For remote card transactions, may the user be informed of the incorrect authentication factor in case of a failed authentication attempt provided this does not increase the risk of fraud (e.g. for in-app transactions)?
Article 4(3)(a) RTS requires that, if the authentication has failed to generate an authentication code, the identification of the incorrect authenticating factor must be impossible. This requirement can result in a poor user experience, as it was outlined in relation to Face-to-Face (F2F) payments during the EBA consultation on the draft RTS of August 2016. Some participants requested the EBA that "the current model of transaction failure feedback for card transactions, i.e. “wrong PIN message” should be kept to avoid confusion for the payer and payee” (Question 5, page 49 of the Feedback Table annexed to the final draft RTS of February 2017). As a result of the consultation, F2F transactions have been excluded from the scope of this requirement. In our view, a pragmatic interpretation would be that not only F2F but also remote card transactions should be excluded from the scope of this requirement if this does not increase the risk of fraud. For example, with in-app transactions, the card is tokenized. The token is an ownership factor that is embedded in the device (or stored in the cloud). Thus, the token can never be an ‘incorrect’ authenticating factor (unless a technical error occurs). The incorrect factor is necessarily the other one (i.e., the fingerprint or the OTP). Informing the user of this does not increase the risk of fraud and would result in an improved customer experience.
In accordance with Article 4(3)(a) of the Commission Delegated Regulation (EU) 2018/389 “Payment service providers shall ensure that the authentication by means of generating an authentication code includes each of the following measures: (a) where the authentication for remote access, remote electronic payments and any other actions through a remote channel which may imply a risk of payment fraud or other abuses has failed to generate an authentication code for the purposes of paragraph 1, it shall not be possible to identify which of the elements referred to in that paragraph was incorrect”.
Accordingly, payment service providers should not provide any indication on which element was incorrect.