What Knowledge elements are compatible with Strong Customer Authentication (SCA) requirements?
The following summarises the European Banking Authority (<a href="/glossarycollection/european-banking-authority" style="color:#48277C;" target="_blank" title="European Banking Authority"><u>EBA</u></a>) view on what does and does not constitute a knowledge element under the Regulatory Technical Standards (<a href="/glossarycollection/regulatory-technical-standards" style="color:#48277C;" target="_blank" title="Regulatory Technical Standards"><u>RTS</u></a>) on Strong Customer Authentication* (<a href="/glossarycollection/strong-customer-authentication" style="color:#48277C;" target="_blank" title="Strong Customer Authentication"><u>SCA</u></a>):<br/><br/>
Password;<br/><br/>
PIN;<br/><br/>
Knowledge-based challenge questions;<br/><br/>
Passphrase;<br/><br/>
Memorised Swiping Path.<br/><br/>
The following do not constitute knowledge elements:<br/><br/>
Email address or user name; card details (printed on the card);<br/><br/>
OTP generated by, or received on, a device (hardware or software token generator, SMS OTP);<br/><br/>
and,<br/><br/>
printed matrix card or OTP list.<br/><br/>
*Compliance with SCA requirements is dependent on the specific approach used in the implementation of the elements.