Single Rulebook Q&A

Question ID: 2018_4038
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
Paragraph:
Subparagraph:
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph: Art. 11
Type of submitter: Other
Subject matter: Applicability of the low-value contactless exemption to contactless-only devices
Question:

For contactless-only devices that (1) do not have a contact interface and (2) do not support on-device authentication, may the counters for the application of the low-value contactless exemption be reset through an out-of-band mechanism such as a mobile phone application?

Background on the question:

Some contactless devices (such as, for example, stickers and certain smartwatches) do not have a contact interface and do not support on-device customer authentication. With these devices, the user cannot perform contact transactions with SCA or use on-device SCA to reset the counters for the application of the low-value contactless exemption under Article 11 RTS. Issuers may therefore need to support an out-of-band mechanism that allows the user to perform SCA when the limits of EUR 150 or 5 transactions without SCA are exceeded.

We believe that a suitable mobile phone app or a functionality embedded within the issuer’s mobile banking app or online banking would allow issuers to apply SCA so that the counters are reset.

Date of submission: 28/06/2018
Published as Final Q&A: 11/01/2019
EBA answer:

Article 11 of the Commission Delegated Regulation (EU) 2018/389 (RTS on strong customer authentication and secure communication) does not define a technical method for how the counter should be reset, or what device or terminal should be used when performing strong customer authentication (SCA).

However, Article 11 envisages two different limits, i.e. either a cumulative monetary amount or a maximum number of transactions to be met until SCA should be applied again. The requirement for payment service providers, as highlighted in paragraph 43 of the EBA Opinion on the implementation of the RTS on SCA and secure communication is to have a counter in place and to perform SCA every time the threshold has been reached, provided that such method complies with the requirements on SCA laid out in this Delegated Regulation, and in particular Articles 4 to 9.

Consequently, a reset of these two limits could be effected only by an SCA that is performed with the actual payment instrument to which the exemption should apply, regardless of whether this instrument is contactless or not. This means that any out-of-band solution would need to be performed with the payment initiation through a given payment instrument. This follows from the objective of the two limits, which is to prevent a payment instrument with a contactless functionality that is lost or stolen from being used indefinitely. In the specific case described, this means that the out-of-band mechanism would need to enable the subsequent payment initiation that requires SCA once the limit has been reached; the mechanism could not operate independently from the payment initiation itself.
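The following is an added illustration of the counter logic the answer describes; it is not EBA text and not any issuer's implementation. It models, for one payment instrument, the two Article 11 limits quoted above (cumulative EUR 150 or 5 transactions since the last SCA) and the answer's condition that only an SCA performed with that instrument, as part of a payment initiation, resets the counters: an SCA completed in a mobile app on its own, unconnected to a payment, does not. The `instrument_id` field, the `during_payment_initiation` flag and the `ScaEvidence` type are assumptions made for the example; the EUR 50 per-transaction cap is taken from Article 11(a) of the RTS, which this Q&A does not quote.

```python
from dataclasses import dataclass
from typing import Optional

# Limits quoted in the Q&A (Article 11 RTS): cumulative EUR 150 or 5 transactions
# since the last SCA. Amounts are held in cents to avoid floating-point rounding.
CUMULATIVE_LIMIT_CENTS = 150_00
CONSECUTIVE_LIMIT = 5
# Per-transaction cap from Article 11(a) of the RTS (not quoted on this page).
SINGLE_TXN_LIMIT_CENTS = 50_00


@dataclass(frozen=True)
class ScaEvidence:
    """Outcome of an SCA challenge, e.g. completed in the issuer's app (assumed shape)."""
    instrument_id: str              # instrument the SCA was performed with
    during_payment_initiation: bool  # True only if the SCA was part of a payment initiation


@dataclass
class ExemptionCounter:
    """Issuer-side counter for one payment instrument (hypothetical model)."""
    instrument_id: str
    amount_since_sca: int = 0   # cumulative exempt amount in cents since last SCA
    count_since_sca: int = 0    # exempt transactions since last SCA

    def exemption_applies(self, amount_cents: int) -> bool:
        """True if this contactless transaction may be approved without SCA."""
        if amount_cents > SINGLE_TXN_LIMIT_CENTS:
            return False
        if self.amount_since_sca + amount_cents > CUMULATIVE_LIMIT_CENTS:
            return False
        if self.count_since_sca + 1 > CONSECUTIVE_LIMIT:
            return False
        return True

    def record_exempt_transaction(self, amount_cents: int) -> None:
        """Advance both counters after an exempt approval."""
        self.amount_since_sca += amount_cents
        self.count_since_sca += 1

    def apply_sca(self, sca: ScaEvidence) -> bool:
        """Reset the counters only for an SCA that meets the answer's conditions.

        The SCA must be performed with this very instrument and within a payment
        initiation; a stand-alone reset from an app is rejected.
        """
        if sca.instrument_id != self.instrument_id:
            return False
        if not sca.during_payment_initiation:
            return False
        self.amount_since_sca = 0
        self.count_since_sca = 0
        return True


def process_contactless(counter: ExemptionCounter, amount_cents: int,
                        sca: Optional[ScaEvidence] = None) -> str:
    """Authorise one contactless transaction.

    Returns 'approved_exempt', 'sca_required' or 'approved_with_sca'. A transaction
    approved with SCA is not counted towards the exemption; the counters start over.
    """
    if counter.exemption_applies(amount_cents):
        counter.record_exempt_transaction(amount_cents)
        return "approved_exempt"
    if sca is not None and counter.apply_sca(sca):
        return "approved_with_sca"
    return "sca_required"


if __name__ == "__main__":
    # Constructed walk-through: a contactless-only sticker hits the EUR 150 limit.
    c = ExemptionCounter("sticker-0001")
    for _ in range(3):
        print(process_contactless(c, 40_00))           # approved_exempt x3 (EUR 120)
    print(process_contactless(c, 40_00))               # sca_required (would reach EUR 160)
    # SCA done in the app on its own does not reset the counters.
    print(process_contactless(c, 40_00, ScaEvidence("sticker-0001", False)))  # sca_required
    # SCA with this instrument, as part of the payment initiation, does.
    print(process_contactless(c, 40_00, ScaEvidence("sticker-0001", True)))   # approved_with_sca
    print(process_contactless(c, 40_00))               # approved_exempt again
```

The design point is that `apply_sca` takes evidence about the SCA event rather than a bare "reset" command: the issuer's app can be the channel through which the customer authenticates, but the reset is accepted only when the evidence ties that SCA to the instrument and to a payment initiation, which is the distinction the answer draws.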

Status: Final Q&A