The European Banking Authority (EBA) clarifies a number of issues in the regulatory technical standards (RTS) on strong customer authentication.
The EBA had delegated authority under the revised payment services directive (PSD2) to develop a number of RTS. Market participants and competent authorities have sought further clarification on various areas of the RTS on strong customer authentication and secure standards of communication, which apply from 14 September 2019.
The EBA published an opinion to assist in implementation. Unlike EBA-issued guidelines, such opinion papers do not have to undergo a public consultation and are subject to change.
Strong customer authentication is defined in the PSD2 as “an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent.”
The opinion clarifies that payment service providers (PSPs) need to devise an authentication method that uses at least two elements from different categories: for example, one element categorised as knowledge (e.g. a password) and one as inherence (e.g. a fingerprint). Two elements from the same category (e.g. a password and a PIN) do not amount to strong customer authentication.
Given that knowledge is defined as “something only the user knows”, the card number, expiry date and CVV printed on the card cannot be considered a knowledge element: anyone holding the card can read them.
The EBA also clarifies that for a device to be considered a possession element, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device. A static value that never changes does not evidence possession.
One-time passcodes sent via SMS are neither explicitly allowed nor explicitly disallowed by the RTS, and the EBA opinion paper does not clarify the position.
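As an added illustration, not part of the EBA opinion or of this article, the following Python sketch models the two clarifications above. It treats the element categories and the two exclusions (printed card data is not knowledge; a possession device must produce a dynamic validation element) as rules, and uses an RFC 4226 HOTP code as one concrete example of a dynamic validation element generated on the device, with the issuer-side check rejecting replayed codes. The Element class, the flag names and the look-ahead window are assumptions made for this example; the HOTP secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# PSD2 categories: knowledge, possession, inherence.
CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Element:
    """One authentication element as the example models it (names are assumptions)."""
    category: str
    name: str
    dynamic: bool = False                # device generates/receives a dynamic validation element
    printed_on_instrument: bool = False  # e.g. PAN, expiry date, CVV printed on the card


def element_is_valid(e: Element) -> bool:
    """Apply the EBA clarifications to a single element."""
    if e.category not in CATEGORIES:
        return False
    if e.category == "knowledge" and e.printed_on_instrument:
        return False  # not "something only the user knows"
    if e.category == "possession" and not e.dynamic:
        return False  # no reliable means to confirm possession
    return True


def is_sca(elements) -> bool:
    """True when at least two valid elements come from different categories."""
    valid_categories = {e.category for e in elements if element_is_valid(e)}
    return len(valid_categories) >= 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the dynamic validation element produced on the possession device."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_dynamic_element(secret: bytes, last_counter: int, submitted: str, look_ahead: int = 3):
    """Issuer-side check. Returns the new counter when the code is fresh, else None.

    Only counters strictly after last_counter are tried, so a code that was already
    used (or one that a bystander read off a static card) can never be accepted.
    """
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


# Constructed sample elements for the example.
PASSWORD = Element("knowledge", "password")
CARD_DATA = Element("knowledge", "PAN + expiry + CVV", printed_on_instrument=True)
STATIC_CARD = Element("possession", "card with no dynamic element")
HOTP_DEVICE = Element("possession", "HOTP token", dynamic=True)
FINGERPRINT = Element("inherence", "fingerprint")

RFC4226_SECRET = b"12345678901234567890"  # RFC 4226 test key, not a real credential

if __name__ == "__main__":
    print("password + HOTP token:", is_sca([PASSWORD, HOTP_DEVICE]))
    print("printed card data + HOTP token:", is_sca([CARD_DATA, HOTP_DEVICE]))
    print("password + static card:", is_sca([PASSWORD, STATIC_CARD]))
    code = hotp(RFC4226_SECRET, 1)
    print("first use of code:", verify_dynamic_element(RFC4226_SECRET, 0, code))
    print("replay of same code:", verify_dynamic_element(RFC4226_SECRET, 1, code))
```

Run as a script it prints the outcome for each pairing; the replay case shows why a static value printed on the card cannot stand in for a dynamic validation element, whereas the HOTP code is accepted once and then refused.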
WHO CAN TRIGGER AN EXEMPTION?
Up until now, merchants have been in the driving seat with regard to payment authentication. The international card schemes have offered liability shifts and incentives to encourage use of 3D Secure, but adoption, and liability for fraudulent or disputed payments, have largely been decided contractually between the merchant and its acquirer. The authentication model is now changing from opt-in to opt-out: strong customer authentication is the default, and not applying it requires an exemption.
The EBA makes clear that “strong customer authentication applies to all payment transactions initiated by a payer, including card transactions initiated by a payer.” Certain exemptions and white listing are available, so one of the most hotly debated points is: who can trigger an exemption?
With regard to the exemptions set out in articles 10 to 18 of the RTS, it is the PSP who issues the personalised security credentials (the card issuer for a card payment) that determines whether or not to apply an exemption. This function can be outsourced to a third party, in which case liability would be determined by the contract between the parties.
However, the EBA seems to suggest that the payee’s PSP (the card acquirer) may request or recommend certain exemptions. For example, those set out in article 11 (contactless payments at POS), article 12 (unattended terminal for transport and parking), article 14 (recurring transactions), article 16 (low-value transactions) and article 18 (transaction risk analysis) as shown in the table.
A footnote to that table makes clear that the ultimate decision to accept or apply an exemption always rests with the payer’s PSP (the issuer). The issuer may instead apply strong customer authentication to execute the transaction, where technically feasible, or decline it. By implication, a payee’s PSP (the acquirer) can only recommend or request an exemption.
The EBA clarifies that, for the purpose of transaction risk analysis (TRA) statistics, fraud will be attributed to whichever PSP bears liability for the transaction. By implication, a common-sense reading of the EBA opinion is that fraud statistics are assigned to acquirers rather than merchants in the case of
THE PUSH AND PULL OF PAYMENT
The position of recurring payments on cards is generally unclear within the RTS. Direct debits, as payee-initiated transactions, are considered out of scope of the regulation. But what about similar pull payments set up on cards? Beyond the first payment in the series, these are payee-initiated, and the amount may also change depending on consumption during a given period, as with a utility, streaming-on-demand or mobile phone subscription.
The opinion paper explicitly states that the payee’s PSP (the acquirer) cannot apply a white-listing exemption and that a payee cannot have a list for this purpose (e.g. cards on file).