Wearables enabling NFC payments are now more and more popular. The biggest players of the electronic and mobile market are presenting new iterations of their smartwatches and smartbands each year. A significant question was asked to EBA by the Swedish Banking Association: “Is the PIN entered when the cardholder takes on wearable device on, still valid as a knowledge element for one or several transactions later the same day, if it can be ensured that the device has not been taken off?”
The answer is quite complex, but can be summed up by simply saying – currently used biometrical technology allows for it, however the commercially used devices don’t.
According to the EBA in cases where:
- a PIN is entered when the cardholder takes on a wearable device on the plus
- it can be ensured that the device has not been taken off
- PIN (the ‘knowledge’ element), can be potentially reused within the same session, provided that a unique authentication code is generated for each transaction. However, according to the EBA the locking mechanism on wearables simply does not ensure that its user remains in the same session, which would require communication to be established between the user and her/his payment service provider and for the user to maintain that session open by actively using the wearable device for initiating payment transactions.
In other words - the wearable user will have to re-enter PIN separately for each payment transaction carried out after the previous session (confirmed with PIN) has expired.
The above does not exclude the option to use exemptions of strong customer authentication under Articles 11 – 18 of the Delegated Regulation 2018/389.