Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Type of submitter:
Subject Matter:
Exemption for secure corporate payment processes and protocols

May lodged and virtual cards benefit from the exemption for secure corporate payment processes and protocols under Article 17 RTS?

Background on the question:
Pursuant to Article 17 of Regulation (EU) 2018/389 (RTS on strong customer authentication and secure communication), SCA is not required for secure corporate payments as long as the following conditions are met:
- Dedicated payment processes or protocols are used;
- The dedicated processes or protocols are only made available to payers who are not consumers;
- National competent authorities are satisfied that dedicated corporate processes and protocols are sufficiently secure.
As outlined by the EBA, there is a risk that national authorities’ decisions “may diverge, leading to a lack of harmonisation and cases where a given protocol is pre-approved in one Member State but not in another” (page 6 of the EBA’s formal Opinion of June 2017 on the EC’s draft RTS).
We therefore believe that the EBA should clarify the criteria for corporate payment processes and protocols being considered sufficiently secure. This would ease the assessment of national authorities.
In this regard, the RTS say that the test for the application of the exemption will be if corporate processes and protocols “achieve the objectives of Directive (EU) 2015/2366 in terms of security” (Recital 13 RTS).
We believe that lodged and virtual cards will benefit from the exemption under Article 17 RTS for the following reasons:
1. Corporate use only
In the corporate travel management industry, lodged and virtual cards are strictly used by corporate travelers for B2B transactions in a controlled corporate environment. Hence, lodged and virtual cards are exclusively available to payers who are not consumers.
Lodged cards are “lodged” securely with a company-approved supplier or third-party responsible for facilitating business expenses to be booked and paid for repeatedly. In most cases, a company’s card will be lodged with a corporate travel management company tasked with booking business trips on behalf of the company’s employees and paying for such bookings with a merchant, for example, an airline. In a broader context, such products can be transmitted and stored with a supplier, such as an office supplies company, which then regularly processes payments upon company approval of the supplier’s invoices.
In the case of virtual cards, only designated and authorized individual users acting on behalf of a company e.g. employee or assistant or corporate traveler, can generate a virtual card number, comprising sixteen digits, an expiry date and security code to enable transactions made at company level. No individual holds a virtual card on behalf of a company and no personal details of the card user are linked to the product. A virtual card is solely used for the pre-defined transactions for which it was generated and can therefore only be re-used on a limited number of occasions as established by the corporate traveler's company. In addition, specific controls can be set by the corporate traveler's company for individual virtual cards, such as transaction value, validity period and merchant type, to name but a few features. Creating a payment using a virtual card occurs within a secure and controlled environment, typically via a secure two-factor-authentication process.
2. Very low fraud rates
Fraud rates on virtual card and lodged card usage are low, for example, MasterCard fraud rates on virtual cards usage of 0.001%, 0.0003%, 0.003% for 2014, 2015 and 2016 respectively, underscores how safe the controlled environment in which they are used is.
3. Corporate transactions use “dedicated payment processes or protocols”
“Dedicated processes and protocols” are in place when using lodged and virtual cards, as required by Article 17. These processes or protocols serve to safeguard levels of security in line with those required by PSD2.
When generating virtual cards, for example, the party making the booking must typically authenticate themselves with SCA. Furthermore, those capable of making such a booking are limited to a select few individuals working, for instance, in a company travel department or as personal assistants. Alternatively, virtual cards are automatically generated via API to support payment for bookings made by travelers via a password-protected online booking tool. Similarly, in the case of lodged cards, the card number is only available to a restricted number of individuals and held in a password-protected, PCI compliant system.
Conversely, we believe SCA should apply when a commercial card is used by an employee him/herself at a public website for the purchase of equivalent goods or services (such as travel or accommodation) as this transaction does not use a secure dedicated payment process and protocol.
Date of submission:
Published as Final Q&A:
EBA Answer:

Article 17 of the Commission Delegated Regulation (EU) 2018/389 states that the payment service providers (PSPs) “shall be allowed not to apply strong customer authentication” for electronic payment transactions initiated by a legal person “through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers” provided that the competent authorities are satisfied that the levels of security are “at least equivalent” to those provided for by PSD2.

Article 17 refers to ‘dedicated payment processes or protocols’ and does not limit the exemption to a given payment instruments.

Therefore, PSPs may choose to apply the Article 17 exemption to electronic payment transactions initiated using a card payment, provided that the card payment is “only available to payers who are not consumers” and the competent authority is satisfied that the security levels of the dedicated payment processes and protocols used are “at least equivalent” to those provided for by PSD2 before the PSP uses the exemption. In addition, and as stated in page 9, table 2, of the EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication and common and secure communication, EBA-Op-2018-04, only the payer’s PSP may decide on the application of this exemption.

Final Q&A