top of page

What Possession elements are compatible with Strong Customer Authentication (SCA) requirements?

The following summarises the European Banking Authority (<a href="/glossarycollection/european-banking-authority" style="color:#48277C;" target="_blank" title="European Banking Authority"><u>EBA</u></a>) view on what does and does not constitute a possession element under the Regulatory Technical Standards (<a href="/glossarycollection/regulatory-technical-standards" style="color:#48277C;" target="_blank" title="Regulatory Technical Standards"><u>RTS</u></a>) on Strong Customer Authentication* (<a href="/glossarycollection/strong-customer-authentication" style="color:#48277C;" target="_blank" title="Strong Customer Authentication"><u>SCA</u></a>):<br/><br/>

Possession of a device evidenced by an OTP generated by, or received on, a device (hardware or software token generator, SMS OTP);<br/><br/>

Possession of a device evidenced by a signature generated by a device (hardware or software token);<br/><br/>

Card or device evidenced through a QR code (or photo TAN) scanned from an external device;<br/><br/>

App or browser with possession evidenced by device binding — such as through a security chip embedded into a device;<br/><br/>

Card evidenced by a card reader;<br/><br/>

Card with possession evidenced by a dynamic card security code;<br/><br/>

App installed on the device.<br/><br/>

The following do not constitute possession elements:<br/><br/>

card with possession evidenced by card details (printed on the card);<br/><br/>


Card with possession evidenced by a printed element (such as an OTP list).<br/><br/>

*Compliance with SCA requirements is dependent on the specific approach used in the implementation of the elements.

bottom of page