Question ID:
2018_4036
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
11
Type of submitter:
Other
Subject Matter:
Application of the low-value contactless exemption – Calculation of limits at Primary Account Number (PAN) / account level or at device / token level
Question:

May the counters for the application of the low-value contactless exemption be calculated at device/token level?

Background on the question:

The requirements for the application of the exemption for low-value contactless transactions set out in Article 11 pose some significant technical challenges for the entire EU card payments industry.

If these exemptions were to be managed at the account level (rather than the device level), this would not adequately take into account that the same payment card can be used as a plastic card or it can be registered in one or more digital/mobile wallet(s) and/or devices (e.g. smartwatches and wristbands).  In other words, multiple devices could be linked to the same card account.  Additionally, more than one physical card can be linked to a single account (e.g. additional card on an account for the cardholder’s spouse).

As regards contactless transactions, the text of the RTS states that the cumulative limits of 5 transactions / 150 EUR without SCA for the application of the exemption for low-value contactless transactions must be calculated per ‘payment instrument with a contactless functionality’ (Article 11(b) and (c) of the RTS). The PSD2 defines a ‘payment instrument’ as a 'personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order’ (Article 4(14) PSD2).

The issue is therefore whether the ‘payment instrument’ is the card account or the device that is used to pay (e.g. the smartphone where a digitized/tokenized card is registered).  We believe that the ‘payment instrument’ in this case is not the card account but the device that is used to pay.  Thus, the cumulative limits should be calculated at device level (and not at card account/PAN level). 

This is because the card account does not qualify as a ‘payment instrument’ in this case but as a 'payment account' under the PSD2.  The plastic card and the digitized card registered in a mobile wallet are the different ‘payment instruments’ through which funds may be transferred or withdrawn.

The difference between ‘payment account’ and 'payment instrument’ becomes clearer if we consider the functioning of bank accounts.  A bank account is a ‘payment account’ that may be linked to different ‘payment instruments’ (e.g., direct debits, credit transfers).  The transactions with these ‘payment instruments’ are all debited to the same bank account.

Similarly, a card account is a ‘payment account’ that may be linked to different payment instruments (e.g., the plastic card and the digitized card registered in a mobile wallet).  The transactions with these instruments are all debited on the same card account.  In this case, the card account itself does not qualify as a ‘payment instrument’, but as a ‘payment account’ from which funds may be used through different ‘payment instruments’, i.e., devices.

There are other practical reasons why the exemption should apply at device level.  When a card is registered in one or more mobile wallet(s), the PAN is tokenized.  The tokenised PAN is unique for each wallet and each tokenised PAN is completely independent from another.

If the limits for the application of the exemption are managed at the account level, this implies that performing SCA on any device would reset the counter/accumulator.  This would have the effect of allowing lost or stolen devices to be used if the owner is not aware of the loss and continues to use other devices and perform SCA.  This appears to be a weakening rather than a strengthening of security.

In addition, there is no common and widespread payment solution in the industry that allows issuers to effectively monitor and control at the same time the cumulative number and value of contactless transactions across (1) multiple devices, (2) offline and online contactless transactions and (3) different EEA currencies.

The design, development and massive roll-out of such new solutions will be a long and costly process. It will require a replacement cycle of most cards and terminals, as well as significant investments from all the players involved in the payments value chain.

The low levels of fraud for contactless transactions show that contactless payments are today already sufficiently secure. We should not overburden a convenient experience for low-value payments with requirements that are lengthy to implement and whose costs outweigh the benefits.

For these reasons, we believe that the counters for the application of the exemptions for low-value contactless and remote transactions should be calculated at device/token level. This interpretation would achieve a great level of security and convenience for customers.

Date of submission:
28/06/2018
Published as Final Q&A:
11/10/2019
EBA Answer:

Article 4(14) of PSD2 defines payment instrument as ‘means a personalised device(s) and/or set of procedures agreed between the payment service user and the payment service provider and used in order to initiate a payment order’.

Article 11 of the Commission Delegated Regulation (EU) 2018/389 applies to contactless electronic payment transactions initiated by means of a payment instrument with contactless functionality. Therefore, the calculation of the limits under Article 11 of the Delegated Regulation should be done for each payment instrument with a contactless functionality. If the contactless functionality is offered by different means, the counter should be calculated separately.

This means that the calculation of the limits under Article 11 will apply separately for contactless payment transactions initiated with a physical payment card and for contactless payment transactions initiated with a digitised version of the payment card based on a payment token, even if both are linked to the same underlying payment account.

Status:
Final Q&A
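
The counter-scoping point discussed in the background and settled in the EBA answer, shown as an added example (it is not part of the Q&A and is not EBA, issuer or scheme code). The class and function names, the account and instrument identifiers and the tap sequence are constructed; both the 5-transaction and 150 EUR limits are applied together as a simplification, and no per-transaction cap is modelled.

```python
from dataclasses import dataclass

MAX_COUNT = 5            # contactless transactions allowed since the last SCA
MAX_TOTAL_CENTS = 15000  # 150 EUR cumulative value allowed since the last SCA


@dataclass
class Counter:
    count: int = 0
    total_cents: int = 0


class ExemptionTracker:
    """Hypothetical issuer-side tracker for the low-value contactless exemption.

    scope="instrument": one counter per payment instrument (card or token).
    scope="account":    one counter shared by every instrument on the account.
    """

    def __init__(self, scope):
        if scope not in ("instrument", "account"):
            raise ValueError("scope must be 'instrument' or 'account'")
        self.scope = scope
        self.counters = {}

    def _counter(self, account, instrument):
        key = (account, instrument) if self.scope == "instrument" else (account,)
        return self.counters.setdefault(key, Counter())

    def contactless(self, account, instrument, amount_cents):
        """Return 'EXEMPT' if the tap fits within the limits, else 'SCA_REQUIRED'."""
        c = self._counter(account, instrument)
        if c.count + 1 > MAX_COUNT or c.total_cents + amount_cents > MAX_TOTAL_CENTS:
            return "SCA_REQUIRED"
        c.count += 1
        c.total_cents += amount_cents
        return "EXEMPT"

    def sca_performed(self, account, instrument):
        """A successful SCA resets the counter that covers this instrument."""
        c = self._counter(account, instrument)
        c.count, c.total_cents = 0, 0


def lost_card_exempt_taps(scope, attempts=12, amount_cents=2000):
    """Constructed scenario: a lost plastic card keeps being tapped while the
    owner, unaware of the loss, performs SCA on a phone token after every third tap."""
    tracker = ExemptionTracker(scope)
    exempt = 0
    for i in range(1, attempts + 1):
        if tracker.contactless("ACC-1", "plastic-card", amount_cents) == "EXEMPT":
            exempt += 1
        if i % 3 == 0:
            tracker.sca_performed("ACC-1", "phone-token")
    return exempt
```

With a shared account-level counter the owner's SCA on the phone keeps resetting the limit that also covers the lost card; with per-instrument counters the lost card stops being exempt once its own limit is reached.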