- Question ID: 2025_7678
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Other topics
- Article: n.a.
- Paragraph: n.a.
- Subparagraph: n.a.
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 5, 30 and 36
- Type of submitter: Other
- Subject matter: Clarification on the use of PSU-linked tokens in payment initiation services under the RTS
- Question:

In the context of payment initiation services, we would appreciate clarification from the EBA as to whether an ASPSP may require a PISP to use a specific token replacing the PSU’s online banking credentials, and whether such a token must be reused by the PISP across the different stages of the payment order, in particular at the payment initiation stage and for subsequent queries following the execution of the payment order. Furthermore, we would welcome clarification on the conditions under which this practice would be compatible with the provisions of Commission Delegated Regulation (EU) 2018/389.

- Background on the question:

Some ASPSPs, following the initial authentication of the PSU, issue tokens that are persistently linked to a specific PSU rather than being tied to a specific payment order. This operational approach raises significant security risks and introduces unnecessary operational complexity for PISPs, as it requires them to store and manage such tokens for reuse in subsequent stages of the payment initiation process and to transmit them in successive interactions with the ASPSP.

From the perspective of Commission Delegated Regulation (EU) 2018/389, this practice is particularly problematic, as authentication mechanisms and personalised security credentials are required to be strictly linked to a specific payment transaction, including its amount and payee, in accordance with the dynamic linking principle set out in Article 5. In this respect, the issuance of long-lived tokens linked to the PSU, rather than to a specific payment order, may undermine the requirements for Strong Customer Authentication (SCA), as it enables the initiation of new payment orders on behalf of the PSU, during the validity period of the token, without the PSU being required to undergo a new strong authentication process.

Furthermore, the use of tokens that, in practice, replicate the functionality of the PSU’s online banking credentials may conflict with Articles 30 and 36 of the Delegated Regulation, insofar as it facilitates ongoing access or the initiation of payment transactions without transaction-specific authentication and without the explicit involvement of the PSU. This increases the risk of misuse, weakens the PSU’s control over payment transactions, and may be considered incompatible with the security and consumer protection objectives underpinning the PSD2 regulatory framework.

- Submission date:
- Rejected publishing date:
- Rationale for rejection: This question has been rejected because the matter it refers to is already covered in the answer to Q&A 7261.
- Status: Rejected question