Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Art. 4, paragraph 3
Subject Matter:
Display of incorrect authentication factors in case of failed authentication attempts

For remote card transactions, may the user be informed of the incorrect authentication factor in case of a failed authentication attempt provided this does not increase the risk of fraud (e.g. for in-app transactions)?

Background on the question:

Article 4(3)(a) RTS requires that, if the authentication has failed to generate an authentication code, the identification of the incorrect authenticating factor must be impossible. This requirement can result in a poor user experience, as it was outlined in relation to Face-to-Face (F2F) payments during the EBA consultation on the draft RTS of August 2016. Some participants requested the EBA that "the current model of transaction failure feedback for card transactions, i.e. 'wrong PIN message' should be kept to avoid confusion for the payer and payee" (Question 5, page 49 of the Feedback Table annexed to the final draft RTS of February 2017). As a result of the consultation, F2F transactions have been excluded from the scope of this requirement. In our view, a pragmatic interpretation would be that not only F2F but also remote card transactions should be excluded from the scope of this requirement if this does not increase the risk of fraud. For example, with in-app transactions, the card is tokenized. The token is an ownership factor that is embedded in the device (or stored in the cloud). Thus, the token can never be an 'incorrect' authenticating factor (unless a technical error occurs). The incorrect factor is necessarily the other one (i.e., the fingerprint or the OTP). Informing the user of this does not increase the risk of fraud and would result in an improved customer experience.

Final Answer:

In accordance with Article 4(3)(a) of the Commission Delegated Regulation (EU) 2018/389, "Payment service providers shall ensure that the authentication by means of generating an authentication code includes each of the following measures: (a) where the authentication for remote access, remote electronic payments and any other actions through a remote channel which may imply a risk of payment fraud or other abuses has failed to generate an authentication code for the purposes of paragraph 1, it shall not be possible to identify which of the elements referred to in that paragraph was incorrect".

Accordingly, payment service providers should not provide any indication on which element was incorrect.
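The requirement above is, in engineering terms, a rule about error handling in a multi-factor check: the user-facing outcome of a failed remote authentication must be identical whichever element was wrong. The following Python example is added here for illustration and is not part of the EBA's answer or of any PSP's code; the factor names, the token registry and the OTP values are constructed for the example. It contrasts a leaky check that names the failed element with a compliant one that evaluates every element, returns one generic message, and keeps the per-factor detail only in an internal record for fraud monitoring, never in the response sent to the user.

```python
import hmac
from dataclasses import dataclass, field

# Generic message shown to the payer on any failure; it deliberately says
# nothing about which element (possession token, OTP, ...) was wrong.
GENERIC_FAILURE = "Authentication failed. Please try again."


@dataclass
class AuthResult:
    success: bool
    message: str                       # user-facing text
    failed_factors: tuple = field(default_factory=tuple)  # internal only


def verify_possession(device_token: str, registered_token: str) -> bool:
    """Possession element: the tokenized card bound to the device (constructed)."""
    return hmac.compare_digest(device_token, registered_token)


def verify_otp(presented_otp: str, expected_otp: str) -> bool:
    """Knowledge/possession element: the one-time code (constructed)."""
    return hmac.compare_digest(presented_otp, expected_otp)


def authenticate_leaky(device_token: str, otp: str,
                       registered_token: str, expected_otp: str) -> AuthResult:
    """The 'before' form: short-circuits and tells the user which element failed.
    This is exactly what Article 4(3)(a) forbids for remote channels."""
    if not verify_possession(device_token, registered_token):
        return AuthResult(False, "Device token invalid")
    if not verify_otp(otp, expected_otp):
        return AuthResult(False, "Wrong one-time code")
    return AuthResult(True, "Authenticated")


def authenticate_compliant(device_token: str, otp: str,
                           registered_token: str, expected_otp: str) -> AuthResult:
    """Evaluates every element before deciding, so that neither the message
    nor the early-exit timing reveals which element was incorrect."""
    checks = (
        ("possession", verify_possession(device_token, registered_token)),
        ("otp", verify_otp(otp, expected_otp)),
    )
    failed = tuple(name for name, ok in checks if not ok)
    if failed:
        # Detail is retained for the PSP's own fraud monitoring, not for the user.
        return AuthResult(False, GENERIC_FAILURE, failed)
    return AuthResult(True, "Authenticated")


def user_facing(result: AuthResult) -> dict:
    """Serialises only the fields that may leave the PSP; the internal
    failed_factors tuple is dropped before the response is built."""
    return {"success": result.success, "message": result.message}


def audit_record(session_id: str, result: AuthResult) -> dict:
    """Internal record for fraud monitoring (constructed format)."""
    return {"session": session_id, "success": result.success,
            "failed_factors": list(result.failed_factors)}


if __name__ == "__main__":
    registered, expected = "tok-1a2b3c", "482913"     # constructed sample values
    for tok, code in (("tok-1a2b3c", "482913"), ("tok-1a2b3c", "000000"),
                      ("tok-XXXXXX", "482913")):
        r = authenticate_compliant(tok, code, registered, expected)
        print(user_facing(r), audit_record("s-42", r))
```

Both wrong-token and wrong-OTP attempts produce the same `{"success": False, "message": GENERIC_FAILURE}` response, while the audit record still lets the PSP distinguish a mistyped code from an unknown device; that separation is what keeps the design both compliant with Article 4(3)(a) and useful for detection.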

Answer prepared by:
Answer prepared by the EBA.