Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2
Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?
Yes.
Question 2: In particular, in relation to the “dynamic linking” procedure, do you agree with the EBA’s reasoning that the requirements should remain neutral as to when the “dynamic linking” should take place, under the conditions that the channel, mobile application, or device where the information about the amount and the payee of the transaction is displayed is independent or segregated from the channel, mobile application or device used for initiating the payment, as foreseen in Article 2.2 of the draft RTS?
Yes.
Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?
No.
Question 4: Do you agree with the EBA’s reasoning on the exemptions from the application of Article 97 on strong customer authentication and on security measures, and the resultant provisions proposed in Chapter 2 of the draft RTS?
We agree with the reasoning.
Article 8(1)(b) states that the exemption applies where the payer initiates a contactless electronic payment transaction at a point of sale and the cumulative amount of previous non-remote electronic payment transactions initiated via the payment instrument offering a contactless functionality without application of strong customer authentication does not exceed €150. We think that this €150 limit should be for a set period of time, for example one day or one week. If there is no limit of time then the exemption will become meaningless quickly for a lot of payers.
Article 8(2)(d)(ii) states that the exemption applies where the payer initiates a remote electronic payment transaction where ...the individual amount does not exceed €10 and the cumulative amount of previous electronic payment transactions initiated by the payer without the application of strong customer authentication does not exceed €100. We think that the €100 limit should be reset after a certain period of time. If the €100 limit was cumulative and applied forever the exemption would become meaningless quickly for a lot of payers.
It would be useful to have a definition of electronic payment transaction. Does this definition include the PSP making the payment transaction when the instruction comes through an email or telephone? If so, what constitutes a non-electronic payment transaction?