List of Q&As

Exemption of secure corporate payment processes and protocols

Is the exemption from applying strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers, applicable to both payment initiation and account information services? Or is it solely applicable to payment initiation services?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4383 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 21/11/2018 | Date of publication: 26/02/2021

Delayed or deferred PIN for wearable devices

Is the PIN entered when the cardholder puts the wearable device on still valid as a knowledge element for one or several transactions later the same day, if it can be ensured that the device has not been taken off?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4783 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 17/06/2019 | Date of publication: 25/09/2020

Compliance with SCA in offline mode on an aircraft without internet connection

How can Strong Customer Authentication (SCA) be applied in an offline environment onboard an airplane when chip and pin cannot be verified with a Point of Sale (POS) device? Specifically, how is dynamic linking achieved in an offline mode for airlines who don't have internet connectivity but instead have a closed wireless network to be able to make purchases onboard an aircraft?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4740 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 24/05/2019 | Date of publication: 06/12/2019

Unsuccessful authentications and declined transactions effect on the counters of cumulative amount and number of consecutive transactions

Do failed authentications or declined transactions increase the counters of cumulative amount or number of hits?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4785 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 18/06/2019 | Date of publication: 06/12/2019

Fraud rate calculation for TRA exemption – country dimension

Could – or should – the fraud rate for the TRA exemption be calculated per member state where a PSP provides payment services (one legal entity with branches in different countries), or should the fraud rate be aggregated as one for the whole legal entity?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4439 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 27/12/2018 | Date of publication: 12/04/2019

Showing a password after it has been masked

Article 22, 2(a) states that "personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication". Is it ok to offer the user a "show password" button, so the user can verify that the correct password has been entered, before fulfilling an authentication?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4366 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 09/11/2018 | Date of publication: 08/02/2019

Exemptions from Strong Customer Authentication (SCA): trusted beneficiaries

Should a Payment Service User (PSU) recreate a list of trusted beneficiaries that was already approved in accordance with the EBA Guidelines on the security of internet payments?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4120 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 16/07/2018 | Date of publication: 21/12/2018

Access by AISPs when customer not present up to 4 times in a 24 hour period

Is the intention that the '4 times in 24 hour period' is implemented based on 4 sessions for access for account information per consented customer account, or 4 Application Programming Interface (API) calls (where APIs are used for the dedicated interface) for account information, or another basis?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4210 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 21/08/2018 | Date of publication: 21/12/2018

Signature performed on the screen of a digital device as a factor in a two-factor SCA

Could a signature performed on the screen of a digital device be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4238 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 06/09/2018 | Date of publication: 21/12/2018

Applicability of exemption from strong customer authentication (SCA) under Article 17 for card payments

Is Article 17 of Regulation (EU) 2018/389 applicable for the payer’s Payment service provider (PSP) for card-based payments?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4239 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 06/09/2018 | Date of publication: 14/12/2018

Obligatory nature of the SCA and exemption based on transaction risk analysis

Does the exemption to the strong customer authentication (SCA) apply to any connection the payment service user (PSU) makes to his/her payment account(s), or only to the connections made through the use of third party processors (TPPs, such as AISPs or PISPs) via the interfaces (dedicated or not) set up by the bank with the TPPs, when a transaction risk analysis is performed and results in a low level of risk? That is, the connections made via the traditional online banking or the mobile application that the financial institution (the bank) provides to the final user are also eligible to a transaction risk analysis and, if a low level of risk is identified, apply exemption to the SCA? Or do the PSD2, and specifically the RTS on SCA and secure communication, not apply to the traditional connections performed by the PSUs to their payment accounts via online banking or mobile application provided by the bank (ASPSP), and do they not mandate to apply transaction monitoring in such cases?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4089 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 10/07/2018 | Date of publication: 19/10/2018