EBA has published some additions to its Q&As on PSD2, which clarify its stance on the application of the PSD2 SCA requirements in relation to cards held in digital wallets. The questions confirm that the addition of a card to a wallet absolutely requires SCA as it leads to a token or digitised version of the payment card. While issuers can outsource certain related functions (in compliance with relevant EBA guidelines) they cannot outsource the responsibility for SCA. Further questions clarify that initiation of transactions with the card also requires SCA, and that unlocking a phone with a biometric measure or a PIN cannot be a form of SCA unless it is under the control of the issuer. Finally, it confirms that SCA must be applied when an expired token is replaced.
