Question ID:
2019_4795
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
1
Disclose name of institution / entity:
No
Type of submitter:
Industry association
Subject Matter:
Validity of SCA
Question:

If  Strong customer suthentication (SCA) is required at the time of booking which is more than 90 days before the guest’s arrival, will hotels be able to process the payment at location with an expired authentication token? If not, can an SCA be renewed and who would be responsible for doing so?

Background on the question:

It appears from Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication, that SCA will only be valid for 90 days. In the hotel industry, it is not uncommon for a reservation to take place more than 90 days in advance of the guest’s arrival at the hotel, with reservations regularly being made more than a year in advance. With this type of payment, there is a specific time-frame foreseen in between booking a room and when the actual reservation takes place, to which the customer agrees in advance.

Date of submission:
19/06/2019
Published as Final Q&A:
24/09/2021
EBA Answer:

Article 97(1)(b) of Directive 2015/2366/EU (PSD2) prescribes that payment service providers (PSPs) shall apply strong customer authentication (SCA) where the payer initiates an electronic payment transaction.

PSD2 and the Commission Delegated Regulation (EU) 2018/389 do not specify a timeframe for the validity of an SCA applied at the time when a payer initiates an electronic payment transaction. Accordingly, PSD2 and the Delegated Regulation do not restrict the possibility for SCA to be applied more than 90 days in advance of a future-dated payment transaction.

Status:
Final Q&A
Answer prepared by:
Answer prepared by the EBA.
Image CAPTCHA