
What Knowledge elements are compatible with Strong Customer Authentication (SCA) requirements?

The following summarises the European Banking Authority (EBA) view on what does and does not constitute a knowledge element under the Regulatory Technical Standards (RTS) on Strong Customer Authentication* (SCA):

Password;

PIN;

Knowledge-based challenge questions;

Passphrase;

Memorised Swiping Path.

The following do not constitute knowledge elements:

Email address or user name; card details (printed on the card);

OTP generated by, or received on, a device (hardware or software token generator, SMS OTP); and,

printed matrix card or OTP list.

*Compliance with SCA requirements is dependent on the specific approach used in the implementation of the elements.
