The six Q&As clarify the application of SCA to the enrolment of a payment card to a digital wallet and to the initiation of payment transactions with digitised versions of a payment card. They also clarify the requirements applicable to the outsourcing of the application of SCA to digital wallet providers.
Starting with the enrolment of a payment card to a digital wallet, Q&A 5622, for example, clarifies that this process leading to the creation of a token/digitised version of the payment card the requirement of SCA. By applying SCA, the payment service provider (PSP) verifies remotely that the payment service user (PSU) is the rightful user of the payment card and associates the PSU and the digitised version of the payment card with the respective device.
Q&A 6141 had already clarified that the PSP that has issued the payment card (the issuer) is required to apply SCA when adding a payment card to a digital wallet and is responsible for providing the respective SCA elements to the PSU. The issuer is also required to ensure that adequate security measures are in place to protect the confidentiality and integrity of PSU’s personalised security credentials.
Turning to outsourcing, the Q&As, overall, clarify that issuers may outsource the provision and verification of the elements of SCA to a third party (e.g. by concluding contractual arrangements with the third party), such as a digital wallet provider, in compliance with the general requirements on outsourcing, including the requirements of the EBA Guidelines on Outsourcing arrangements. However, the responsibility for compliance with the SCA requirements cannot be outsourced and issuers remain fully responsible for the compliance.
When it comes to the initiation of electronic payment transactions, Q&A 5622 clarifies that the initiation of transactions with the digitised version of the payment card also requires the application of SCA under PSD2, unless one of the specific exemptions from the application of SCA set out in the RTS on SCA&CSC applies.
Finally, Q&A 6145 clarifies that the unlocking of a mobile phone with biometrics (e.g. a fingerprint) or with a PIN/password cannot be considered a valid SCA element for the purpose of adding a payment card to a digital wallet, if the screen locking mechanism of the mobile device is not a process under the control of the issuer. Q&A 6464 further clarifies that the issuance of a new token, replacing a previously existing one, and binding it to a device/user also requires the application of SCA.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now