It is important to clarify that a unique identification ticket used in PKI solutions, such as mobile identification based on security module on a SIM-card, fulfils the requirement of a code that is accepted only once.

It is essential to link the requirements to the eIDAS Regulation so that eIDAS Level of Assurance 3 (substantial) always fulfils the criteria for SCA according to the articles 97 and 98 of PSD2.

There is an evident need for exemptions from SCA in order to guarantee that there is a possibility to use one-click payments for low-value transactions. It is of greatest importance that the threshold values are applied in coherent manner. On the proposal, there are different limits for contactless payments and electronic payments. The limits proposed in article 8.2 point (d) should be the same as in para 1 point b, i.e. 50 euros and 150 euros or, alternatively, the same as used in the PSD2 article 42, including the option to double the amounts for national payments. This would bring coherence to regulatory environment. It can be confusing also to users of payment services to have a great number of differing threshold values.

Additionally, payments for voice-based services that exceed the limits meant in article 3 of PSD2, point (l), are in the scope of the requirement of SCA according to article 97 of PSD2. It is very challenging to incorporate SCA to voice-based services as it would seriously compromise user experience.

It should be kept in mind that substantial share of electronic payments are carried out via mobile phones. According to the EU and national telecoms regulations and practice users of mobile phones have a duty of care to protect their devices by PIN numbers in order to avoid unauthorised usage. Due to this practice, a lost mobile phone is not as likely to be used for unauthorised payments as a lost credit card allowing contactless payments.

Yes we do. It is not clear from article 74.2 of PSD2 that payment service is not liable if it does not employ SCA in cases where an exemption according to article 98 is applicable or, furthermore, would be prevented from using SCA. It should be clarified in the RTS that PSPs are not liable when they are exempted or prevented from using SCA according to the RTS. Otherwise the risk position of service providers offering low-value payments may become too challenging, which may have very negative impact for European micro payment market.

Website certificates can be deployed here as e-IDAS provides common European standards for certificates.

FiCom, Finnish Federation for Telecommunications and Teleinformatics represents Finnish telecoms and IT industry. Finnish mobile operators provide their users both eID and mobile payment services.