Is the PIN entered when the cardholder puts the wearable device on still valid as a knowledge element for one or several transactions later the same day, if it can be ensured that the device has not been taken off?
On 26 October 2018, the EBA answered question Q&A 2018_4049 “Is persistent authentication for wearable devices compliant with the RTS?”.
We seek further clarification on this issue. One reason for the ambiguity of the answer is the ambiguity of the question. In the question the submitter refers to “persistent authentication”, and the way the background is formulated may lead the reader to believe that wearable devices today have a biometric way of uniquely identifying the individual wearing the device through heartbeat or pulse. Although such biometrics are technically possible, there is presently no commercial implementation of such a wearable device – it would simply be too expensive.
What the wearable devices that are on the market today do is request the cardholder to enter his/her PIN when the cardholder puts the device on. Then there is a locking mechanism that continuously measures that there is a pulse – i.e. to ensure that the device is not taken off. However, the device does not identify the individual’s pulse; there are no biometrics involved.
The elements used in these devices to authenticate the customer are therefore:
1. the tokenised card in the wearable (possession);
2. PIN (knowledge), not entered at the time of payment initiation but at an earlier point in time – we therefore refer to this as a “delayed” or “deferred” PIN.
The relevant question is therefore whether the PIN entered when the cardholder put the device on is still valid as a knowledge element for one or several transactions later the same day, if it can be ensured that the device has not been taken off.
If the answer is “Yes”, it means that the wearable device can be used to initiate several transactions without any other action from the cardholder than the tap on the terminal with the device, and this would constitute a strong customer authentication (SCA) transaction.
If the answer is “No”, it means that merely tapping the terminal with the device would not constitute SCA, and could therefore only be used to initiate low-value transactions which qualify for the contactless exemption (Article 11). For transactions that require SCA, a separate PIN entry, either on the wearable device or on the terminal, in direct connection with initiating the individual transaction, would be required.
Article 97(1) of Directive 2015/2366/EU (PSD2) requires payment service providers (PSPs) to “apply strong customer authentication where the payer:
(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.”
Article 4(30) of PSD2 defines strong customer authentication (SCA) as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.
Q&A 2018_4141 clarified that when initiating a payment, within the same session in which SCA was performed to access account data, one of the authentication elements used at the time the customer accessed its payment account online (including via a mobile app) can be reused in compliance with Article 4 of the Commission Delegated Regulation (EU) 2018/389, provided that the other element of SCA is carried out at the time the payment is initiated and the dynamic linking element required under Article 97(2) PSD2 (in the case of remote payment transaction) is present and linked to that latter element.
In line with the principle set out in Q&A 2018_4141, one of the authentication elements, in the case described by the submitter, the ‘knowledge’ element, can be reused within the same session, provided that a unique authentication code is generated for each transaction and the other requirements of Articles 4-7 and 9 of the Delegated Regulation are met. However, in the example provided by the submitter, the locking mechanism described does not ensure that the payment service user remains in the same session, which would require a communication to be established between the payment service user and the payment service provider and for the payment service user to maintain that session open by actively using the device for initiating payment transactions and/or accessing their payment account. This means that the payment service user will need to reinsert the PIN for each payment transaction carried out after the initial session has expired.
The above is without prejudice to the possibility for the PSP to decide to make use of an exemption from the application of SCA under Articles 11 – 18 of the Delegated Regulation, such as the contactless payments at point of sale exemption.
Q&A 2019_4827 provides further details on the use of a tokenised version of the card details as a possession element.
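The distinction the EBA draws above is between the wearable's own wear-detection lock and a session held open with the PSP: only the latter allows the deferred PIN to be reused as the knowledge element, and each transaction inside that session still needs its own authentication code. The following Python model, added here as an illustration and not part of the EBA's text, encodes that decision logic for a PSP receiving taps from a wearable. The session timeout, the PSU identifier, the device token and the timestamps are constructed assumptions; the EUR 50 contactless ceiling is the Article 11 figure from the Delegated Regulation as I recall it and should be checked against the current text before being relied on.

```python
"""Decision model for tap-to-pay from a wearable under the EBA's reading of
Q&A 2018_4049 / 2018_4141 (added example; not EBA text, not any vendor's code).

Assumptions (none of these values come from the Q&A itself):
- SESSION_TTL: how long a PSP-side session stays open without activity.
- CONTACTLESS_LIMIT_EUR: per-transaction ceiling for the Article 11 exemption
  (EUR 50 in RTS 2018/389 as I recall it; verify against the current text).
- The "session" lives at the PSP, not on the device; the wear lock only
  governs whether the possession element (tokenised card) is usable at all.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

SESSION_TTL = timedelta(minutes=5)   # assumed idle timeout, not from the Q&A
CONTACTLESS_LIMIT_EUR = 50.0         # Article 11 ceiling; verify before use


@dataclass
class Wearable:
    """Possession element: a tokenised card bound to the device.

    The PIN entered when the device is put on only unlocks the token; it is
    not, by itself, a knowledge element for later transactions.
    """
    token: str                       # constructed placeholder token
    worn: bool = False
    pin_entered_on_wear: bool = False

    def put_on(self, pin_correct: bool) -> None:
        self.worn = True
        self.pin_entered_on_wear = pin_correct

    def take_off(self) -> None:
        # Wear-detection lock: removing the device discards the deferred PIN.
        self.worn = False
        self.pin_entered_on_wear = False

    def unlocked(self) -> bool:
        return self.worn and self.pin_entered_on_wear


@dataclass
class PspSession:
    """Session established between the PSU and the PSP (the EBA's notion)."""
    opened_at: datetime
    last_activity: datetime
    knowledge_verified: bool
    auth_codes: set[str] = field(default_factory=set)

    def is_open(self, now: datetime) -> bool:
        return now - self.last_activity <= SESSION_TTL


class Psp:
    def __init__(self) -> None:
        self.sessions: dict[str, PspSession] = {}

    def open_session(self, psu: str, pin_verified: bool, now: datetime) -> None:
        # A session exists only once the PSU has communicated with the PSP and
        # the knowledge element was verified there, not merely on the device.
        self.sessions[psu] = PspSession(now, now, pin_verified)

    def authorise_tap(self, psu: str, device: Wearable,
                      amount_eur: float, now: datetime) -> str:
        if not device.unlocked():
            return "DEVICE_LOCKED"           # possession element unavailable
        sess = self.sessions.get(psu)
        if sess is not None and sess.is_open(now) and sess.knowledge_verified:
            # Knowledge element reused inside the open session; a unique
            # authentication code is still generated per transaction (Art. 4).
            code = secrets.token_hex(16)
            while code in sess.auth_codes:
                code = secrets.token_hex(16)
            sess.auth_codes.add(code)
            sess.last_activity = now         # active use keeps the session open
            return f"SCA:{code}"
        # Wear lock plus deferred PIN alone does not keep a session open, so
        # the tap is not SCA; it may still fall under the contactless exemption.
        if amount_eur <= CONTACTLESS_LIMIT_EUR:
            return "EXEMPT_ART11"
        return "PIN_REQUIRED"


def scenario() -> list[str]:
    """Constructed day of taps; returns the PSP's decision for each one."""
    t0 = datetime(2018, 10, 26, 9, 0)        # constructed timestamp
    dev = Wearable(token="tok_example_0001")  # constructed token
    psp = Psp()
    dev.put_on(pin_correct=True)
    psp.open_session("psu-1", pin_verified=True, now=t0)
    taps = [(60.0, 1), (60.0, 4), (60.0, 30), (20.0, 31)]
    out = [psp.authorise_tap("psu-1", dev, amt, t0 + timedelta(minutes=m))
           for amt, m in taps]
    dev.take_off()
    out.append(psp.authorise_tap("psu-1", dev, 20.0, t0 + timedelta(minutes=32)))
    return out


if __name__ == "__main__":
    for decision in scenario():
        print(decision)
```

The first two taps land while the PSP session is still open, so the deferred PIN counts and each tap gets a fresh authentication code; by the third tap the session has idled out even though the device was never removed, so a EUR 60 tap needs a new PIN entry while a EUR 20 tap can proceed under Article 11; once the device is taken off, the possession element itself is unavailable.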