Level 1 text of the PSD2 in Article 2(4) which expands (as compared with PSD1) the scope of PSD to one-leg transactions where “only one of the payment service providers is located within the Union [EEA], in respect to those parts of the payments transaction which are carried out in the Union [EEA].”, except for a specified list of articles. As articles 97-98 are not listed among those exempted from the one-leg scope, the one-leg scope applies to articles 97-98 on SCA and the RTS.

As SCA is always performed by the PSP of the payer, for card-based payments as well as for credit transfers, the articles 97-98 cannot apply to transactions with a non-EEA PSP of the payer. It is worth noting that even if e.g. the card chip is read by and the PIN is entered into a terminal at a merchant acquired by an EEA PSP, this is only data collection on behalf of the non-EEA issuer, and the authentication is therefore always performed by the non-EEA issuer; the EEA acquirer is not in any way involved in determining the validity of the credentials being used for authentication. So, the one-leg scope extension does not cover non-EEA issued cards used at merchants acquired by EEA acquirers, and these can continue to accept e.g. magstripe and non-3D Secure transactions on non-EEA-issued cards without any interference by the law transposing PSD2.

Vice versa, the articles 97-98 and the RTS on SCA should therefore apply to EEA PSPs of the payer for credit transfers and for card-based payments, regardless of whether the PSP of the payee is inside or outside the EEA. The physical whereabouts of the payer, the card or the terminal reading the card is of no consequence to this; the actual customer authentication, the validation of the data collected, is always performed by the EEA issuer and is therefore included in “those parts of the payments transaction which are carried out in the Union [EEA].”.

For a card-based payment with a card issuer in the EEA, we then have a problem if the SCA is not supported by the non-EEA acquirer: should the EEA issuer have to decline all card transactions made in non-EEA magstripe-only terminal and all non-3DSecure remote card transactions from a non-EEA acquirer? EBA responded to this issue in connection to its “Final Report Draft RTS” of 23rd February 2017 stating that “In the case of cross-border transactions where payment instruments issued under a national legal framework that does not require the use of SCA (such as magnetic stripe cards) are used within the EU or when the PSP of the acquirer is established in a jurisdiction where it is not legally required to support the strong customer authentication procedure designed by the European issuing PSP, the European PSPs shall make every reasonable effort to determine the legitimate use of the payment instrument.“. With this interpretation EEA issuers can still accept non-SCA-supported non-EEA transactions based on a best efforts principle, wherefore it is welcome.

However, this EBA statement gives rise to new interpretation issues regarding at least the following dimensions:

1. What is the definition of “a jurisdiction where it [the acquirer] is not legally required to support … [SCA]”? Is this to be read as every non-EEA country, or could other countries with the same or similar requirements on SCA in the national law, although without any direct or formal connection to the EU legislation. E.g. what about UK (having adopted the PSD2 already) after Brexit?

2. To what extent the SCA and RTS requirements still applies to those transactions for which non-EEA acquirers do support SCA, even if not legally obliged to do so?

3. How should “every reasonable effort to determine the legitimate use of the payment instrument” be interpreted? E.g. is it to always use SCA when possible?

Different interpretations of these dimensions result in a variety of practical interpretations for card-based payments, inter alia:

A. The RTS and the SCA requirements in PSD2 only apply to two-leg transactions where both the issuer and the acquirer are based in the EEA, leaving non-EEA transactions out of scope of the RTS, even in those cases where the non-EEA acquirer do support the issuer procedure for SCA.

B. For transactions from non-EEA acquirers that do support SCA, the EEA issuer must always apply SCA without the use of any of the exemptions allowed in the RTS for two-leg transactions, in order to fulfil the principle of “every reasonable effort”.

C. The EBA cannot change the level text completely; therefore the “two-leg relief” from the RTS requirements for EEA issuers only applies when both

• The acquirer is based in a jurisdiction where it is not legally required to support SCA

AND

• The acquirer does not support SCA

Meaning that for transactions where SCA is supported (EMV terminal, 3D Secure) by the acquirer, the issuer is always obliged to follow the SCA requirements of the RTS (including the use of exemptions allowed under the RTS) – for two-leg and one-leg alike.

If this is not explicitly evident from the EBA text, it should at least be implicitly given that “any reasonable effort” must mean – at a minimum – to apply the SCA requirements (including possible exemptions) in accordance with the RTS.

To illustrate the practical consequences for one-leg transactions with EEA-issued cards where SCA is supported by the non-EEA-acquirer:

•           For e-commerce transactions, where the non-EEA acquirer applies 3D-Secure:

-           Interpretation A: The RTS does not apply. The issuer can do a risk-based decision and chose not to apply SCA even on transaction amounts higher than 500 EUR.

-           Interpretation B: The issuer must apply SCA on all 3D-secure transactions from a non-EEA acquirer, without possibility to apply exemptions

-           Interpretation C: The RTS applies. The issuer can choose to apply SCA or use an exemption in accordance with the RTS. If the low value exemption for remote transactions under 30 EUR (article 16) is used, the non-EEA transaction would be added to the counter for the cumulative limit of the issuer’s choice (100 EUR or 5 transactions).

•           For contactless transactions, supported by an EMV contactless-enabled terminal with PIN-pad:

-           Interpretation A: The RTS does not apply. If allowed by scheme rules the issuer can allow contactless transactions on higher amounts than 50 EUR. Contactless transactions without SCA from a non-EEA acquirer would not add to the contactless counter for the cumulative limit of the issuer’s choice (150 EUR or 5 transactions).

-           Interpretation B: The issuer must apply SCA (PIN, biometrics) on all contactless transactions from a non-EEA acquirer.

-           Interpretation C: The RTS applies.  For contactless transactions under 50 EUR, the issuer can apply the exemption from SCA, and the non-EEA transaction would then be added to the cumulative counter of the issuer’s choice.

In its later opinion EBA-Op-2018-04, the EBA reiterated its position with a slightly different formulation:

“32. As explained in the final report on the draft RTS published in February 2017, the EBA’s view, after discussing it with the European Commission, is that SCA applies to all payment transactions initiated by a payer, including to card payment transactions that are initiated through the payee, within the EEA and apply only on a best-effort basis for cross-border transactions with one leg out of the EEA.”

When comparing this with the earlier EBA statement of February 2017, three things should be noted:

1.             In this statement EBA refers to “a payer” and not to the payer’s PSP, which could inspire additional interpretation issues. As stated above, we think the physical whereabouts of the payer should be of no consequence to the interpretation, the authentication of a card-based transaction on a card issued in the EEA is always performed in the EEA. Article 2.4 of PSD2 is clearly addressing payment service providers only, not payment service users. We therefore think this is a simple mistake, and it should read “initiated with a payer’s PSP within the EEA”.

2.             Direct reference to legal requirements under non-EEA jurisdictions is avoided, and so could then the interpretation issues that follow from that wording be.

3.             We think that the formulation that for one-leg transactions, SCA “applies only on a best-effort” makes it clear that: yes, SCA do apply also for one-leg, when it is possible for the EEA issuer to perform SCA, i.e. when the non-EEA acquirer do support SCA.