List of Q&As

Chip and Signature cards and their inclusion in the remit of RTS Article 11

Is cardholder signature a strong method of authentication when transacting with card present? If so, is there a requirement to ensure that on Chip and Signature cards we step up to signature from contactless after 5 contactless / cumulative value of 150 euros? If a signature is not considered to be strong customer authentication (SCA), are chip and signature cards exempt from SCA requirements under Article 11 of the RTS on strong customer authentication and secure communication?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4342 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 24/10/2018 | Date of publication: 09/04/2021

Trusted Beneficiaries

Article 13 of the RTS on strong customer authentication (SCA) and secure communication does not seem to restrict the use of trusted beneficiaries beside the fact that the payee must be in the list of trusted beneficiaries when initiating the payment transaction. Is it correct to conclude from this that the usage of trusted beneficiaries is not further restricted and can, therefore, also be implemented as a generic beneficiary approval step prior to every initiation of a payment transaction?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4338 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 24/10/2018 | Date of publication: 09/04/2021

TPP access only with PSU involvement

Can a Payment Service User (PSU) allow a Third party provider (TPP) the access to his account only if he is involved?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4631 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 27/03/2019 | Date of publication: 05/03/2021

Transport and parking exemption for parking and electric vehicle charging

Does the transport and parking exemption under Article 12 of Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication apply to transactions at unattended terminals for the payment of a parking fee that includes electric charging?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2020_5224 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 29/04/2020 | Date of publication: 15/01/2021

Ability of static card data to be considered a possession factor?

Can static card data (Card number PAN + cardholder name + Exp. Date + static CVV2/CVC2) be considered as a possession factor, and if so: is it strong enough to be a valid factor in a 2-factor Strong customer authentication (SCA)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4235 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 06/09/2018 | Date of publication: 15/01/2021

Transaction risk analysis (TRA) exemption – Calculation of fraud rate – Impact of unauthorized transactions on issuers and acquirers

In the case of card-based transactions, shall issuers include in their fraud rate calculation only the unauthorized transactions for which they apply strong customer authentication (SCA) or an exemption? Or, shall issuers also include unauthorised transactions for which the acquirer applies an exemption? Shall acquirers include in their fraud rate calculation only the unauthorised transactions for which they apply an exemption? Or shall acquirers also include unauthorised transactions for which the issuer applies an exemption?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4702 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 09/05/2019 | Date of publication: 24/07/2020

Strong Customer Authentication (SCA) possession element requirement for cryptographic validation

For a device to be considered possession: a) should the device perform "cryptographically underpinned validity assertions using keys or cryptographic material stored in" the device? b) should the device be in the physical possession of the Payment Service User (PSU)? I.e. it cannot be held and operated remotely.

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4532 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 11/02/2019 | Date of publication: 24/07/2020

Define what is “given period of time”

What constitutes a “given period of time” as expressed in Article 4.3 (b) of the RTS on strong customer authentication and secure communication?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4662 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 09/04/2019 | Date of publication: 19/06/2020

Scope of the corporate SCA exemption.

Does the corporate SCA exemption apply only if the payer initiates (and transmits) payments directly to their ASPSP and not for payments transmitted via a 3rd party service provider (i.e. a PISP)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4693 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 02/05/2019 | Date of publication: 14/06/2019

Testing eIDAS certificates before 14 September 2019

How can Third Party Providers (TPPs) and Account servicing payment service providers (ASPSPs) test their interfaces using PSD2 eIDAS-certificates during the testing period prior to September 2019 as it is only mandatory to use PSD2 eIDAS certificates from September 2019 onwards?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4138 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 18/07/2018 | Date of publication: 07/06/2019

Application of Transaction Risk Analysis (TRA) exemption – Real time risk analysis / monitoring

Is it acceptable if a payment service provider (PSP) looking to apply the TRA exemption makes a best effort using the information available to them to identify that none of the six individual factors mentioned in Article 18(2)(c) of the Commission Delegated Regulation 2018/389 are applicable, but does not have to actually identify non-applicability of all of these factors to be able to use the TRA exemption? 

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4127 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 17/07/2018 | Date of publication: 07/06/2019

Transaction Risk Analysis (TRA) exemption – Frequency of recalculation of fraud rate

Should the fraud rate, in accordance with Article 19 of the RTS, be recalculated every day using the trailing 90 days of data, or should it be recalculated once every 90 days (using the trailing 90 days of data)? If the fraud rate should be recalculated once every 90 days (using the trailing 90 days of data), can the calculation periods be aligned with calendar quarters? (e.g. the fraud rate for use during Q1 2020 (01-Jan-20 to 31-Mar-20) would be based on fraud data for Q4 2019 (01-Oct-19 to 31-Dec-19).)

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4045 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 28/06/2018 | Date of publication: 07/06/2019

Certification in relation to a Technical Service Provider (TSP)

When performing the role of a Technical Service Provider (TSP) is the TSP required to update the certificate received from the Third Party Payment Service Providers (TPP) (to demonstrate our involvement) to enable the Account Servicing Payment Service Provider (ASPSP) to authorise the certificate and provide the appropriate requested data back through to the TPP and establish the session? Is this same certificate required for every type of transaction request and must it be real time checked by the ASPSP and how does this impact our role as a TSP? Also, by introducing a TSP between a TPP and an ASPSP is the concept of private keys and the transport layer broken, due to the introduction of a TSP between the TPP and the ASPSP? Finally, are there limits to the number of roles involved in the chain in terms of the certification or do we just need to be able to demonstrate the link back to the point of origin for the certificate (the TPP)?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4375 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 19/11/2018 | Date of publication: 24/05/2019

Wide usage portability between Member States

Could three months’ data, showing wide usage of the dedicated interface, produced in one Member State by a regulated entity (ASPSP) belonging to an ASPSP Group, be used as evidence to support the ‘widely used’ condition in a further Member State for a separate regulated entity (ASPSP) belonging to the same ASPSP Group, on the condition that both entities employ the same dedicated interface?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: EBA/GL/2018/07 - Guidelines on the exemption from the contingency mechanism under Regulation (EU) 2018/389

ID: 2019_4638 | Topic: Other topics | Date of submission: 28/03/2019 | Date of publication: 26/04/2019

Applicability of Article 34 (eIDAS certificates) prior to application date of Regulation (EU) 2018/389

Is the use of eIDAS certificates mandatory for accessing payment accounts via dedicated interfaces (APIs) already prior to the application date of the Commission Delegated Regulation (EU) 2018/389, i.e. 14 September 2019?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4630 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 27/03/2019 | Date of publication: 26/04/2019

Content of eIDAS certificates if agents or outsource providers are involved

Who shall be the Subject Distinguished Name (DN) in the situation described in EBA Opinion on eIDAS (EBA-Op-2018-7) item 21? Does information on agents or outsource providers have to show up in the certificates?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Not applicable

ID: 2019_4507 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 01/02/2019 | Date of publication: 26/04/2019

Fraud rate calculation for TRA exemption – country dimension

Could – or should – the fraud rate for the TRA exemption be calculated per member state where a PSP provides payment services (one legal entity with branches in different countries), or should the fraud rate be aggregated as one for the whole legal entity?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4439 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 27/12/2018 | Date of publication: 12/04/2019

Fall back exemption

Article 33, § 6 of the RTS for strong customer authentication and common and secure open standards of communication (the “RTS”) provides that “Competent authorities, after consulting EBA to ensure a consistent application of the following conditions, shall exempt the account servicing payment service providers that have opted for a dedicated interface from the obligation to set up the contingency mechanism […]” (the “fall back exemption”). a) Which authority - the home authority or the host authority - is the competent authority under article 33, § 6 of the RTS, when the “fall back exemption request” concerns the dedicated interface used in a Member state where a branch of the ASPSP is located? b) Does the answer differ if the same dedicated interface is used in the home member state and in the host member state where a branch is located?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4163 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 25/07/2018 | Date of publication: 12/04/2019

Identification and access for testing purposes of entities that are not authorised third party providers (TPPs)

How would account servicing payment service providers (ASPSPs) identify entities that have applied for authorisation as a TPP? Should ASPSPs offer access to their testing facility to entities that are not (i) authorised payment service providers or (ii) entities that have applied for authorisation as a TPP (e.g. technical service providers)? If the answer is ‘yes’, should ASPSPs offer the same level of service to the referred entities?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2019_4609 | Topic: Other topics | Date of submission: 12/03/2019 | Date of publication: 29/03/2019

ASPSP is denied the waiver to the fall-back by an NCA

If an Account Servicing Payment Service Provider (ASPSP) is denied the waiver to the fall-back by a National Competent Authority (NCA) (i.e. at 13 September 2019), will the ASPSP still have 2 months to build the fall-back?

Legal act: Directive 2015/2366/EU (PSD2)

COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

ID: 2018_4140 | Topic: Strong customer authentication and common and secure communication (incl. access) | Date of submission: 18/07/2018 | Date of publication: 22/03/2019