Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Type of submitter:
Industry association
Subject Matter:
Intermediaries and Merchant-ID

In the hotel industry, given that when a customer reserves a room, a payment is often not taken at this time, should an entity (intermediary, online travel agent or brand/hotel group) that collects payment details from a customer also facilitate strong customer authentication (SCA), regardless of when or by whom the actual payment transaction may be processed? If yes, should the customer be explicitly informed of the entities involved in order for their consent to be valid?

Background on the question:

In the hotel industry, there is a high degree of intermediation between the hotel (merchant) and guest (customer) through Online Travel Agents (OTAs such as, franchisor booking channels (such as, or global distribution systems (such as Sabre). These intermediaries play a key role in our booking infrastructure. In some cases, intermediaries will take credit card details on the hotel's behalf, but they do not have the facilities, nor do they bear the risk for concluding payments – this instead remains in the hands of the individual hotels.

Date of submission:
Published as Final Q&A:
EBA Answer:

Article 97(1)(b) of Directive 2015/2366/EU (PSD2) prescribes that payment service providers (PSPs) shall apply strong customer authentication (SCA) where the payer initiates an electronic payment transaction. Article 97(2) of PSD2 provides that for electronic remote payment transactions, PSPs shall apply SCA that includes elements which dynamically link the transaction to a specific amount and a specific payee.

Article 5(1)(a) of the Commission Delegated Regulation (EU) 2018/389 states that where PSPs apply SCA in accordance with Article 97(2) of PSD2, ‘the payer is made aware of the amount of the payment transaction and of the payee’.

Accordingly, the payment service user should be aware of the payee (the hotel in the case described by the submitter). PSD2 and the Delegated Regulation do not specify how the interaction between the payee and parties (the intermediaries in the case described by the submitter) acting on its behalf should take place.

Finally, the payer’s consent to execute a payment transaction shall be given in accordance with the requirements of PSD2, including Article 64(2) which specifies that the payer's consent to execute a payment transaction shall be given to the PSP, or via the payee or a payment initiation service provider.

Final Q&A
Answer prepared by:
Answer prepared by the EBA.