Card number, CVV, expiry date are not knowledge elements – or maybe they are?

Authenticating a credit card transaction by submitting the card number with CVV and the expiry date in conjunction with a PIN or a one-time password submitted via SMS or pushTAN is a process that is widely used by credit card users and has been offered by payment service providers for several years. However, as with most other payment methods, credit card payments will as from 14 September 2019 also be subject to the rules on SCA in the SCA RTS, which would require two out of the three elements “knowledge”, “possession” and “inherence”.

The EBA has taken the view that – given that knowledge is defined as ‘something only the user knows’ – the card number with CVV and expiry date printed on the card (credit card details) cannot be considered a sufficient knowledge element. In the EBA’s view, this should also apply to the possession element considering that card number, CVV and expiry date cannot be considered a reliable means to confirm possession.

Is the interpretation by the EBA the only possible one under the SCA RTS? And what impact does the interpretation by EBA in the EBA Opinion for the card industry?

The knowledge element

The knowledge element is defined in PSD2 as something that only the payer knows. Thus, it must be kept private from third persons. Consequently, SCA RTS require PSPs and the payer to take measures in order to mitigate the risk of the knowledge element being made available to unauthorised third persons. On the other hand, elements would not qualify as a knowledge element that are designated as available to third persons. This includes, for example, IBAN, which the payer must submit to third persons in order to receive payments by way of, for instance, a SEPA credit transfer.

The credit card details are only used in order to initiate a payment transaction, but are, however, visible for third persons whenever the payer uses the card. This would be the case in a POS transaction as well as when a card is provisioned onto a mobile device. It could therefore be questionable to argue that the card issuer has taken sufficient risk mitigation measures to prevent that the card details are available to third persons, although such interpretation does not seem to be incompatible with the wording of the SCA RTS.

The possession element

The possession element refers to something that only the user possesses. PSPs shall adopt measures to mitigate the risk that the elements of SCA categorised as possession are used by unauthorised parties and the use by the payer of those elements shall be subject to measures designed to prevent replication of the elements. As one can easily write down and thereby replicate the card details, it is difficult to argue that such card details would constitute a possession element.

‘Layered approach’

However, it has to be borne in mind that SCA rules in the SCA RTS follow a ‘layered approach’ which considers multiple dynamic factors in addition to the static card details, such as behaviour factors taken into consideration alongside biometric (inherence) or possession authentication.

Therefore, it can be argued that, provided sufficient behavioural characteristics have been taken into account and that sufficient risk mitigation is in place, card number, expiry date and CVV can be considered knowledge. In other words, it should be possible that the ‘strength’ of one particular factor (and further risk mitigation measures) can compensate for the ‘weakness’ of one other factor, such as the card details as knowledge element. Consequently, static card credentials which utilise a ‘layered approach’ in addition to the use of a one-time passcode could be sufficient for the requirements of SCA, provided that (in addition to a clearly separate factor) sufficient risk mitigation has been put in place.

Alternatively, the use of dynamic CVVs could also constitute a possession element and could fulfil the SCA requirements if combined with a second separate factor.

Provided that rates of unauthorised transactions resulting from a particular authentication method are very low, this would support the position that the knowledge element is also sufficiently kept safe.

EBA Opinion binding for PSPs?

EBA has based its opinion on Article 29 of the EBA Regulation. Issuing opinions is a tool that the EBA may use to build a common EU supervisory culture and consistent supervisory practices throughout the Union. However, opinions published by the EBA are generally “just” opinions and national supervisory authorities are not bound to implement such opinions into their administrative practices. Therefore, the EBA Opinion would only be binding if an EU member state adopted this approach in its national law or if its national supervisory authorities implemented this approach in their national administrative practices.

Does this mean that the EBA Opinion means nothing? At least from a practical perspective, the answer is “no”. The EBA is accepted as an important authority in the EU and although their opinions might not be formally binding for the national supervisory authorities, such authorities have in the past quite often adopted the EBA’s publications in their administrative practice. At least, national authorities are likely to very diligently take EBA’s opinion into consideration when establishing their own administrative approach. BaFin has, for instance, taken the same view as the EBA even prior to the publication of the EBA opinion.

What to do?

Market participants should in particular monitor the reactions of the national authorities with regard to the EBA Opinion. It should also be taken into account that the EBA has made a general assessment as to whether card details may serve as a knowledge or possession element. The EBA has, however, not made an assessment on particular solutions that include further risk mitigation measures. One should therefore consider submitting solutions for assessment to the EBA that could fulfil the SCA requirements based on a ‘layered approach’.