EBA Makes New SCA Clarifications

November 12, 2021
The EU’s banking watchdog has listed two new Q&As regarding strong customer authentication (SCA), focusing on the travel sector and knowledge possession.


Q&As from the European Banking Authority (EBA) regarding SCA, the last covenant of the revised Payment Services Directive (PSD2) to be implemented, have been coming thick and fast over the course of the past few years, including from trade associations, national competent authorities and credit institutions seeking clarity.

Heavily featured previously in Q&As to the banking authority, the most recent questions again focus on what constitutes possession, as well as questions related specifically to the travel sector.

Travel friction

The latter, in particular, has struggled with SCA compliance because of its tangled ecosystem. Last year, experts in the travel industry warned that the pandemic had pushed back SCA preparations by at least six months, and suggested it could take five years for complex SCA transactions to become the norm.

In the hotel industry, for example, there is a high degree of intermediation between the hotel (the merchant) and guest (a customer) through online travel agents (OTAs), as well as booking channels (e.g., hotelbrand.com) and global distribution systems (e.g., Sabre).

Depending on the channel used by the customer, the merchant identifier (MID) attached to the transaction, the unique identifier a business is given by its payment service provider (PSP), could differ from that of the hotel in question. This point was made in a submission to the EBA in 2019.

The most recent question asked whether SCA performed at the time of completing a hotel booking by an OTA or booking channel, using that intermediary’s MID, remains valid if the actual payment is taken later, on arrival, by the hotel using its own MID.

The EBA confirmed that the SCA applied at the time of the booking shall allow the future-dated payment transaction to be executed. This is because the PSD2 does not specify a timeframe for the validity of an SCA.

The payment information displayed to the payer during the authentication shall include the payee, the EBA notes, adding that the authentication code shall be specific to the same payee, and agreed to by the payer.

“If the payee and the specific amount do not change, the authentication code shall remain valid,” the EBA has clarified, summarising that the PSD2 and delegated regulation do not require the payer to be made aware of third parties that are different from the payee, including intermediaries acting on behalf of the payee.

Elements of possession

Within the PSD2, and its rules on SCA, there is a tripartite set of principles that PSPs need to adhere to.

SCA is ultimately an authentication based on the use of two or more elements, which can be categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent of one another.

This is so that the breach of one does not compromise the reliability of the others and so is designed in such a way as to protect the confidentiality of the authentication data.

Sounds simple, but what does and does not constitute SCA has been a long-running source of questions to the EBA.

In the pre-compliance hysteria in 2020, it was even mocked by the industry as “cardageddon”. The reality is there are so many different combinations and potential ways to frame the requirement.

In a question submitted in April last year, the EBA was asked whether evidence of possession (SIM card) can be verified by reading and identifying the phone number used for the phone call, as well as whether a knowledge element can be based on either the transaction history of a customer or their contact information.

In its answer published last Friday, the EBA stated that the PSD2 advises that PSPs need to apply SCA where the payer initiates an electronic payment transaction.

In addition, the PSD2 also clarifies that “all payment services offered electronically should be carried out in a secure manner, adopting technologies able to guarantee the safe authentication of the user and to reduce, to the maximum extent possible, the risk of fraud”.

Moreover, it states that there does not “seem to be a need to guarantee the same level of protection to payment transactions initiated and executed with modalities other than the use of electronic platforms or devices”, for example, with paper-based payment transactions, mail orders and telephone orders.

A previous Q&A, published earlier this year, clarified that remote non-electronic payment transactions that are initiated and executed through a mail or telephone order are considered out of the scope of the SCA requirement.

Accordingly, the payment transaction described by the submitter may fall outside the scope of the SCA requirements only if it is a non-electronic payment transaction initiated and executed with the PSP only via telephone order.

Otherwise, the application of SCA will be required.

With regard to the specific case posed by the credit institution in its question, where the staff of the PSP verifies the identity of the payment service user (PSU) over a telephone call by reading the telephone number used for the call and asking for information on the transaction history or contact information, the SCA requirements will not be met.

Verifying the telephone number used for the call may evidence possession of the SIM card associated with that number, provided the requirements of Article 7 of the PSD2’s delegated regulation are met. The PSU’s transaction history and/or contact details, however, cannot constitute a knowledge element, because this information is available to members of staff of the PSP and potentially to other parties, so it falls out of scope.

Accordingly, authentication based on the combination of reading the telephone number used for the call and asking for information on transaction history or contact information does not qualify as a valid two-factor authentication under the PSD2 rules.
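The two-factor test described above (two or more elements from distinct categories, each known or held only by the user, and independent of one another) and the EBA’s reasoning on the telephone-banking case can be written down as a small policy check. The following is an added example, not code from the article or from the EBA: the `Element`, `Factor` and `evaluate_sca` names are invented here, the sample cases are constructed, and the “distinct delivery channel” rule used to approximate independence is a modelling assumption rather than anything the Q&A spells out.

```python
from dataclasses import dataclass, field
from enum import Enum
from itertools import combinations


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Element:
    name: str
    factor: Factor
    # True only when the element is exclusively known or held by the user.
    # The EBA's objection to transaction history and contact details is
    # exactly that PSP staff (and potentially others) can see them.
    exclusive_to_user: bool
    # Delivery channel, used here to approximate "independent of one
    # another". Modelling assumption: two elements presented over the same
    # channel are treated as falling together if that channel is breached.
    channel: str


@dataclass
class Verdict:
    satisfied: bool
    reasons: list = field(default_factory=list)


def evaluate_sca(elements):
    """Return a Verdict saying whether the presented elements meet the
    two-factor SCA test: at least two elements from two distinct
    categories, each exclusive to the user, and independent."""
    verdict = Verdict(satisfied=False)
    valid = []
    for e in elements:
        if e.exclusive_to_user:
            valid.append(e)
        else:
            verdict.reasons.append(
                f"'{e.name}' cannot count as {e.factor.value}: "
                "it is not known or held only by the user")

    for a, b in combinations(valid, 2):
        if a.factor is b.factor:
            # Two elements of one category still evidence one factor.
            continue
        if a.channel == b.channel:
            verdict.reasons.append(
                f"'{a.name}' and '{b.name}' share channel '{a.channel}' "
                "and are not independent")
            continue
        verdict.satisfied = True
        verdict.reasons.append(
            f"'{a.name}' ({a.factor.value}) and '{b.name}' "
            f"({b.factor.value}) form a valid independent pair")
        return verdict

    verdict.reasons.append(
        "no pair of independent elements from two distinct categories")
    return verdict


# Constructed sample: the case the EBA rejected. Caller ID may evidence
# possession of the SIM, but the knowledge candidates are visible to staff.
PHONE_CALL_CASE = [
    Element("caller telephone number", Factor.POSSESSION, True, "voice-call"),
    Element("recent transaction history", Factor.KNOWLEDGE, False, "voice-call"),
    Element("contact details on file", Factor.KNOWLEDGE, False, "voice-call"),
]

# Constructed sample: a conventional card-and-PIN pairing that passes.
CARD_AND_PIN_CASE = [
    Element("physical payment card", Factor.POSSESSION, True, "card-terminal"),
    Element("card PIN", Factor.KNOWLEDGE, True, "keypad"),
]

# Constructed sample exercising only this example's channel assumption:
# two genuine categories, but both presented over the same phone call.
SAME_CHANNEL_CASE = [
    Element("caller telephone number", Factor.POSSESSION, True, "voice-call"),
    Element("spoken passphrase", Factor.KNOWLEDGE, True, "voice-call"),
]


if __name__ == "__main__":
    for label, case in [("phone call", PHONE_CALL_CASE),
                        ("card and PIN", CARD_AND_PIN_CASE),
                        ("same channel", SAME_CHANNEL_CASE)]:
        v = evaluate_sca(case)
        print(f"{label}: {'meets' if v.satisfied else 'fails'} SCA")
        for r in v.reasons:
            print("  -", r)
```

The useful property of returning reasons rather than a bare boolean is that a reviewer can see which element was disqualified and why, which is exactly the shape of the EBA’s own answer: possession may be evidenced, but the proposed knowledge elements are not secret to the user.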

The Q&A process

Through its Q&A process, the EBA aims to provide a service to institutions that it oversees. However, there has been some criticism of the Q&A process from some quarters.

“The process lacks consultation with stakeholders,” said Andrea De Matteis, founder of De Matteis Law, which advises multinational companies about the EU’s payments regulatory framework.

The Q&A process needs to be restructured and to create a proper consultation, he said. “The EBA needs input from consumers and the industry as the EBA answers will impact the lives of consumers and innovation.”

“With my team, I have written many of the questions asked to the EBA and can tell you that I am hesitant to ask any more questions if a proper consultation process is not created,” he warned.

De Matteis is not alone in thinking like this, either.

“I think that the EBA answers do provide clarity, but whether it’s always the right answer is another question,” said Scott McInnes, a Belgium-based partner at Bird & Bird.

For example, the EBA’s response to a question about mail and telephone orders (MOTO) was wrong, he argued. “I think they’ve essentially said that MOTO cannot be applied in relation to card-based transactions,” he said, adding that this sounds contrary to recital 95 of the PSD2.

McInnes pointed out that his firm has on occasion advised clients not to submit certain questions to the EBA. When they have, they have sometimes regretted submitting the question in the first place, he said, noting an answer earlier this year about whether SCA of the merchant is required on a refund.

VIXIO has contacted the EBA for comment.
