The European Banking Authority (EBA) published three Q&As that, together with three Q&As it had published previously, comprehensively clarify the application of strong customer authentication (SCA) to digital wallets under the revised Payment Services Directive (PSD2).
The six Q&As provide clarification on how SCA is applied when a payment card is added to a digital wallet and when payment transactions are started using digitized versions of a payment card. They also make clear the conditions that apply to outsourcing the SCA application to companies that offer digital wallets.
Q&A 5622: Is strong customer authentication (SCA) required when a Payment Service Provider (PSP) issues a payment instrument or creates a token?
Q&A 6145: Does the authentication to unlock the mobile device count as one of the elements of strong customer authentication when a payment service user is tokenising a card on an e-wallet solution such as Apple Pay?
Q&A 6464: Is SCA required for the replacement of a tokenized card happening in the background without any ‘action by the payer’ under Article 97(1)(c) PSD2 in the following cases:
1. Expiry of the token and update of the token
2. Replacement of the card, and the new card has a different BIN/Account Range (e.g., for product graduation, such as standard to gold, or simple BIN management) and/or different functionalities
3. Technical and/or configuration changes to the issuer’s BIN configuration (such as migrating from 6 to 8 digit BINs)
In all these cases, the existing tokenized credentials have been initially associated with SCA to the user under Article 24(2)(b) RTS, and this is solely a technical replacement of the token.
Q&As published previously:
Q&A 4047: When an issuer delegates strong customer authentication (SCA) to a third-party (e.g. a smartphone manufacturer), what are the requirements for such delegation? Should the issuer conduct an evaluation of the technical features and security of third-party’s devices and solutions?
Q&A 4827: In relation to card tokenisation that can be used for the purposes of various payment solutions, does the token that is created from the card details qualify as a “possession element” according to the strong customer authentication (SCA) requirements?
Q&A 6141: Should strong customer authentication (SCA) elements always be issued under control of the Account service Payment Services Provider (ASPSP)?