The Second Payments Services Directive (PSD2) is opening many doors for small companies in a bank-dominated industry. With the new rules some of the competences are transferred from the banks to the hands of the consumers. Consumers have the authority, through consent, to allow smaller companies to use consumers’ bank accounts to provide unique se...
07 May 2019 Open Banking
The Payment Services Directive (PSD2) introduces new rules on how payment services are going to be governed. Strong Consumer Authentication (SCA) implements new standards where (Article 97) the payer: (a) accesses its payment account online; (b) initiates an electronic payment transaction; (c) carries out any action through a remote channel w...
26 March 2019 Fintech
My understanding and the interpretation of the current legal framework on this matter is that there is more than one way of fulfilling SCA. What is certain from the law is that there must be two different and independent elements for the initial authentication stage. The initial authentication stage should produce an authentication code. The tricky part is how you put that authentication code into use, as it is not clear from the law. It is unclear whether the consumer must put in the authentication code himself or whether the payment initiator gets the code and lets the payment proceed. If it is the first option, then OTP would be the only way around, once the two elements are confirmed. But if it is the second option then we can use the existing method of chip and pin and we do not need the OTP. But nevertheless, OTP could replace the pin code in the second scenario.
I believe it is the second scenario that will be applied, and thus the consumers will not need to insert the authentication code.
Yes, you are right in saying OTP can be one of the elements, but it would be the ‘possession’ element and not the ‘knowledge’ based element. A pin or multi-use password is a knowledge-based element because it is something you and only you know. OTP is based on the devices you have, and you will not know the one-use password if you don’t have the laptop or the phone, therefore it is a ‘possession’ based element.
If it is the first scenario, then I agree, it does not make sense to put another security layer on chip and pin type of transactions which are considered safe already.
28 Mar 2019 13:31
Thank you for the article, it seems very fascinating. However, my belief is that you have misinterpreted the RTS with the point 3. RTS states that PIS Providers have the right to rely on the authentication procedures provided by the ASPSP to the user and in such cases, the authentication procedure will remain fully in the sphere of competence of the ASPSP.
This part only bears the meaning that there is an extra right for the PISPs to use the SCA provided by the banks. It does not state anything about the PISPs not being able to have their SCA mechanism. There would be no point of having PISPs if they would have the only way of referring to banks for initiating the payment service, doing something they were created to do.
21 Mar 2019 10:38
The 3DS 1.0.2 does not necessarily satisfy the requirements for the PSD2. PSD2 requires two different elements, 3DS 1.0.2 might request two same elements, for example, two passwords, which both are something we know. Can you expand on how 3D Secure satisfies the requirements of strong consumer authentication?
21 Mar 2019 10:24
Nazar Korshivskyi, Legal Counsel at Solid