HL | PSD3 Impacts
10. Strong Customer Authentication (SCA) (PSR Arts 85–89)
Overview
The proposed PSR confirms the extent to which SCA might apply to instruction channels that may also expose the PSU to a risk of fraud (e.g. MOTO, contactless, paper-based).
AISP access will be permitted for 180 days following the initial SCA without requiring further SCA to be performed (unless there are fraud concerns).
SCA elements no longer need to be from different categories (i.e. it could rely on two knowledge elements).
PSPs’ SCA solutions must also cater for persons with disabilities, older persons, persons with low digital skills and those who do not have access to digital channels or payment instruments, by ensuring that these (and all other) customers have at their disposal at least a means, adapted to their specific situation, which enables them to perform SCA. In this regard, the performance of SCA cannot be made dependent on the possession of a smartphone. PSPs should develop a diversity of means for the application of SCA to cater for the specific situations of all their customers.
Use of third parties to provide and verify elements will be considered outsourcing.
What is changing?
SCA elements do not necessarily need to belong to different categories (e.g. knowledge, possession, inherence), provided independence is fully preserved.
Paper-based and MOTO transactions are not in scope of SCA requirements, provided the relevant security checks and requirements that are performed by the PSP allow another form of authentication of the payment transaction to occur.
An AISP will be able to access an account for 180 days following the initial SCA without the customer needing to repeat it (unless there are fraud concerns).
Contactless payments that rely on payer proximity will be subject to SCA or ‘harmonised security measures of identical effect that ensure the confidentiality, authenticity and integrity of the transaction amount and payee’.
Where technical service providers provide and verify the elements of SCA, PSPs must enter into an outsourcing agreement under which the PSP retains regulatory liability and has the right to audit and control security provisions.
Accessibility requirements require PSPs to develop ‘a diversity of means’ for the application of SCA to cater for the specific situations of all their customers. Non-digitally savvy/non-digital customers must have at least a means, adapted to their specific situation, which enables them to perform SCA. SCA cannot depend on access to a smartphone.
The EP Text deletes the requirement for an outsourcing agreement, referring instead to new RTS on this subject which it expects to reflect EBA guidelines.