But EBA says one-time SMS codes are not enough
The European Banking Authority (EBA) has published a new opinion on the Secure Customer Authentication (SCA) regulations scheduled to come into force this September. In a view that has caught many by surprise, the EBA says that those approaches that simply rely on One Time Passcodes (OTPs) sent by SMS do not actually comply with the new rules.
Under the terms of the revised Payments Services Directive (PSD2) the new regulations will require all online transactions over €30 to be authenticated using an SCA-compliant process.
The SCA rules allow for transactions to be authenticated by any combination of two of three compliant elements. These elements are classified as knowledge: something the person knows; possession: something the person has; or inherence: something the person is, typically proven by something like a fingerprint scan to verify identity. At least two of these elements are due to be required from September to authorise any online transaction of more than €30.
The EBA’s latest opinion also says that the ‘knowledge’ element of the process cannot simply be the card details and security number printed on the customer’s debit or credit card. Furthermore, it says that a One Time Passcode (OTP) sent to a user’s mobile phone via SMS cannot be used to indicate both knowledge (of the Passcode) and possession (of the mobile). That code can only be used as an indicator of one element.
Therefore, this ruling means that all those retail or transaction sites asking users to complete their card details online before sending an SMS to authenticate the transaction are not compliant with the new regulations.
The EBA does, however, endorse those approaches where the OTP can only be accessed after triggering two separate elements of authentication. Therefore, a bank-provided card reader that requires the user to insert their card and enter a PIN or scan a biometric to generate an OTP code is compliant, because it always uses at least two of the elements to generate the code.
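The element rules described above, as an added worked check (not code from the EBA or from Onescan): each piece of evidence is mapped to the single SCA element it can count for, so an SMS OTP counts only as possession, printed card details count for nothing, and a transaction over the €30 threshold passes only when two distinct elements are proven. The evidence labels and the threshold handling are this example's own assumptions.

```python
from enum import Enum


class Element(Enum):
    """The three SCA element categories."""
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


# Evidence type -> the one SCA element it proves, following the opinion:
# an SMS OTP shows possession of the phone only, printed card details
# prove nothing, a PIN is knowledge, a biometric is inherence.
# These labels are constructed for this example, not regulatory terms.
EVIDENCE_ELEMENT = {
    "card_details": None,            # PAN, expiry and security number on the card
    "sms_otp": Element.POSSESSION,   # cannot also be counted as knowledge
    "card_in_reader": Element.POSSESSION,  # card inserted into a bank card reader
    "phone_app": Element.POSSESSION,       # registered smartphone app / web app
    "pin": Element.KNOWLEDGE,
    "biometric": Element.INHERENCE,
}

# Threshold as stated on this page (the regulation adds further conditions).
SCA_THRESHOLD_EUR = 30


def sca_elements(evidence):
    """Return the set of distinct SCA elements the supplied evidence proves."""
    elements = set()
    for item in evidence:
        if item not in EVIDENCE_ELEMENT:
            raise ValueError(f"unknown evidence type: {item}")
        element = EVIDENCE_ELEMENT[item]
        if element is not None:
            elements.add(element)
    return elements


def is_sca_compliant(amount_eur, evidence):
    """True if SCA is not required or two distinct elements are proven.

    Repeating the same evidence type (two SMS OTPs) still yields one element.
    """
    if amount_eur <= SCA_THRESHOLD_EUR:
        return True
    return len(sca_elements(evidence)) >= 2
```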
Onescan’s frictionless approach also takes a device you possess – your smartphone – to trigger a patented secure payment process via an app or web app (zero-download solution). Because the transaction is then authorised by a knowledge element (PIN) or by an inherence element (biometric), Onescan fully meets the new regulations as defined by the EBA. With Onescan, there’s also no need for customers to pre-download any app; we can initiate the payment process simply using the smartphone camera.
Paragraph 42 of the EBA’s opinion confirms Onescan’s compliance, while paragraph 43 confirms that OTPs via SMS are not enough by themselves. With the countdown to the implementation of the new rules approaching fast, the EBA’s opinion has thrown many of those working on solutions a real curveball late in the planning process. The EBA did explain that sufficient notice of the new rules was given, considering that the PSD2 SCA definition was published in 2015, but it did also provide some scope for extension, stating in its opinion:
“The EBA, therefore, accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, national competent authorities may decide to work with PSPs and relevant stakeholders - including consumers and merchants - to provide limited additional time. This is to allow issuers to migrate to authentication approaches that are compliant with SCA, and acquirers to migrate their merchants to solutions that support SCA.”
That’s potentially good news for those thinking that it’s time to go back to the drawing board, but there is no need to panic. Onescan offers PSPs and retailers a quick and easy integration path today that delivers an omnichannel solution for transactions which will meet all the SCA rules.
Contact us for more information or to discuss how we could quickly help meet all your requirements.
Go to the article on the EBA website
Or download in PDF format here.