Single Rulebook Q&A

Question ID: 2018_4400
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 98
Paragraph: 1
Subparagraph: b
COM Delegated or Implementing Acts/RTS/ITS/GLs: Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication
Article/Paragraph: 17
Type of submitter: Credit institution
Subject matter: Secure corporate payment processes and protocols
Question:

Are USB drives (containing a certificate) used only by corporate clients compatible with RTS requirements?

Can USB drives be considered as payment processes exempted from strong customer authentication?

Background on the question:

Article 17 of the RTS on strong customer authentication and common secure communication creates an exemption from strong customer authentication based on the Secure corporate payment processes and protocols.

PSPs are allowed not to apply SCA, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers.

The question arises because there is no dynamic link (mandatory according to Article 5 of the RTS) in this process.

An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate.

In our bank, the certificate (hosted on a USB key) is intended exclusively for payers who are not consumers.

Date of submission: 04/12/2018
Published as Final Q&A: 14/06/2019
EBA answer:

Article 17 of the Commission Delegated Regulation (EU) 2018/389 states that “Payment service providers shall be allowed not to apply strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers, where the competent authorities are satisfied that those processes or protocols guarantee at least equivalent levels of security to those provided [in PSD2]”. This article refers to “the use of dedicated payment processes or protocols” to “initiate electronic payment transactions” but does not refer to a process used to carry out a specific element that may be required for the purpose of payment initiation, such as the authentication of the payment service user, for instance using a USB certificate.
Status: Final Q&A