- Question ID
-
2025_7482
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
97
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
-
Article 0 - (15)
- Type of submitter
-
Other
- Subject matter
-
SCA exception for Contactless only terminals (SoftPOS) in case of emergency
- Question
-
We are in the process of developing a backup solution for our SoftPOS terminal application, intended for use during exceptional circumstances such as cyber-attacks or other disruptions to internet connectivity and acquirer systems.
As SoftPOS terminals operate exclusively with contactless transactions, and contactless transactions do not support Offline PIN, it is technically not possible to perform Strong Customer Authentication (SCA) in offline mode.
We would like to confirm whether, under these conditions, it is acceptable to process offline contactless transactions without applying SCA and follow Directive (EU) 2015/2366 article 0 (15).
- Background on the question
-
In Denmark, as well as in several other countries, legislative efforts are underway that will require all payment solutions—including SoftPOS terminals—to support offline processing.
To comply with the upcoming regulations, we must ensure that offline processing is supported, regardless of the authentication methods available.
- Submission date
- Final publishing date
-
- Final answer
-
Article 97(1)(b) of Directive 2015/2366/EU (PSD2) prescribes that the payment service provider (PSP) shall apply ‘strong customer authentication (SCA) where the payer initiates an electronic payment transaction’.
Therefore, in the case where the payer initiates an electronic card-based payment transaction at a Software Point of Sale (POS), the issuer shall apply Strong Customer Authentication (SCA) to that transaction, unless an exemption from SCA applies in accordance with Articles 11–18 of the Delegated Regulation (EU) 2018/389. Other exemptions from SCA, including for emergency situations, than those specified within the Delegated Regulation are not available.
In the specific case described by the submitter where a payment transaction is initiated at a software POS during a cyber attack or disruption to internet connectivity or acquirer's system, SCA should be applied, unless the payment transaction can be subject to an SCA exemption.
It should also be noted that, as clarified in Q&A 2018_4055, the PIN can be transmitted and verified offline, provided that it meets the requirements of Articles 6(1), 22(1) and 22(4) of the Delegated Regulation.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.