EBA grants merchant extensions for SCA
Written by Peter Walker
The European Banking Authority (EBA) has published an opinion on Strong Customer Authentication (SCA) under the second Payment Services Directive (PSD2), acknowledging that implementing the new standards might be difficult for some merchants, with many being at risk of missing the deadline.
The statement was a response to continued industry queries as to which authentication approaches the EBA considers to be compliant with SCA, and addresses concerns about the preparedness and compliance of some stakeholders in the payments chain ahead of the 14 September deadline.
The EBA explained that sufficient time has been available for the industry to prepare for the application date of SCA, given that the definition had been set out when PSD2 was published in 2015, giving clear indications that existing authentication approaches would need to be phased out.
However, the EBA also acknowledged the complexity of the payments markets across the EU and the challenges arising from the changes that are required, in particular by those that are not Payment Service Providers (PSPs) and, therefore, not directly subject to PSD2 and the EBA's technical standards – such as e-merchants.
“The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, national competent authorities may decide to work with PSPs and relevant stakeholders - including consumers and merchants - to provide limited additional time,” read the opinion. “This is to allow issuers to migrate to authentication approaches that are compliant with SCA, and acquirers to migrate their merchants to solutions that support SCA.”
This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with regulators, and will execute the plan in an expedited manner.
The EBA stated that later this year it will communicate deadlines by which merchants given an extension will have to have completed their migration plans.
Chris Stephens, head of banking solutions at Callsign, said the extension stems from ambiguity around which authentication methods would be considered compliant, and from the fact that many companies currently rely solely on a human policy manager - knowledge siloed to a few IT team members - to meet these regulatory requirements.
“In the opinion, the EBA has given additional guidance around the inherence element, which now includes keystroke dynamics, such as typing and swiping patterns, and the angle at which a phone user holds their device,” he explained.
“Although this additional information is welcome, the EBA also says that these methods can only be used ‘provided that the implemented approaches provide a very low probability of an unauthorised party being authenticated as the payer’ – again, the ambiguity persists, as ‘very low’ can be interpreted differently depending on the individual reading it.”
SCA is defined in PSD2 as an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.
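The definition above has two parts that are easy to get wrong when a merchant or PSP maps its login flow onto it: the factors must come from two *different* categories (a password plus a security question is still one category), and the factors must be *independent*. The following is an added illustration, not code from the EBA, PSD2 or any vendor named in the article. It models each factor with a hypothetical `boundary` label naming the component whose compromise would expose that factor, and treats two factors behind the same boundary as not independent. That label, and the sample factor sets, are assumptions for the example; the check does not implement the detailed requirements of the EBA's regulatory technical standards.

```python
from dataclasses import dataclass, field
from enum import Enum
from itertools import combinations


class Category(Enum):
    """The three element categories named in PSD2's definition of SCA."""
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    # Hypothetical label (assumption for this example) for the component whose
    # compromise would expose the factor, e.g. "browser", "sim", "rich-os".
    # Two factors behind the same boundary are treated as NOT independent,
    # because breaching that one component breaks both of them.
    boundary: str


@dataclass
class Verdict:
    compliant: bool
    reasons: list = field(default_factory=list)  # why it failed; empty if compliant
    pair: tuple = ()                              # the independent pair that satisfied the rule


def check_sca(factors):
    """Return a Verdict on whether a set of factors meets the SCA definition.

    Rule 1: at least two factors drawn from two distinct categories.
    Rule 2 (independence): some cross-category pair must sit behind different
            boundaries, so that a breach of one does not compromise the other.
    """
    categories = {f.category for f in factors}
    if len(categories) < 2:
        found = ", ".join(sorted(c.value for c in categories)) or "none"
        return Verdict(False, ["fewer than two distinct categories (found: %s)" % found])

    for a, b in combinations(factors, 2):
        if a.category != b.category and a.boundary != b.boundary:
            return Verdict(True, [], (a.name, b.name))

    return Verdict(False, ["no independent pair: every cross-category pair shares a boundary"])


# Constructed sample factor sets (not taken from the article).
PASSWORD_PLUS_SMS_OTP = [
    Factor("password", Category.KNOWLEDGE, "user-memory"),
    Factor("sms-otp", Category.POSSESSION, "sim"),
]
PASSWORD_PLUS_SECURITY_QUESTION = [
    Factor("password", Category.KNOWLEDGE, "user-memory"),
    Factor("security-question", Category.KNOWLEDGE, "user-memory"),
]
APP_PIN_PLUS_APP_KEY_SAME_OS = [
    # Both the PIN entry and the device key live in the same rich OS process,
    # so a compromise of that process exposes both: two categories, no independence.
    Factor("app-pin", Category.KNOWLEDGE, "rich-os"),
    Factor("device-key", Category.POSSESSION, "rich-os"),
]


if __name__ == "__main__":
    for label, factors in [
        ("password + SMS OTP", PASSWORD_PLUS_SMS_OTP),
        ("password + security question", PASSWORD_PLUS_SECURITY_QUESTION),
        ("app PIN + device key (same OS)", APP_PIN_PLUS_APP_KEY_SAME_OS),
    ]:
        v = check_sca(factors)
        print(label, "->", "compliant" if v.compliant else "NOT compliant", v.reasons or v.pair)
```

The third sample is the case the independence clause exists for: two categories are present, yet a single compromised component yields both factors, so the set fails even though a naive "count the categories" check would pass it.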