Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Type of submitter:
Industry association
Subject Matter:
Treatment of electronic bookings similar to Mail Order and Telephone Orders (MO-TO) transactions

Would hotel use-cases, which include reservations taken by third parties (such as online travel agents or brand/hotel group) for the merchant and subsequent transactions (such as post-booking processing of prepaid rates or deposits, processing of cancellation/no-show fees, processing of post-checkout charges) fall under the scope of Mail Order and Telephone Orders (MO-TO) transactions and are they therefore excluded from the strong customer authentication (SCA) requirements?

Background on the question:

In the hotel sector, payment information collected during the process of reserving accommodation does not result in a transaction at the time of the reservation, with credit card details utilised only as a guarantee for future payment. If payment details are collected at time of booking, but no payment is processed at that time or by that booking entity, no e-commerce has occurred.

Date of submission:
Published as Final Q&A:
EBA Answer:

Pursuant to Article 97 (1)(b) Directive 2015/2366/EU (PSD2), Member States shall ensure that a payment service provider applies strong customer authentication (SCA) when the payer initiates an electronic payment transaction. As stated in Q&A 2018_4031, card-based payment transactions are considered as payment transactions initiated by the payer through the payee and thus fall under Article 97(1)(b) PSD2.

Recital 95 of PSD2 clarifies that “There does not seem to be a need to guarantee the same level of protection to payment transactions initiated and executed with modalities other than the use of electronic platforms or devices, such as paper-based payment transactions, mail orders or telephone orders.” 

Accordingly, remote non-electronic payment transactions that are initiated and executed via a mail order or telephone order can be considered out of scope of the SCA requirement. Therefore, as card-based payment transactions qualify as electronic payment transactions, card-based transactions initiated by the payer through the payee cannot be considered out of scope of the SCA requirement.



The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.

Final Q&A