Much of the payments industry has been greatly taxed by the task of interpreting, and implementing compliance with, the prescriptive requirements of the PSD2 SCA RTS. The deadline for compliance with these requirements is 14 September 2019. However, as a consequence of the many questions it has received, the EBA has issued an Opinion providing guidance on what, in its view, will and will not amount to strong customer authentication (SCA) for the purposes of PSD2.
The Opinion gives examples of what, in the EBA's view, will and will not amount to each of the elements of SCA, including that:
- for ‘inherence’, vein recognition will satisfy this element, but information transmitted using a communication protocol, such as EMV 3-D Secure, will not;
- for ‘possession’, a card evidenced by a card reader will be acceptable, but a card with possession evidenced by the card details printed on the card will not;
- for ‘knowledge’, a passphrase will be compliant, but an email address or user name will not be.
The EBA has also announced that competent authorities may decide to allow payment service providers (PSPs) additional time to ensure that their processes and procedures comply with these requirements (as clarified by this Opinion). However, this grace period will be conditional on PSPs:
- having set up a migration plan,
- having agreed the plan with their competent authority, and
- being ready to execute the plan in an expedited manner.
The EBA will closely monitor the consistency of implementation of strong customer authentication across the EU, and take action where inconsistencies are identified despite the Opinions issued.