The original requirement to use an independent communication channel for SCA has been abandoned. How can integrity and authenticity be managed on a single channel in its absence?
In earlier standards, such as the Guidelines on internet payments security from 2015, the requirement was not only that two authentication elements out of three should be verified, but that these two elements should be verified through two separate communication channels. An example of how this worked in practice is a transaction made in a PC web browser being validated with a text message received on a separate mobile phone.
With PSD2, the EBA is probably taking the market trend towards single device payments into account in allowing single device and single channel transactions.
The requirements here are that the authentication elements ([possession], [inherence] and [knowledge]) are verified in a [separate execution environment] together with the [confidentiality], [integrity] and [authenticity] of the transaction. This places heavy demands on payment service providers for the technical implementation of their SCA solutions. The specific requirements are detailed in paragraph 5 of the RTS, which discusses Dynamic Linking.
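
One way to picture Dynamic Linking on a single channel, as an added example that is not taken from this page or from the RTS: the authentication code is computed over the amount and payee the payer confirmed, so changing either one, or reusing the code, makes verification fail. The HMAC with a shared device key, the `Issuer` class, the function names and all sample values are assumptions made for illustration; a real deployment may use asymmetric keys held in secure hardware.

```python
import hashlib
import hmac
import json
import secrets


def canonical(amount_minor, currency, payee, nonce):
    # Fixed, unambiguous encoding of exactly what the payer was shown.
    fields = {"amount": amount_minor, "currency": currency, "payee": payee, "nonce": nonce}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def make_auth_code(device_key, amount_minor, currency, payee, nonce):
    # Assumed to run in the separate execution environment, after the payer
    # has confirmed amount and payee there and passed the second element.
    return hmac.new(device_key, canonical(amount_minor, currency, payee, nonce),
                    hashlib.sha256).hexdigest()


class Issuer:
    """Hypothetical server side holding the key enrolled for one device."""

    def __init__(self, device_key):
        self.device_key = device_key
        self.pending = set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, code, amount_minor, currency, payee, nonce):
        if nonce not in self.pending:
            return False                  # unknown or already used challenge
        self.pending.discard(nonce)       # single use, even when the check fails
        expected = make_auth_code(self.device_key, amount_minor, currency, payee, nonce)
        return hmac.compare_digest(expected, code)


def demo():
    key = secrets.token_bytes(32)                       # constructed device key
    issuer, payee = Issuer(key), "PAYEE-ACCOUNT-0001"   # constructed payee id
    results = {}
    n = issuer.challenge()
    code = make_auth_code(key, 12500, "EUR", payee, n)
    results["genuine"] = issuer.verify(code, 12500, "EUR", payee, n)
    results["replay"] = issuer.verify(code, 12500, "EUR", payee, n)
    n = issuer.challenge()
    code = make_auth_code(key, 12500, "EUR", payee, n)
    results["payee_changed"] = issuer.verify(code, 12500, "EUR", "PAYEE-ACCOUNT-9999", n)
    n = issuer.challenge()
    code = make_auth_code(key, 12500, "EUR", payee, n)
    results["amount_changed"] = issuer.verify(code, 995000, "EUR", payee, n)
    return results
```

The server recomputes the code from the transaction it is about to execute, not from values echoed back by the client, which is what ties the payer's approval to that specific amount and payee.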