The European Banking Authority (EBA) has clarified the need for 'strong ('two-factor') customer authentication' (SCA) for payment cards in digital wallets. This can be confusing for online retailers and technology service providers (as well as for payment card issuers and acquirers). If you need help with any aspect of the rules or exemptions on SCA, please get in touch.
In its six regulatory FAQs, the EBA explains that:
- When adding a payment card to a digital wallet, a digital 'tokenised' version of the card is created within the wallet, so SCA is required due to the risk of fraud or other abuses. This allows the payment service provider (PSP) to verify remotely that the rightful cardholder is adding the card, and associates the cardholder with the device and the digitised version of the card.
- The payment card issuer must apply SCA when adding the card to a digital wallet (and when replacing a previous digitised version of the card). The issuer is also responsible for ensuring that the cardholder can use their personalised security credentials as the means of authentication; and that adequate security measures are in place to protect the confidentiality and integrity of those credentials.
- Unlocking a mobile device with biometrics or a PIN/password is not a valid element for SCA purposes, unless the screen locking mechanism of the device is also controlled by the card issuer.
- The initiation of payment transactions with the digitised version of the card in the digital wallet also requires SCA, unless the issuer applies one of seven specific exemptions.
- Card issuers can outsource the SCA process to a third-party service provider (having complied with the EBA Guidelines on outsourcing arrangements), but the issuers remain fully responsible for regulatory compliance.
If you need help with any aspect of the rules or exemptions on SCA under the current Payment Service Directive (PSD2), please get in touch.