Tokens for securing transactions

Recent regulatory changes have made strong-factor authentication mandatory for digital wallets, but there is still confusion as to what this means in practice

Simon Deane-Johns, consultant in corporate law at Ogier Leman: ‘Card issuers can outsource the SCA [strong customer authentication] process, but they remain fully responsible for regulatory compliance’

With the growth in popularity of digital wallets it is no surprise that compliance in the area has begun to grow more complex. In order to protect consumers from fraud and hacking, a variety of techniques have been advanced in recent years. From a regulatory point of view, however, the European Union has settled on one specific requirement.

In a recent statement, the European Banking Authority (EBA) clarified the need for ‘strong (“two-factor”) customer authentication’ (SCA) for payment cards held in digital wallets.

However, this can be confusing for online retailers and technology service providers, as well as for payment card issuers and acquirers, said Simon Deane-Johns, consultant in corporate law at Ogier Leman.

In its six regulatory FAQs, the EBA explains that, when adding a payment card to a digital wallet, a digital ‘tokenised’ version of the card is created within the wallet, so SCA is required due to the risk of fraud or other abuses.

This, it said, allows the payment service provider (PSP) to verify remotely that the rightful cardholder is adding the card; and associates the cardholder with the device and the digitised version of the card.

Deane-Johns said that this means the payment card issuer must apply SCA when adding the card to a digital wallet, as well as when replacing a previous digitised version of the card.

The issuer’s responsibilities do not end there, though.

“The issuer is also responsible for ensuring that the cardholder can use their personalised security credentials as the means of authentication; and that adequate security measures are in place to protect the confidentiality and integrity of those credentials,” he said.

What some may not realise is that the act of unlocking a mobile device with biometrics, a PIN or password is not considered a valid element for SCA purposes, unless the screen locking mechanism of the device is also controlled by the card issuer.

In addition, the initiation of payment transactions with the digitised version of the card in the digital wallet also requires SCA, “unless the issuer applies one of seven specific exemptions,” Deane-Johns said.

It is important to note, Deane-Johns said, that while working with a third party is allowed, it does not absolve card issuers of their responsibilities.

“Card issuers can outsource the SCA process to a third party service provider, if that partner has complied with the EBA Guidelines on Outsourcing arrangements, but the issuers remain fully responsible for regulatory compliance,” he said.