- Question ID
- Legal act
- Directive 2015/2366/EU (PSD2)
- Other topics
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Name of institution / submitter
Multi-Stakeholder Group Mobile initiated SEPA (instant) credit transfers
- Country of incorporation / residence
- Type of submitter
- Subject matter
SCA requirements with dynamic linking for mobile initiated credit transfers (MSCTs)
Can mobile initiated credit transfer (MSCT) solutions, whereby a proximity technology (e.g. NFC, QR-code, BLE, etc.) is used for the exchange of payer identification data between the payer’s mobile device and the payee’s payment terminal but a mobile network is used (e.g. by a dedicated app) on the payer’s mobile device for the payer authentication, be considered a proximity payment whereby strong customer authentication (SCA) may apply without requiring dynamic linking?
- Background on the question
Article 4 of PSD2, definition 6 on remote payment transaction, and Article 5 of the RTS on strong customer authentication and secure communication state that the provisions for SCA with dynamic linking apply, in accordance with Article 97(2) of Directive (EU) 2015/2366, for electronic remote payment transactions.
For mobile initiated credit transfers (MSCTs), solutions may be used for retail proximity payments whereby the mobile network connection is only used by the payer’s mobile device (e.g. by a dedicated app) for authentication purposes. This means that a proximity technology (such as QR-code, NFC or BLE) is used in the initial step from the payer’s mobile device to the payee’s terminal to exchange the payer identification (e.g. a token through a QR-code).
This payer identification is forwarded with the transaction details (including the payee and transaction amount) in a payment request from the merchant to the payee’s MSCT service provider. Next, the payment request is further forwarded by the payee’s MSCT service provider to the payer’s MSCT service provider (the payer’s MSCT service provider is identified based on the payer identification).
The payer’s MSCT service provider identifies the payer, retrieves the transaction details from the payment request and requests an authentication for this transaction (SCA) from the payer via the payer’s mobile device (e.g., by presenting biometrics or a mobile code on the mobile device and the subsequent generation of a cryptogram/authentication code by the app on the mobile device) to confirm the transaction.
The cryptogram/authentication code is sent from the payer’s mobile device to the payer’s MSCT service provider for verification. If this SCA is successful, the payer’s MSCT service provider initiates the credit transfer with the payer’s ASPSP.
Can this MSCT be considered as a proximity payment not requiring SCA with dynamic linking or is this type of MSCT always to be considered as an electronic remote payment requiring SCA with dynamic linking?
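Added example (not from the submitter or the EBA) showing what dynamic linking under Article 5 of the RTS means for the cryptogram/authentication code in the flow above: the code is computed over the payee and amount the payer confirmed, so the payer’s MSCT service provider rejects it if either field differs in the request it is about to execute. The shared key, IBAN, token and amounts are constructed placeholders; the static code at the end is a deliberately weak contrast that is bound only to a transaction id.

```python
import hmac
import hashlib
import json

# Constructed demo key shared by the payer's app and the payer's MSCT service provider.
# In a real deployment it would be provisioned to the app's keystore/secure element.
APP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

# Fields the authentication code must be linked to: the specific payee and the specific amount.
LINKED_FIELDS = ("txn_id", "payee", "amount", "currency")


def canonical(request: dict) -> bytes:
    """Deterministic byte encoding of the linked fields, so both sides hash the same thing."""
    linked = {k: request[k] for k in LINKED_FIELDS}
    return json.dumps(linked, sort_keys=True, separators=(",", ":")).encode()


def generate_auth_code(request: dict, key: bytes = APP_KEY) -> str:
    """Payer's app: after the payer sees and confirms payee + amount, produce a code bound to them."""
    return hmac.new(key, canonical(request), hashlib.sha256).hexdigest()


def verify_auth_code(request: dict, code: str, key: bytes = APP_KEY) -> bool:
    """Payer's MSCT service provider: accept the code only for the exact payee/amount it will execute."""
    return hmac.compare_digest(generate_auth_code(request, key), code)


def static_code(txn_id: str, key: bytes = APP_KEY) -> str:
    """Weak contrast: a code bound only to a transaction id, i.e. without dynamic linking."""
    return hmac.new(key, txn_id.encode(), hashlib.sha256).hexdigest()


def demo() -> dict:
    # Constructed payment request as forwarded from the payee's to the payer's MSCT service provider.
    request = {"txn_id": "MSCT-0001", "payer_token": "tok-qr-7f3a",
               "payee": "NL91ABNA0417164300", "amount": "24.90", "currency": "EUR"}
    code = generate_auth_code(request)
    # Same transaction id, but the amount was altered in transit after the payer confirmed 24.90 EUR.
    tampered = dict(request, amount="2490.00")
    return {
        "linked_accepts_original": verify_auth_code(request, code),
        "linked_rejects_tampered": not verify_auth_code(tampered, code),
        # The static code cannot tell the two apart, which is why Article 5 RTS requires linking.
        "static_cannot_detect": static_code(request["txn_id"]) == static_code(tampered["txn_id"]),
    }


if __name__ == "__main__":
    print(demo())
```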
- Submission date
- Final publishing date
- Final answer
Article 97(1)(b) of Directive 2015/2366/EU (PSD2) requires payment service providers (PSPs) to apply strong customer authentication (SCA) when the payer initiates an electronic payment transaction, including credit transfers. In the case of electronic remote payment transactions, Article 97(2) of PSD2 requires PSPs to apply SCA that includes elements which dynamically link the transaction to a specific amount and a specific payee.
Article 4(6) of PSD2 defines remote payment transaction as ‘a payment transaction initiated via internet or through a device that can be used for distance communication’.
Article 4(13) of PSD2 defines payment order as ‘an instruction by a payer or payee to its payment service provider requesting the execution of a payment transaction’.
Article 4(15) of PSD2 defines payment initiation service as ‘a service to initiate a payment order at the request of the payment service user with respect to a payment account held at another payment service provider’.
In the case described by the submitter, the EBA understands that the payer would initiate a credit transfer at a point of sale (PoS) with contactless functionality, with the authentication of the payer taking place on a mobile application and requiring a mobile network. In this case, the initiation of the payment transaction, including the authentication of the payment service user (PSU), is dependent on the use of the internet, and carries additional risk of fraud, such as a fraudster intercepting the communication between the PSU and the PSP. Therefore, such a transaction should be considered a remote payment transaction and would require the application of the dynamic linking requirements under Article 97(2) PSD2.
This is also in line with Q&A 4594 since the transaction is initiated via the internet.
Finally, Q&A 5247 provides further details on the application of the dynamic linking requirements to mobile initiated credit transfers initiated at a PoS with the authentication of the payer taking place offline and not being carried out via the internet.
- Answer prepared by
Answer prepared by the EBA.