2020_5247 Clarification of remote payment for dynamic linking

Question ID: 2020_5247
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
Paragraph: 2
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 5
Name of institution / submitter: Smart Payment Association
Country of incorporation / residence: Germany
Type of submitter: Industry association
Subject matter: Clarification of remote payment for dynamic linking
Question: Is a SEPA Credit Transfer (SCT) transaction, whereby a user mobile phone interacts locally via Near Field Communication (NFC) with a merchant payment terminal to initiate the SCT transaction, whereby the user mobile phone does not communicate remotely over a mobile network for this purpose but whereby the payment terminal connects on-line to a payment system and handles the required strong customer authentication (SCA) through this on-line channel, considered an electronic remote payment transaction?
Background on the question: Article 5 of the RTS on strong customer authentication and secure communication states that the provisions for dynamic linking apply, in accordance with Article 97(2) of Directive (EU) 2015/2366, for electronic remote payment transactions.

Mobile wallets or smart cards could be used in store, at a point of sale terminal, to initiate instant payments without, similarly to today’s card based payments, requiring a redirection for SCA: The mobile wallet or payment card would be provisioned with Account Servicing Payment Service Provider (ASPSP) keys for the purpose of cryptogram calculation and be capable of verifying the Payment Service User (PSU) by means of a PIN or biometric modality. The cryptogram would be passed to the terminal locally via NFC and sent by the terminal to the ASPSP via a Payment Initiation Service Provider (PISP). It is interesting to understand if the cryptogram calculated by the device should be dynamically linked to transaction amount and payee identifier. The EMV standard that could be used for this purpose currently only provides for the signing of the transaction amount.
Submission date: 12/05/2020
Final publishing date: 13/04/2022
Final answer: Article 4(24) of Directive 2015/2366/EU (PSD2) defines ‘credit transfer’ as ‘a payment service for crediting a payee’s payment account with a payment transaction or a series of payment transactions from a payer’s payment account by the payment service provider which holds the payer’s payment account, based on an instruction given by the payer’.
Given that the credit transfers are by definition payer-initiated electronic payments, strong customer authentication (SCA) applies, in accordance with Article 97(1), point (b), PSD2.
Article 97(2) PSD2 states that dynamic linking - in accordance with Article 5 of Commission Delegated Regulation (EU) 2018/389 (RTS on SCA and CSC) - applies to electronic remote payment transactions.

Article 4(6) PSD2 defines remote payment transactions as “a payment transaction initiated via internet or through a device that can be used for distance communication”.
In the case described by the submitter, it seems that the payer would initiate a credit transfer at a point of sale terminal (POS terminal) with contactless functionality (e.g. near field communication technology) within the premises of the merchant. Such a transaction should therefore be considered 50 as a proximity payment which would not require the application of the dynamic linking requirements under Article 97(2) PSD2.

By contrast, Q&A 5367 provides further details on the application of the dynamic linking requirements to mobile initiated credit transfers initiated at a PoS with the authentication of the payer being carried out via the internet.
Disclaimer:

The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.
Status: Final Q&A
Answer prepared by: Answer prepared by the European Commission because it is a matter of interpretation of Union law.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Disclaimer