Ecommerce Europe co-signs a letter to the European Banking Authority on the RTS on SCA and authentication factors


The European Payment Institutions Federation,  together with Ecommerce Europe, Digital Europe,  Eurocommerce  and  Merchants  Risks Council, sent a  joint letter to the European Banking  Authority  on 25 October regarding the  Regulatory Technical Standards for strong customer authentication (“SCA”) and common and secure open standards of communication (“RTS”) under PSD2. 

The letter addresses the industry’s concerns as regards to  the definition of authentication factors as defined in the Opinion of the European Banking Authority on the implementation of the RTS (EBA-Op-2018-04) published on 18 June 2018. 

According to the EBA, given that knowledge is defined as ‘something only the user knows’, the card number with CVV and expiry date printed on the card cannot be considered a knowledge element. This is also the case for a user ID. For a device to be considered possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device. 

This interpretation represent an important challenge for the industry, since it entails the  deployment of  new authentication methods before 14 September 2019, and the pace at which consumer will have access to and adapt to these new methods is uncertain.  

The co-signatories  strongly appeal to the EBA to revise their opinion to keep card number and CVV as a valid authentication factor and phase it out within the next three years to allow time for the industry to deploy alternative authentication methods without disrupting payments. 

For more information on the position of Ecommerce Europe, you can consult our new   White paper on the RTS on SCA.