.svg)
The European Banking Authority (EBA) has answered further questions from the financial sector about the EU’s revised Payment Services Directive (PSD2).
In its latest batch of clarifying notes on strong customer authentication (SCA), the EBA has looked at the travel sector, which has struggled with the implementation of SCA.
Last year, some travel experts estimated that the pandemic had set back their preparations for SCA by about six months.
One questioner asked the EBA whether SCA was required at the time of booking if that event occurs more than 90 days before a guest’s arrival, and whether the hotel in question is able to process the payment on the premises with an expired authentication token.
To this, the central bank explained that neither PSD2 nor related guidelines specified a timeframe for the validity of a piece of SCA that took place at the time when a payer initiated an electronic payment transaction.
Here, the EBA stated that PSD2 and the Delegated Regulation did not “restrict the possibility for SCA to be applied” more than 90 days in advance of a future-dated payment transaction.
Another questioner asked the EBA: “In the hotel industry, given that when a customer reserves a room, a payment is often not taken at this time, should an entity (intermediary, online travel agent or brand/hotel group) that collects payment details from a customer also facilitate strong customer authentication (SCA), regardless of when or by whom the actual payment transaction may be processed?
“If yes, should the customer be explicitly informed of the entities involved in order for their consent to be valid?”
The EBA notes that the payment service user should be aware of the payee (the hotel in this case). PSD2 and the Delegated Regulation do not specify how the interaction between the payee and parties (the intermediaries) acting on its behalf should take place.
The payer must give their consent to execute a payment transaction to the PSP, or through the payee or a provider of payment initiation services.
The EBA has also answered a question from Netherlands-based bank ING, which asked whether it was acceptable to use a company-level knowledge element, in combination with a personal possession element, to associate a user of a business application with personalised security credentials such as authentication software or a knowledge element.
Here, the banking watchdog stated that this is not acceptable.
"PSPs cannot use company level knowledge as a valid SCA element to associate the payment service user (PSU) with the PSC since it will not allow the PSP to verify unequivocally the identity of the PSU and to mitigate the risk that the knowledge element is disclosed to unauthorised parties. The provision of the knowledge element should be carried out based on procedures set out by the PSP.”
The EBA also clarified the status of SCA over the phone, stating that a telephone call is not valid according to PSD2 and the delegated legislation associated with it.
This was in reply to a question submitted to it in 2020, which noted that “during the pandemics, there is a high demand for the services not requiring to meet in presence”.
In another question, a Belgian-based association asked whether anyone ought to be allowed to handle a payer’s international bank account number (IBAN) in cleartext outside the inter-PSP environment.
For example, this could be a payer’s IBAN being contained in cleartext in a payer-presented QR code provided by the payer’s device to the merchant’s point of interaction (POI) for the initiation of an instant credit transfer.
Here, the EBA points to Article 4 of PSD2, which defines personalised security credentials as personalised features provided by the PSP to a payment service user for the purposes of authentication.
Therefore, since the IBAN is not an element used for the purpose of authentication, it cannot be considered as SCA.
In addition, as someone might use an IBAN’s disclosure to defraud someone, it is for the PSP in question to gauge the risks arising from the transmission of the IBAN in free text between the device of the payer and the POI and from storing it, if applicable.
In another question, submitted in 2020, someone asked the EU’s banking watchdog: “Where a PSP is providing financial services via a third party application – either through a Payment Initiation Services Provider (PISP), Account Information Service Provider (AISP) or by providing embedded financial products or banking as a service solutions (i.e. financial services via an Application Programming Interface (API)) — is it permitted for the PSP to delegate the application of 2-Factor Authentication (2FA) to the third party?”
Here, the EBA said that the PSP can delegate the application of SCA to AISPs, PISPs or other third parties, as long as the account servicing payment service provider complies with the requirements that the regulator has set out already.
