- Question ID
- 2018_4054
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
- 97
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
- 22
- Type of submitter
- Other
- Subject matter
- Confidentiality of the application cryptogram for EMV transactions
- Question
- Are EMV (Europay, MasterCard, Visa) transactions (for which the application cryptogram is not enciphered during its transmission) compliant with the RTS on strong customer authentication?
- Background on the question
- With EMV card transactions, the card generates an application cryptogram during a transaction. This cryptogram is sent to the card issuer in online authorization and clearing messages, and can be verified by the issuer to confirm the legitimacy of the transaction. Article 22 of the RTS appears to imply that the application cryptogram should be kept confidential, as it states: “Payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication”. However, the EMV application cryptogram is not required to be protected in terms of confidentiality, and this does not detract from the overall security provided by EMV transactions.
In our view, EMV transactions for which the application cryptogram is not enciphered during transmission are compliant with the RTS.
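To make the mechanism described in the background concrete, the following is an added toy model (not EBA or EMVCo code) of an issuer verifying an application cryptogram that travelled in the clear. HMAC-SHA256, the sample issuer key, PAN and the field layout are constructed stand-ins for the real EMV key derivation, MAC and CDOL1 data; the model only illustrates why the cryptogram behaves as an authentication code (an altered amount or a replayed transaction counter fails issuer verification), not the regulatory conclusion.

```python
import hashlib
import hmac
import struct

# Constructed toy model of the online EMV authorisation flow: the card MACs the
# transaction data with a card-unique key, the ARQC is sent in clear to the
# issuer, and the issuer recomputes it. HMAC-SHA256 stands in for the real
# 3DES/AES-based EMV scheme; no value below is a real key or card number.
ISSUER_MASTER_KEY = bytes(range(32))   # constructed sample issuer master key
PAN = "4000000000000002"               # constructed sample card number

def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Card-unique key derived by the issuer; only the issuer and the card hold it."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()

def cryptogram_input(amount_cents: int, currency: int, atc: int, un: bytes) -> bytes:
    """Transaction data the cryptogram is bound to: amount, currency, ATC, terminal nonce."""
    return struct.pack(">QHH", amount_cents, currency, atc) + un

def generate_arqc(card_key: bytes, data: bytes) -> bytes:
    """Card side: 8-byte authorisation request cryptogram, transmitted unenciphered."""
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]

class Issuer:
    def __init__(self, master_key: bytes) -> None:
        self.master_key = master_key
        self.last_atc = {}                    # highest ATC accepted per card

    def verify(self, pan: str, amount_cents: int, currency: int,
               atc: int, un: bytes, arqc: bytes) -> bool:
        if atc <= self.last_atc.get(pan, -1):
            return False                      # replayed or stale transaction counter
        expected = generate_arqc(derive_card_key(self.master_key, pan),
                                 cryptogram_input(amount_cents, currency, atc, un))
        if not hmac.compare_digest(expected, arqc):
            return False                      # data altered in transit or wrong key
        self.last_atc[pan] = atc
        return True

def run_scenario() -> dict:
    """Genuine message, then an altered amount reusing the observed ARQC, then a replay."""
    issuer = Issuer(ISSUER_MASTER_KEY)
    un = bytes.fromhex("1a2b3c4d")           # constructed terminal unpredictable number
    arqc = generate_arqc(derive_card_key(ISSUER_MASTER_KEY, PAN),
                         cryptogram_input(1250, 978, 17, un))
    return {
        "genuine": issuer.verify(PAN, 1250, 978, 17, un, arqc),
        "tampered_amount": issuer.verify(PAN, 99999, 978, 18, un, arqc),
        "replay": issuer.verify(PAN, 1250, 978, 17, un, arqc),
    }
```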
- Submission date
- Final publishing date
-
- Final answer
- In accordance with Article 22(1) of the Commission Delegated Regulation (EU) 2018/389, payment service providers are required to “ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication”.
In that regard, in the case where the issuer uses a cryptogram which contains personalised security credentials, including authentication codes, the issuer would need to protect the confidentiality and integrity of the respective personalised security credentials in accordance with Article 22 of the Delegated Regulation, including during the transmission of the cryptogram. This also applies when the cryptogram is used as an authentication code.
The issuer is responsible for ensuring compliance with the requirements of Article 22 of the Delegated Regulation.
- Status
- Final Q&A
- Answer prepared by
- Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.