Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Type of submitter:
Credit institution
Subject Matter:
Contactless payments at point of sale - Applications of the conditions

What activity can be considered a proper application of strong customer authentication according to the Article 11 Paragraph b of the Commission Delegated Regulation (EU) 2018/389?

Background on the question:
We need to specify list of activities which are able to reset 150 € limit or 5 transaction limit for the card.
Currently, we allow contactless transactions without strong authentication (PIN) for a cumulative limit of xxx € for x-days period (no CVM). This limit is divided into two parts.
First part is dedicated for the offline authorizations (in chip), when this limit is exceeded, the online authorization (in our host) is required, where the second part of this limit is set (online).
When the maximum amount for the offline authorizations is exceeded, the authorization (such as contactless payment) is declined. In such a case client gets a standard decline message which does not contain any information on why was the transaction declined nor that it is still possible to authorize the transaction as a contact transaction (with a PIN).
Date of submission:
Published as Final Q&A:
Final Answer:

The exemption under Article 11 of the Commission Delegated Regulation (EU) 2018/389 applies to contactless electronic payment transactions at point of sale, where strong customer authentication (SCA) does not apply. When the cumulative monetary amount or the maximum number of transactions without SCA is reached, the limit will be reset at the next non-remote payment transaction, contactless or not, where SCA is applied. This means that the counter could be reset either at a point of sale or an ATM transaction. The application of SCA for a remote transaction would not reset this limit.

In addition, as clarified in paragraph 43 of the EBA Opinion on the implementation of the RTS on Strong customer authentication and secure communication, “the cumulative limit is either the limit based on the number of transactions or the monetary amount (but not both)”.
Final Q&A
Answer prepared by:
Answer prepared by the EBA.