The European Payment Institutions Federation, together with Ecommerce Europe, Digital Europe, Eurocommerce and Merchants Risks Council, sent a joint letter to the European Banking Authority on 25 October regarding the Regulatory Technical Standards for strong customer authentication (“SCA”) and common and secure open standards of communication (“RTS”) under PSD2.
The letter addresses the industry’s concerns regarding the definition of authentication factors as set out in the Opinion of the European Banking Authority on the implementation of the RTS (EBA-Op-2018-04) published on 18 June 2018.
According to the EBA, given that knowledge is defined as ‘something only the user knows’, the card number with CVV and expiry date printed on the card cannot be considered a knowledge element. This is also the case for a user ID. For a device to be considered possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device.
This interpretation represents an important challenge for the industry, since it entails the deployment of new authentication methods before 14 September 2019, and the pace at which consumers will have access to and adapt to these new methods is uncertain.
The co-signatories strongly appeal to the EBA to revise its opinion to keep the card number and CVV as a valid authentication factor and to phase it out within the next three years, allowing time for the industry to deploy alternative authentication methods without disrupting payments.
For more information on the position of Ecommerce Europe, you can consult our new White paper on the RTS on SCA.