The European Banking Authority (EBA) published on its website Q&As that, jointly with other previously published Q&As, are to clarify the application of strong customer authentication (SCA) to digital wallets under the amended Payment Service Directive (PSD2).
The EBA clarified the application of SCA to the registration of a payment card in a digital wallet and to the initiation of payment transactions using digitised versions of a payment card, as well as the requirements for outsourcing of the application of SCA to digital wallet providers.
For example, as regards the enrolment of a payment card to a digital wallet, it was clarified that the process leads to the creation of a token/digitised version of the payment card and requires the application of SCA under Article 97(1)(c) of PSD2, because it is an action that may be associated with the risk of fraud or other abuses. By applying SCA, the payment service provider (PSP) verifies remotely whether the payment service user (PSU) is the rightful user of the payment card and associates the PSU and the digitised version of the payment card with the respective device.
Another Q&A clarifies that the PSP that has issued the payment card is required to apply SCA when adding the payment card to a digital wallet and is responsible for providing the respective SCA elements to the PSU. The issuer is also required to ensure appropriate security measures to protect the confidentiality and integrity of PSU’s personalised security credentials.
As regards outsourcing, the Q&As clarify that issuers may outsource the provision and verification of elements of SCA to a third party (e.g. by concluding contractual arrangements with the third party), such as a digital wallet provider, in accordance with the general requirements on outsourcing, including the requirements of the EBA Guidelines on outsourcing arrangements. However, the responsibility for compliance with the SCA requirements must not be outsourced and issuers remain fully responsible for compliance with the requirements in the PSD2 and the Regulatory Technical Standards (RTS) on SCA&CSC.
Source: https://www.eba.europa.eu/eba-clarifies-application-strong-customer-authentication-requirements-digital-wallets