The EU’s banking watchdog’s new Q&As clarify strong customer authentication (SCA) requirements, encryption standards and combined account and payment journeys under the second Payment Services Directive (PSD2).
The Q&As provide guidance for relevant parties on how SCA and secure communication requirements under PSD2 apply in specific technical scenarios.
Topics covered include emergency use of software point-of-sale (SoftPOS) terminals, encryption standards for APIs, and authentication in combined account information and payment initiation journeys.
SoftPOS emergency use case rejected
In a response to a question from industry stakeholders, the European Banking Authority (EBA) confirmed that payment service providers (PSPs) must apply SCA for payments at SoftPOS terminals, even during emergencies, including cyberattacks or system disruptions.
The authority stressed that only exemptions specified in Commission Delegated Regulation (EU) 2018/389 apply, and no “emergency exemption” exists.
Although it acknowledged that contactless-only SoftPOS terminals cannot support offline PIN authentication, the EBA noted that offline PIN can be transmitted and verified if regulatory requirements are met.
This clarification coincides with moves by Denmark and other EU states to mandate offline processing for all payment solutions, raising challenges for SoftPOS developers reliant on online connectivity.
The EBA’s rejection of an “emergency exemption” for SoftPOS terminals presents significant challenges for providers and merchants. As SoftPOS relies on contactless transactions and typically cannot support offline PIN, EU mandates for offline processing could increase compliance pressure on vendors such as Ingenico and acquirers including Worldline, Nexi, Adyen, SumUp, Stripe and Fiserv.
Card schemes such as Visa and Mastercard, which back SoftPOS rollouts, may also need to revisit scheme rules.
For merchants, particularly SMEs adopting SoftPOS as a low-cost alternative to traditional terminals, the EBA’s ruling raises the risk of transaction failures during connectivity disruptions, potentially requiring backup hardware.
The regulator’s determination that SoftPOS is subject to the same strict SCA regime as traditional POS could slow adoption across Europe unless vendors find a way to support secure offline PIN.
Encryption techniques
In another response to a Q&A submitted by a national competent authority, the EBA addressed whether account servicing PSPs (ASPSPs) must support all strong and widely recognised encryption techniques, such as Rivest–Shamir–Adleman (RSA) and elliptic curve cryptography (ECC), for secure API communication.
The EBA confirmed that ASPSPs are not required to provide every recognised technique. Instead, they may specify in their API documentation which encryption method they support, provided it meets the regulatory requirements under Article 35 of the RTS on SCA and common and secure communication (CSC).
The clarification follows complaints that some banks’ refusal to support ECC certificates had led to API call failures.
In its Q&A, the EU’s banking regulator came down on the side of banks, easing the technical burden on ASPSPs but also raising interoperability challenges for third parties.
The decision allows banks to standardise and reduce costs, but it risks fragmenting the market.
Aggregators and third-party providers (TPPs) such as Tink (Visa), TrueLayer, Plaid and Yapily are among those most directly affected, as they must ensure compatibility with each ASPSP’s implementation.
The EBA’s decision could ultimately favour larger players that can allocate greater resources to technical integration. Smaller firms face higher complexity in maintaining consistent and smooth connectivity across multiple banking APIs.
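The compatibility problem described above, a TPP’s ECC certificate being refused by an ASPSP that only supports RSA and surfacing as a failed API call, can be made concrete in a small Go program. This is an added example, not code from the EBA or from any ASPSP or TPP named on this page. It assumes the API is protected by certificate-based mutual TLS, uses throwaway self-signed certificates in place of real PSD2 client certificates, and the bank names, policies and certificate common names (rsa-only-bank, tpp-example-rsa and so on) are constructed. It shows both sides of the check: the TPP-side pre-check that picks a certificate matching each ASPSP’s documented policy before any call is made, and the ASPSP-side VerifyPeerCertificate hook that turns an unsupported key algorithm into a handshake failure.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ASPSPPolicy models what an ASPSP publishes in its API documentation: the
// public-key algorithms it accepts on TPP client certificates (constructed here).
type ASPSPPolicy struct {
	Name     string
	Accepted map[x509.PublicKeyAlgorithm]bool
}

// NewSelfSignedCert wraps key in a throwaway self-signed certificate standing in
// for the TPP's client certificate (an eIDAS QWAC in production); it is not one.
func NewSelfSignedCert(key crypto.Signer, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // parsed form exposes Raw DER and PublicKeyAlgorithm
}

// SelectClientCert is the TPP-side pre-check: the first held certificate whose key
// algorithm the ASPSP documents as accepted, or a readable error before any API call.
func SelectClientCert(policy ASPSPPolicy, inventory []*x509.Certificate) (*x509.Certificate, error) {
	for _, c := range inventory {
		if policy.Accepted[c.PublicKeyAlgorithm] {
			return c, nil
		}
	}
	return nil, fmt.Errorf("%s accepts none of the key algorithms of the TPP's %d certificate(s)", policy.Name, len(inventory))
}

// ClientCertPolicyHook is the ASPSP-side counterpart: a tls.Config.VerifyPeerCertificate
// callback (paired with ClientAuth: tls.RequireAnyClientCert, which guarantees rawCerts is
// non-empty) that rejects client certificates with an unsupported key algorithm in the handshake.
func ClientCertPolicyHook(policy ASPSPPolicy) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		cert, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if !policy.Accepted[cert.PublicKeyAlgorithm] {
			return fmt.Errorf("%s rejects %s client certificates", policy.Name, cert.PublicKeyAlgorithm)
		}
		return nil
	}
}

// Demo issues an RSA and an EC certificate for a hypothetical TPP and evaluates both against
// two constructed ASPSP policies: per ASPSP, the CN the pre-check picks and whether the hook accepts EC.
func Demo() (chosen map[string]string, hookAcceptEC map[string]bool, err error) {
	rsaKey, errRSA := rsa.GenerateKey(rand.Reader, 2048)
	ecKey, errEC := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if errRSA != nil || errEC != nil {
		return nil, nil, fmt.Errorf("key generation failed: %v %v", errRSA, errEC)
	}
	rsaCert, errRSA := NewSelfSignedCert(rsaKey, "tpp-example-rsa")
	ecCert, errEC := NewSelfSignedCert(ecKey, "tpp-example-ec")
	if errRSA != nil || errEC != nil {
		return nil, nil, fmt.Errorf("certificate issuance failed: %v %v", errRSA, errEC)
	}
	policies := []ASPSPPolicy{
		{Name: "rsa-only-bank", Accepted: map[x509.PublicKeyAlgorithm]bool{x509.RSA: true}},
		{Name: "rsa-or-ec-bank", Accepted: map[x509.PublicKeyAlgorithm]bool{x509.RSA: true, x509.ECDSA: true}},
	}
	chosen, hookAcceptEC = map[string]string{}, map[string]bool{}
	for _, p := range policies {
		// EC is listed first: the TPP prefers it where the ASPSP allows it.
		if c, selErr := SelectClientCert(p, []*x509.Certificate{ecCert, rsaCert}); selErr == nil {
			chosen[p.Name] = c.Subject.CommonName // absent key means no compatible certificate
		}
		hookAcceptEC[p.Name] = ClientCertPolicyHook(p)([][]byte{ecCert.Raw}, nil) == nil
	}
	return chosen, hookAcceptEC, nil
}

func main() {
	chosen, hookAcceptEC, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println(chosen, hookAcceptEC)
}
```

For rsa-only-bank the pre-check falls back to the RSA certificate and the hook rejects the EC one; for rsa-or-ec-bank the EC certificate is chosen and accepted. A TPP integrating many ASPSPs would run the pre-check once per bank, with each bank’s documented algorithms feeding the policy, so that a mismatch is reported by name rather than surfacing as an opaque transport error.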
Combined AIS/PIS journeys
A third Q&A published by the EBA dealt with the treatment of customers using account information service providers (AISPs) and payment initiation service providers (PISPs) together in a single “combined journey.”
The EBA confirmed that requiring two separate SCAs, one for granting account access and another for initiating a payment, does not automatically constitute an obstacle under PSD2 rules, even if customers face only a single SCA when transacting directly via their bank’s interface.
However, the regulator emphasised that if an ASPSP allows reuse of one SCA factor in its own channel, it should in principle also extend this to TPP journeys, unless technical or security reasons justify otherwise. Where a PISP transmits all required payment details, only one SCA should be required.
This Q&A takes the opposite position to the one on encryption techniques: by comparison, it benefits fintechs and TPPs rather than retail banks.
The clarification could prompt EU banks to ensure parity between direct and third-party channels, benefiting open banking firms by reducing friction for end-users.
Overall, the guidance signals a move towards more consistent and user-friendly authentication standards across the EU’s open banking ecosystem, long advocated by trade associations.
Implications and market impact
The EBA’s latest Q&As highlight a careful balancing act between regulatory rigour and technical feasibility.
On SoftPOS, the insistence on full SCA, even in emergencies, could slow adoption and force vendors to engineer offline authentication, potentially favouring larger providers with the resources to comply.
In contrast, the guidance on encryption standards reduces the technical burden on banks but risks market fragmentation, as TPPs must adapt to varying approaches across ASPSPs.
Finally, the combined AIS/PIS guidance favours open banking players by promoting parity with direct bank channels, encouraging smoother end-user experiences.
Collectively, these clarifications underline the EBA’s aim to enhance payment security while gradually shaping a more interoperable, user-friendly European payments ecosystem.