Tokenizing your payment card as part of “strong authentication”?
Tokenization replaces the payment card number with another sequence of digits – a token, i.e. a digital asset using blockchain technology. You can assign multiple tokens to a card and dedicate each token to a particular device or channel.
Strong authentication, on the other hand, is the type of user authentication used for some operations; it ensures the confidentiality of the user’s data and is based on at least two out of three elements:
- knowledge of something that only the user knows,
- possession of something that only the user possesses,
- user’s characteristics.
The question the EBA has asked itself is: Can a token created as a result of the card tokenization process be considered as an element of ‘strong authentication’ belonging to the ‘possession’ category?
The analysis led the EBA to the following conclusions: possession can concern individualised encryption keys generated for a token or cardholder. Possession can also be understood in an abstract way and apply, e.g., to the specification of an algorithm generated specifically for a particular user.
Thus, a tokenized payment card that meets the relevant technical standards is an element of “strong authentication”.
See more: https://eba.europa.eu/single-rule-book-qa/-/qna/view/publicId/2019_4827