Single Rulebook Q&A

Question ID: 2018_4052
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
Paragraph:
Subparagraph:
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph: Art. 4
Type of submitter: Other
Subject matter: EMV cards and EMV terminals supporting online authentication
Question:

Is there a need for Europay, MasterCard, Visa (EMV) cards and EMV terminals that support online authentication in compliance with the RTS to also support offline authentication?

Background on the question:
This question relates to the practical application of the RTS to EMV cards and EMV terminals supporting online authentication in the context of a contact EMV transaction.

Most EMV terminal types are online with offline capabilities. Online authentication means that cards are authenticated in real time by the issuer. More specifically, the card generates a dynamic application cryptogram and the transaction is always sent online to the issuer for validation. The issuer authorises the transaction only if the dynamic application cryptogram and the PIN are valid.

Conversely, offline authentication uses data from the card to allow the terminal to authenticate the card. There are three levels of offline authentication: (1) Static Data Authentication (SDA), (2) Dynamic Data Authentication (DDA), and (3) Combined Data Authentication (CDA). Offline authentication is used when it is not possible to send the transaction online in real time to the issuer (e.g., transit).

Some EMV terminals (for example ATMs) are online only and do not support offline authentication. In this case, the infrastructure is a real-time, online-only environment. It is not possible to authenticate the transaction offline. This means that the card generates a dynamic application cryptogram and the transaction is always sent online to the issuer for validation. The issuer authorises the transaction only if the dynamic application cryptogram and the PIN are valid.
EMV cards supporting online-only authentication do not allow transactions offline.

We believe that there is no need for contact EMV cards and EMV terminals that allow only for online authentication to be changed. This is because the RTS do not require EMV cards and EMV terminals to also support offline authentication if they already support an online authentication that is compliant with the RTS.
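As an added illustration of the online-only flow described in the background above (not part of the Q&A), a simplified Python model: the card produces a dynamic cryptogram over the transaction data and a transaction counter, and the issuer approves only if the cryptogram, the counter's freshness and the PIN all check out, while an offline attempt on an online-only card is refused. The HMAC, the shared per-card key and the PIN reference are stand-ins for EMV's actual key derivation, MAC and PIN handling, and the card data is constructed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Simplified model (assumption, not EMV's real cryptography): a per-card key known
# to card and issuer, an HMAC standing in for the dynamic application cryptogram.

def cryptogram(card_key: bytes, atc: int, amount: int, unpredictable: bytes) -> bytes:
    """MAC over ATC || amount || terminal nonce; the ATC makes each value dynamic."""
    data = atc.to_bytes(2, "big") + amount.to_bytes(6, "big") + unpredictable
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


@dataclass
class Card:
    pan: str                        # constructed sample PAN
    card_key: bytes
    atc: int = 0                    # application transaction counter
    offline_capable: bool = False   # online-only card, as in the question

    def generate_arqc(self, amount: int, unpredictable: bytes) -> tuple[int, bytes]:
        self.atc += 1
        return self.atc, cryptogram(self.card_key, self.atc, amount, unpredictable)


class Issuer:
    """Real-time authorisation host: checks cryptogram, counter freshness and PIN."""
    def __init__(self) -> None:
        self.cards: dict[str, tuple[bytes, bytes]] = {}   # pan -> (card_key, pin_ref)
        self.last_atc: dict[str, int] = {}

    def enrol(self, card: Card, pin: str) -> None:
        pin_ref = hmac.new(card.card_key, pin.encode(), hashlib.sha256).digest()
        self.cards[card.pan] = (card.card_key, pin_ref)

    def authorise(self, pan, atc, amount, unpredictable, arqc, pin) -> str:
        if pan not in self.cards:
            return "DECLINE: unknown card"
        card_key, pin_ref = self.cards[pan]
        if atc <= self.last_atc.get(pan, 0):          # reused counter => replayed cryptogram
            return "DECLINE: ATC not fresh (replay)"
        if not hmac.compare_digest(cryptogram(card_key, atc, amount, unpredictable), arqc):
            return "DECLINE: cryptogram invalid"       # tampered data or wrong key
        if not hmac.compare_digest(hmac.new(card_key, pin.encode(), hashlib.sha256).digest(), pin_ref):
            return "DECLINE: PIN invalid"
        self.last_atc[pan] = atc
        return "APPROVE"


def terminal_transaction(card, issuer, amount, pin, online=True, unpredictable=None) -> str:
    """Terminal flow: without an online path an online-only card cannot be authenticated."""
    if not online:
        return "OFFLINE" if card.offline_capable else "DECLINE: offline authentication unsupported"
    unpredictable = unpredictable or os.urandom(4)
    atc, arqc = card.generate_arqc(amount, unpredictable)
    return issuer.authorise(card.pan, atc, amount, unpredictable, arqc, pin)
```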
Date of submission: 28/06/2018
Published as Final Q&A: 26/10/2018
EBA answer:

The Commission Delegated Regulation (EU) 2018/389 does not specify whether, in the case of card payments, payment cards and terminals should support offline authentication. Further, this Regulation does not distinguish between online and offline authentication; therefore the requirements regarding Strong Customer Authentication (SCA) apply irrespective of the operating framework. This means that Payment Service Providers (PSPs) shall apply SCA to all electronic payment transactions (including dynamic linking for remote transactions), unless they choose to apply an exemption (for instance the exemption for unattended terminals for transport fares and parking fees in Article 12 of the Regulation). The decision whether EMV cards and EMV terminals support offline authorisation in addition to online authorisation is up to the respective payment service providers. However, if they choose to also use an offline environment, this has to support SCA, as long as the environment is not exclusively used for payments to which an exemption under the RTS applies.

Status: Final Q&A