Please, EBA, May I Have Some More: New SCA Clarifications Added

February 1, 2023
The European Banking Authority (EBA) has published a new set of Q&As just days after a previous release clarifying the application of strong customer authentication (SCA) requirements for use with digital wallets.

The latest batch of answers from the EBA looks at the enrolment of payment cards in a digital wallet, the use of virtual cards and the outsourcing of SCA to digital wallet providers.

The answers come hot on the heels of four other answered questions published on Friday (January 27).

Submitted in November 2020, one question asked whether the process of creating a token and/or digitised version of a payment card requires the application of SCA.

According to the poster, this is because it is an action that may imply the risk of fraud or other abuses.

By applying SCA, the payment service provider (PSP) remotely ensures that the payment service user (PSU) is the rightful user of the payment card and associates the PSU and the digitised version of the payment card with the respective device.

A previous question that was answered by the EBA in December 2021 had already clarified that the PSP that has issued the payment card (the issuer) is required to apply SCA when adding a payment card to a digital wallet and is responsible for providing the respective SCA elements to the PSU.

The issuer is also required to ensure that adequate security measures are in place to protect the confidentiality and integrity of the PSU’s personalised security credentials.

Regarding outsourcing, the EBA has clarified in the Q&As that issuers may outsource the provision and verification of the elements of SCA to a third party.

For example, this could be through the conclusion of contractual arrangements with the third party, such as a digital wallet provider, in compliance with the general requirements on outsourcing, including the requirements of the EBA’s own Guidelines on Outsourcing arrangements.

However, the responsibility for compliance with the SCA requirements cannot be outsourced and so issuers remain fully responsible for the compliance with the requirements in the revised Payment Services Directive (PSD2) and the regulatory technical standards (RTS) on SCA.

In response to an anonymous question submitted in November 2020, the EBA said that the initiation of transactions with the digitised version of the payment card also requires SCA, unless it qualifies as an SCA-exempt payment, such as those that are merchant initiated.

Another question, posed by a credit institution in November 2020, asked whether unlocking a mobile phone with biometrics, such as a fingerprint, or with a PIN/password could be considered a valid SCA element for the purpose of adding a payment card to a digital wallet; the EBA answered in the negative.

According to the regulator, it cannot be considered compliant if the screen locking mechanism of the mobile device is not a process under the control of the issuer.

Meanwhile, an answer to a question from May 2021 further clarifies that the issuance of a new token, replacing a previously existing one, and binding it to a device/user also requires the application of SCA.

Going forward, the EBA has nine more Q&As to respond to regarding PSD2.
