Question ID:
2018_4399
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Fraud reporting
Article:
96
Paragraph:
6
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
EBA/GL/2018/05 - EBA Guidelines on fraud reporting under PSD2 (amended by EBA/GL/2020/01)
Article/Paragraph:
Guideline 7 / 7.12
Disclose name of institution / entity:
No
Type of submitter:
Other
Subject Matter:
Electronic chip transactions authenticated with a hand signature
Question:

As a Payment Service Provider (PSP) acquirer, how should we report the German chip + signature transactions in the “EBA fraud report under PSD2” given the fact that this kind of transaction is non-Strong Customer Authentication (SCA) and does not fall under any allowed exemption?

Background on the question:

Even after 14/09/2019, acquirer PSPs will still acquire non-SCA transactions made with German chip cards, authenticated by the cardholder signing the terminal voucher. This is due to the fact that German issuers are still migrating from Chip+signature to Chip+PIN, and the migration will still be in progress after 14/09/2019.

The German laws consider electronic chip transactions authenticated with a hand signature as paper-based, non-electronic, in opposition to the definition of an electronic transaction according to the RTS/PSD2. Therefore German PSPs will report their transactions to EBA as paper-based non-electronic.

Please clarify whether acquirers based in an EEA country other than Germany should align on the German law or on the RTS/PSD2 to classify these chip & signature transactions.

In case PSPs are requested to follow the RTS/PSD2, we will face the issue of not being able to classify these non-SCA transactions in any category of the “EBA fraud report under PSD2” as they do not match any allowed exemptions.

More information about the German law is available at http://dip.bundestag.de/btd/18/125/1812568.pdf

The coalition parliamentary groups of the CDU/CSU and SPD emphasised that the Second Payment Services Directive prescribes strong customer authentication for certain operations in payment transactions. They stated that this applies, for example, when the payer initiates an electronic payment transaction, i.e. when consent to the payment transaction is given electronically. Payment transactions initiated in writing or by telephone, for example credit card payments initiated by signature at the point-of-sale terminal, would not be covered by this provision.

Date of submission:
03/12/2018
Published as Final Q&A:
24/07/2020
EBA Answer:

Q&A 2018_4031 clarified that card-based payment transactions are subject to the requirement in Article 97(1)(b) of Directive 2015/2366 (PSD2) to apply strong customer authentication (SCA). In addition, Q&A 2018_4108 clarified that card-based electronic payment transactions that require the signature of the payer at the point of sale for authorisation or authentication fall under the scope of Article 97(1)(b) PSD2. Therefore, card-based electronic payment transactions where a signature of the payer at the point of sale is used are subject to SCA according to Article 97(1)(b) PSD2.

In accordance with Guidelines 2.11, 7.11 and 7.12 of the EBA Guidelines on fraud reporting under PSD2 (EBA/GL/2018/05) as amended by the EBA Guidelines EBA/GL/2020/01, card payments should be reported both by the payer’s payment service provider (PSP) (the issuer), and by the payee’s PSP acquiring the payment transaction (the acquirer) as follows:

  • from the issuer’s perspective, under the Data Breakdown C in Annex 2 of the Guidelines; and
  • from the acquirer’s perspective, under the Data Breakdown D in Annex 2 of the Guidelines.

From the acquirer’s perspective, card-based electronic payment transactions to which SCA is applied should be reported in accordance with Data Breakdown D in Annex 2 of the Guidelines, under the category 4.2.1.2 (“Of which authenticated via strong customer authentication”), or, as applicable, 4.2.2.2 (“Of which Authenticated via strong customer authentication”).

Status:
Final Q&A