The EBA recently clarified whether tokenized card data can be used as the possession element for Strong Customer Authentication (SCA).
While the details printed on the physical card are not considered a valid element, the EBA now states that tokenized card data may constitute a valid possession element for SCA.
Tokenization is the process of protecting sensitive data (card data) by replacing it with a unique, algorithmically generated surrogate value called a token, which has little exploitable value on its own; the mapping from token back to card data is held only by the token service provider.
An interesting security feature of tokens is domain restriction: a token can be limited to specific merchant categories or geographies, given a defined life span, and capped at a maximum purchase amount. Tokens therefore significantly improve payment controls and raise the overall security level of a payment well above that of a raw card number.
In addition, tokenization can bind a token to the cardholder and to a trusted device. Digital wallets rely on such device-bound tokens: the token is unique to one device and one cardholder, so copying the token to another device does not allow purchases to be made from that device.
In order to verify the identity of the cardholder and secure the end-to-end process, the association of the token with the cardholder and with the cardholder's device should itself require SCA at provisioning time.
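The two controls described above, domain restriction and device binding, as an added illustration that is not part of the original article and is not the actual code of EMVCo, any card scheme or any wallet provider. It models a hypothetical token vault in Python: tokens are random surrogates that carry merchant-category, country, lifetime and amount restrictions, and a device-bound token additionally requires a proof computed with a key provisioned to the device (an HMAC over the transaction stands in for the per-transaction cryptogram a real wallet produces; that substitution, the class and function names, the test PAN and the whole scenario are constructed for this example).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class TokenRecord:
    """What the vault keeps per token. The real PAN never leaves the vault."""
    pan: str
    allowed_mccs: frozenset             # merchant category codes the token may be used at
    allowed_countries: frozenset        # countries the token may be used in
    expires_at: datetime                # token life span
    max_amount: int                     # per-transaction ceiling, in minor units (cents)
    device_id: Optional[str] = None     # set only for device-bound tokens
    device_key: Optional[bytes] = None  # secret provisioned to that device during SCA
    used_txn_ids: set = field(default_factory=set)  # stops replay of a device proof


def device_sign(device_key, token, mcc, country, amount, txn_id):
    """Possession proof computed on the device with its provisioned key. An HMAC here
    stands in for the per-transaction cryptogram a real wallet produces (assumption)."""
    msg = "|".join([token, mcc, country, str(amount), txn_id]).encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class TokenVault:
    def __init__(self):
        self._tokens = {}

    def issue(self, pan, allowed_mccs, allowed_countries, lifetime, max_amount, now,
              device_id=None):
        """Random token, not derived from the PAN, so it cannot be reversed.
        Returns (token, device_key); device_key is None for non-device-bound tokens."""
        token = "tok_" + secrets.token_hex(16)
        device_key = secrets.token_bytes(32) if device_id else None
        self._tokens[token] = TokenRecord(
            pan=pan, allowed_mccs=frozenset(allowed_mccs),
            allowed_countries=frozenset(allowed_countries), expires_at=now + lifetime,
            max_amount=max_amount, device_id=device_id, device_key=device_key)
        return token, device_key

    def authorize(self, token, mcc, country, amount, now,
                  device_id=None, device_proof=None, txn_id=None):
        """Apply the domain restrictions, then the device binding. Returns (ok, reason)."""
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown token"
        if now >= rec.expires_at:
            return False, "token expired"
        if mcc not in rec.allowed_mccs:
            return False, f"merchant category {mcc} not allowed"
        if country not in rec.allowed_countries:
            return False, f"country {country} not allowed"
        if amount > rec.max_amount:
            return False, f"amount {amount} exceeds limit {rec.max_amount}"
        if rec.device_id is not None:
            # Device-bound token: the presenter must prove it holds the device key.
            if device_id != rec.device_id:
                return False, "token is bound to a different device"
            if txn_id is None or txn_id in rec.used_txn_ids:
                return False, "missing or replayed transaction id"
            expected = device_sign(rec.device_key, token, mcc, country, amount, txn_id)
            if device_proof is None or not hmac.compare_digest(expected, device_proof):
                return False, "invalid device proof"
            rec.used_txn_ids.add(txn_id)
        # Only here, inside the vault, is the real PAN used for onward authorisation.
        return True, f"approved on card ending {rec.pan[-4:]}"


def run_demo():
    """Constructed scenario: one device-bound wallet token and one card-on-file token."""
    vault = TokenVault()
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    pan = "4111111111111111"  # constructed test PAN
    tok, key = vault.issue(pan, {"5411"}, {"FR"}, timedelta(days=30), 10_000, now, "phone-A")

    def attempt(mcc, country, amount, at, txn, signing_key=key):
        proof = device_sign(signing_key, tok, mcc, country, amount, txn)
        return vault.authorize(tok, mcc, country, amount, at, "phone-A", proof, txn)

    r = {"pan_visible_in_token": pan in tok}
    r["grocery_in_FR_on_phone_A"] = attempt("5411", "FR", 2_500, now, "txn-1")
    r["same_proof_replayed"] = attempt("5411", "FR", 2_500, now, "txn-1")
    # Token copied to another device: it can claim to be phone-A but lacks the key.
    r["copied_to_other_device"] = attempt("5411", "FR", 2_500, now, "txn-2", secrets.token_bytes(32))
    r["restaurant_not_allowed"] = attempt("5812", "FR", 2_500, now, "txn-3")
    r["over_amount_limit"] = attempt("5411", "FR", 20_000, now, "txn-4")
    r["after_expiry"] = attempt("5411", "FR", 2_500, now + timedelta(days=31), "txn-5")
    cof, cof_key = vault.issue(pan, {"5411"}, {"FR"}, timedelta(days=365), 5_000, now)
    r["card_on_file_purchase"] = (cof_key is None, vault.authorize(cof, "5411", "FR", 4_999, now))
    return r


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:28} {outcome}")
```

Two design points are worth noting. The token is generated with a CSPRNG rather than derived from the PAN, so a stolen token table reveals nothing about the cards, and the vault checks the domain restrictions before the device proof so that a valid device cannot push a token outside its approved merchant category, country, amount or lifetime. For the card-on-file token no device key exists, which is exactly why the article's later discussion pairs it with a separate SCA step rather than relying on the token alone.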
Therefore, based on the above, tokenization could satisfy the EBA requirements to:
– provide evidence that the payer is in possession of the digitized version of the card
– mitigate the risk that the token is used by unauthorized parties and prevent replication of the element
Tokenization may qualify as 'something only the payer possesses' even in a non-physical form, provided that the token is controlled only by the cardholder.
The EBA also recognized that tokenization may be carried out by the issuer "directly or indirectly (e.g. through an outsourcing agreement with a third party, i.e. a token requestor such as a wallet provider in the case of digital wallets or a merchant in the case of cards on file)."
Therefore, this could be interpreted as recognizing that not only device-bound tokens (e.g., Google Pay and the like) but also tokens that are not device-bound (e.g., Card on File tokens) may qualify as 'possession'.
Overall, this EBA clarification highlights the increasing importance of payment tokenization. It will have a significant impact, since tokens are used in many payment solutions: digital wallets with device-bound tokens, and Card on File and Secure Remote Commerce with tokens that are not device-bound, as mentioned above.
For example, it would now be possible for a desktop purchase using a tokenized Card on File (a token that is not device-bound), with the cardholder in session, to rely on the token (possession) and a PIN (knowledge) as the two SCA elements when smartphone biometrics are not available.
Also, in conjunction with Delegated Authentication, which larger online merchants should be considering, a Card on File token provisioned with SCA, taken as a separate factor, could become the possession element for SCA under PSD2.
If you would like to know more about how to leverage tokenization in your SCA implementation, please contact us.