

Article 24(1) of the Commission Delegated Regulation (EU) 2018/389 provides that ‘payment service providers shall ensure that only the payment service user is associated, in a secure manner, with the personalised security credentials, the authentication devices and the software’. Paragraph 2, letter ‘b’ of the same article continues by specifying that ‘the association by means of a remote channel of the payment service user's identity with the personalised security credentials and with authentication devices or software is performed using strong customer authentication.’

In line with the requirements of Article 24 of the Delegated Regulation only a single payment service user can be associated, at a time, with the personalised security credentials, the authentication devices and/or software. This does not preclude, however, the use of the same authentication device and/or software by multiple payment service users having different SCA profiles when supported by the device and/or software.

Status:
Final Q&A