Explore insights on SCA & PSD2 requirements & the EBA's role in enhancing payment security with dynamic linking by providing regulatory technical standards.
Vincent
Created: April 15, 2024
Updated: September 24, 2024
Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to keep you up to date on the latest developments in the industry.
Strong Customer Authentication (SCA)
3.1 Directive (EU) 2015/2366 (PSD2)
3.2 Delegated Regulation (EU) 2018/389: Regulatory Technical Standards on SCA
3.3 European Banking Authority Opinion 2018 (EBA-2018-Op-04)
3.4 European Banking Authority (EBA) Opinion 2019 (BA-Op-2019-06)
After having analyzed the historical development and technical foundation of passkeys in the previous part of our 4-part series around passkeys and their SCA compliance, we now analyze the regulatory side and look into existing legal requirements here.
We start by taking a look at the legal foundation and learn how SCA has been updated and extended continuously over time.
Recent Articles
PSD2, or Directive (EU) 2015/2366, sets the legal groundwork for stronger payment security in the EU, introducing Strong Customer Authentication (SCA) and dynamic linking to protect electronic payments. The technical details for implementing these concepts were outlined in Commission Delegated Regulation (EU) 2018/389, with updates provided by Delegated Regulation (EU) 2022/2360. While the EU Directive establishes the law with decision of the European Parliament and the European Commission specifies technical standards, the European Banking Authority (EBA) ensures consistent application across member states. Through its officially released opinions, guidelines, recommendations, and notably, the Single Rulebook Q&A, the EBA helps national regulators across EU member states in interpreting and applying these laws consistently. While EBA's outputs are not directly legally binding, they are instrumental in achieving a harmonized regulatory approach, offering detailed insights and clarifications that guide the practical implementation of PSD2's mandates on SCA and dynamic linking by market participants and national regulators.
Become part of our Passkeys Community for updates and support.
JoinThe introduction of Strong Customer Authentication (SCA) by the EU places the responsibility for unauthorized payments primarily on financial institutions rather than consumers. Under SCA, if a payment service provider does not employ SCA, the provider must cover any financial losses, barring fraudulent action by the payer. Similarly, if a payee or their payment service provider does not support SCA, they must compensate the payer's provider for any resulting damages. SCA is crucial for various transactions, including credit card and bank transfers, and is also required for user login to banking services. Dynamic linking is an additional requirement when payment transactions are initiated and signed but will not be part of this discussion. We will start with a small overview of the layers of governmental bodies.
What are the different layers of governmental input for SCA?
# | Body | Document 2015/2366 (PSD2) | Content |
---|---|---|---|
1 | EU Parliament | Directive 2015/2366 (PSD2) | Initial PSD2 |
2 | EU Commission | Delegated Regulation 2018/389 (RTS) | Further specification of the law |
3 | European Banking Authority | Opinion 2018 Opinion 2019 | Recommendations & guidelines for national regulators and market participants |
4 | European Banking Authority | Single Rulebook Q&A | Browsable Q&A of questions asked by market participants and answered by the EBA |
There are four layers that from 1 to 4 get more specific providing detailed insights how
gray areas and ambiguities should be handled. We will now go deeper into the background of SCA and go through the definitions and sources of regulations for SCA layer by layer.
The first layer of definition is the actual Directive: Article 97 Authentication of Directive (EU) 2015/2366 (PSD2) defines:
âMember States shall ensure that a payment service provider applies strong customer authentication where the payer:
and lays out in Article 98 that EBA shall:
In addition within the definitions in Article 4, three important words are laid out:
Word | Explanation |
---|---|
authentication | means a procedure which allows the payment service provider to verify the identity of a payment service user or the validity of the use of a specific payment instrument, including the use of the userâs personalized security credentials |
strong customer authentication | means an authentication based on the use of two or more elements categorized as:
|
personalized security credentials | means personalized features provided by the payment service provider to a payment service user for the purposes of authentication |
As we can see in the table above Strong Customer Authentication by means of interpreting the Directive itself does not require two factors from different categories but rather two in total. In terms of âMulti factor classificationâ, this could therefore be interpreted as 2SV (and not 2FA) when only reading the directive.
The second layer of definition was set into place by the Commission in the Delegated Regulation (EU) 2018/389 which released regulator technical standards on SCA.
SCA Factor | Regulatory Technical Standards (RTS) on SCA |
---|---|
RTS Article 6 Knowledge |
|
RTS Article 7 Possession |
|
RTS Article 8 Devices and Software linked to Inherence |
|
RTS Article 9 Independence |
|
The EBA's opinion from 13.06.2018 EBA-2018-Op-04 on the RTS for strong customer authentication and secure communication acts as a third layer of definition. While these EBA guidelines offer recommendations and serve as guidance for national regulators, they do not have the force of law. However, their guidelines are often treated as highly authoritative, making them "de facto law" in practice for the implementation of regulatory standards.
SCA Factor | European Banking Authority (EBA) opinion regarding SCA |
---|---|
All |
|
With this additional requirement EBA lifted up the SCA requirements to true 2FA requiring both factors to be from distinct categories (before it was merely 2SV).
Because of increasing uncertainty among market participants, the EBA released another opinion specifically targeting only strong customer authentication under PSD 2 on 21.06.2019 EBA-Op-2019-06:
SCA Factor | European Banking Authority (EBA) opinion regarding SCA (part of the recommendations therefore numbered) |
---|---|
Inherence |
|
Possession |
|
Knowledge |
|
Combinations | (#EBA2019.42) Approaches in which device binding to an app is used in combination with a knowledge or inherence element (e.g. some mobile wallet approaches) is considered compliant (Interesting because the can be applicable to e-commerce apps with passkeys) |
It is observable that rules have become increasingly stringent with every additional opinion from the EBA. However, commentary indicates that many implementations within Europe, under various regulators, are considered by the EBA to be non-compliant. Despite this, the EBA does not exert pressure to change the situation.
Subscribe to our Passkeys Substack for the latest news, insights and strategies.
SubscribeMoreover, the fourth layer are the Q&As which can be asked via the Single Rulebook Q&A site of the EBA. Most of the questions that were asked before the publication of the last opinion in 2019 have been integrated into the publication. Nevertheless, there are some interesting Q&As that shed some light on the thinking process of the regulators:
Are SMS OTPs RCA compliant (2018_4039)?
Yes, the possession is not the SMS itself, but rather typically the SIM-card associated with the respective number.
Can username/password login and SMS OTP be on the same device (phone) and be SCA compliant (2019_4637)?
Yes, as there is sufficient risk protection and mitigation due to âdifferent execution environmentsâ
Are native app push notifications RCA compliant (2019_4984)?
Yes, as long as sufficient measures are taken against unauthorized parties and possession of device evidenced by OTP generated or perceived is fulfilled (which is also covered by #EBA2019.25).
Even though there is obviously a lot of guidance, opinions or Q&As, no statement regarding WebAuthn or passkeys as SCA factor can be found so far.
Why Are Passkeys Important For Enterprises?
Enterprises worldwide face severe risks due to weak passwords and phishing. Passkeys are the only MFA method that meets enterprise security and UX needs. Our whitepaper shows how to implement passkeys efficiently and what the business impact is.
If you have questions, feel free to Â
contact usWe have taken a deep look how the definitions, specification and market opinions about SCA authentication methods have evolved and what the standpoint of the regulators are to understand what ruleset we have to apply to find out how what the SCA requirements mean for passkeys in our third pard of the series.
Here are the links to the other parts of our series:
Table of Contents
Enjoyed this read?
đ¤ Join our Passkeys Community
Share passkeys implementation tips and get support to free the world from passwords.
đ Subscribe to Substack
Get the latest news, strategies, and insights about passkeys sent straight to your inbox.
We provide UI components, SDKs and guides to help you add passkeys to your app in <1 hour
Start for free