2020_5288 Mount unattended contactless device on general goods vending machines

Question ID: 2020_5288
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 11, 12 and 16
Type of submitter: Other
Subject matter: Mount unattended contactless device on general goods vending machines
Question: With the limits described in Articles 11 and 16 of the Regulatory Technical Standards on strong customer authentication and secure communication under Directive 2015/2366/EU (PSD2), could a vendor mount an unattended "contactless only" device without pinpad on a general goods vending machine?
Background on the question: In this case, where a vendor mounts an unattended "contactless only" device without pinpad on a general goods vending machine, the customer has no way to insert any strong customer authentication (SCA) method when he purchases.

In Europe there are many thousands of general goods vending machines that have mounted an unattended "contactless only" device without pinpad, and at the moment there are not alternatives with pinpad and with the same dimensions that can be mounted.

There are many examples of mounted unattended cashless devices:

These are mounted on many thousands of general goods vending machines throughout Europe, and applying SCA on these is impossible.

Owners can change such cashless payment devices with others with pinpad onboard with a lot of at a great cost. Moreover at the moment, there are no devices with compatible dimensions to replace those installed.

If you input your PIN in a vending machine, this is less secure than making low import payments without SCA, simply paying using contactless with exemptions on other vending machines too, such as transport fares and parking fees.
Submission date: 03/06/2020
Final publishing date: 11/03/2022
Final answer: Q&A 4057 clarified that:

- strong customer authentication (SCA) applies for payment transactions at vending machines;

- the exemption under Article 12 of the Commission Delegated Regulation (EU) 2018/389 on ‘Unattended terminals for transport fares and parking fees’ does not apply to vending machines for purchasing goods;

- the exemption under Article 11 of the Delegated Regulation on ‘Contactless payments at point of sale’ may apply to those vending machines where contactless payments can be used;

- other exemptions from SCA, including the exemption under Article 16 of the Delegated Regulation on ‘Low-value transactions’, may apply for remote payment transaction at vending machines.

Accordingly, it is for each vendor to decide whether to mount a contactless only terminal without a pinpad on vending machines. However, in case the payment service user is requested to apply SCA, the PSU, depending on the SCA approach provided by the PSP, may not be able to initiate the payment transaction.
Status: Final Q&A
Answer prepared by: Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Disclaimer