Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Type of submitter:
Industry association
Subject Matter:
Merchant IDs and SCA

In the situation where Strong Consumer Authentication (SCA) was completed at the time of completing a hotel booking by an Online Travel Agent (OTA) or under their Merchant ID but the actual payment will take place at the time of arrival: will the SCA authentication token remain valid for the hotel (merchant) making the charges and its respective Merchant ID?

Background on the question:

In the hotel industry, there is a high degree of intermediation between the hotel (merchant) and guest (customer) through Online Travel Agents (OTAs such as, franchisor booking channels (such as, or global distribution systems (such as Sabre). At the same time, these channels may have a diversity of Merchant-IDs (MIDs) different than that of the hotel.

Date of submission:
Published as Final Q&A:
EBA Answer:

Article 97(1)(b) of Directive 2015/2366/EU (PSD2) prescribes that payment service providers (PSPs) shall apply strong customer authentication (SCA) where the payer initiates an electronic payment transaction.

Q&A 2019_4795 clarified that ‘PSD2 and the Delegated Regulation (EU) 2018/389 do not specify a timeframe for the validity of SCA applied at the time when a payer initiates an electronic payment transaction’.

Accordingly, the SCA applied at the time of the booking shall allow the future-dated payment transaction to be executed.

Article 97(2) of PSD2 states that for electronic remote payment transactions, PSPs shall apply SCA that includes elements which dynamically link the transaction to a specific amount and a specific payee.

Article 5(1)(a) and (c) of the Commission Delegated Regulation (EU) 2018/389 states that where PSPs apply SCA in accordance with Article 97(2) of PSD2, ‘the payer is made aware of the amount of the payment transaction and of the payee’ and ‘the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer’.

Accordingly, the payment information displayed to the payer during the authentication shall include the payee (the hotel in the case described by the submitter). The authentication code shall be specific to the same payee, agreed to by the payer. If the payee and the specific amount do not change, the authentication code shall remain valid.

PSD2 and the Delegated Regulation do not require the payer to be made aware of third parties that are different from the payee, including intermediaries acting on behalf of the payee.

Final Q&A
Answer prepared by:
Answer prepared by the EBA.