With the limits described in Articles 11 and 16 of the Regulatory Technical Standards on strong customer authentication and secure communication under Directive 2015/2366/EU (PSD2), could a vendor mount an unattended "contactless only" device without pinpad on a general goods vending machine?
In this case, where a vendor mounts an unattended "contactless only" device without pinpad on a general goods vending machine, the customer has no way to insert any strong customer authentication (SCA) method when he purchases.
In Europe there are many thousands of general goods vending machines that have mounted an unattended "contactless only" device without pinpad, and at the moment there are not alternatives with pinpad and with the same dimensions that can be mounted.
There are many examples of mounted unattended cashless devices:
These are mounted on many thousands of general goods vending machines throughout Europe, and applying SCA on these is impossible.
Owners can change such cashless payment devices with others with pinpad onboard with a lot of at a great cost. Moreover at the moment, there are no devices with compatible dimensions to replace those installed.
If you input your PIN in a vending machine, this is less secure than making low import payments without SCA, simply paying using contactless with exemptions on other vending machines too, such as transport fares and parking fees.
Q&A 4057 clarified that:
- strong customer authentication (SCA) applies for payment transactions at vending machines;
- the exemption under Article 12 of the Commission Delegated Regulation (EU) 2018/389 on ‘Unattended terminals for transport fares and parking fees’ does not apply to vending machines for purchasing goods;
- the exemption under Article 11 of the Delegated Regulation on ‘Contactless payments at point of sale’ may apply to those vending machines where contactless payments can be used;
- other exemptions from SCA, including the exemption under Article 16 of the Delegated Regulation on ‘Low-value transactions’, may apply for remote payment transaction at vending machines.
Accordingly, it is for each vendor to decide whether to mount a contactless only terminal without a pinpad on vending machines. However, in case the payment service user is requested to apply SCA, the PSU, depending on the SCA approach provided by the PSP, may not be able to initiate the payment transaction.