Is a single Strong Customer Authentication (SCA) sufficient for transactions performed in staged wallet solutions? Does the funding transaction qualify as a transaction initiated by the payee only, which does not require SCA by the Account Servicing Payment Service Providers (ASPSP)?
The CDR does not contain specific provisions for wallet solutions. Difficulties arise in the ‘staged’ wallet scenario, where in principle there are two transactions that would require SCA (unless exemptions apply):
1. one for the funding of the wallet, where the wallet provider, acting as a merchant, pulls the funds from the consumer’s funding instrument (e.g. a credit card) and places it in the consumer’s wallet;
2. another one for the payment transaction to the payee, where the wallet operator transfers the funds to the ultimate merchant’s wallet account.
The funding transaction should be considered as a transaction initiated by the payee only, which means that it does not require SCA by the ASPSP, provided that the initial addition of the funding instrument to the wallet was securely performed using SCA by the ASPSP - this can be likened to the setting-up of a direct-debit mandate, so subsequent transactions would be payee-initiated.
The second element of the transaction, i.e. the transfer of funds to the payee, would be subject to SCA by the wallet provider (unless an exemption applies).
This would significantly simplify the consumer experience and avoid customer confusion, who would avoid having to go through two separate authentication processes within such a short timeframe for the same transaction.
Today, this applies mainly in a scenario where the wallet is funded by a credit card. However, in the future, and with the rise of instant payments, other types of funding instruments will develop and should be considered.
Article 97(1)(b) of Directive 2015/2366/EU (PSD2) states that Member States shall ensure that a payment service provider (PSP) applies strong customer authentication (SCA) where the payer initiates an electronic payment transaction.
As stated in Q&A 2018_4031, card-based payment transactions are considered as payment transactions initiated by the payer through the payee and thus fall under Article 97(1)(b) PSD2.
Q&A 2018_4131 clarified that payments that are based on a (standing) agreement between a customer and a merchant, according to which the customer authorises the merchant to initiate subsequent transactions in relation to the agreed delivery of goods or services, can be considered as payee initiated transactions, provided that these payments are not dependent on a specific action of the payer to trigger the initiation of the payment by the payee.
Accordingly, in the case of payment transactions initiated via a staged wallet, where the payer has registered a payment card as a funding source, SCA needs to be applied to the payment transactions initiated by the payer, unless an exemption under the Commission Delegated Regulation (EU) 2018/389 applies.
Therefore, in the cases where the PSP that operates the wallet (wallet provider) has issued personalised security credentials to the payment service user (PSU), SCA should be applied to both transactions, unless an exemption under the Delegated Regulation applies. First, the PSP that has issued the payment card should apply SCA to the funding transaction. Then, the wallet provider should apply SCA to the payment transaction to the merchant.
In the specific case where the funding transaction is initiated by the wallet provider based on a (standing) agreement between the PSU and the wallet provider, the funding transaction can be considered as transaction initiated by the payee, provided that all conditions set out in Q&A 2018_4131 are met.
Finally, in line with Q&A 2019_4827, SCA should be applied at the time of the issuance of the token (the initial addition of the funding payment instrument) in accordance with Article 97(1)(c) of PSD2.