- Question ID: 2019_4556
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 97
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 5
- Type of submitter: Other
- Subject matter: Definition of payee for dynamic linking
- Question
Article 5 of the RTS on strong customer authentication and secure communication requires the authentication code to be specific to the amount of the payment transaction and the payee.
Does it suffice to include a meaningful part of the identifier in the calculation of the authentication code? For instance, would it suffice to include only the numeric characters of the IBAN in the calculation of the authentication code?
- Background on the question
This question regularly pops up in discussions about the practical implementation of strong customer authentication.
A payee can be identified in multiple ways, such as an International Bank Account Number (IBAN), phone number, name, etc. These identifiers often consist of a mix of alphanumeric characters (A-Z, 0-9). For instance, an IBAN often contains alphabetic characters.
Certain authentication devices (e.g. hardware tokens) only allow entry of numeric characters (0-9), and not alphabetic ones (A-Z). As a consequence, the authentication device cannot calculate the authentication code over the precise identifier (e.g. full IBAN).
- Submission date
- Final publishing date
- Final answer
Article 5(1) of the Delegated Regulation (EU) 2018/389 states that “where payment service providers apply strong customer authentication in accordance with Article 97(2) of Directive (EU) 2015/2366, in addition to the requirements of Article 4, they shall adopt security measures that meet each of the following requirements: a) the payer is made aware of the amount of the payment transaction and of the payee; b) the authentication code generated is specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction; c) the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer; d) any change to the amount or the payee results in the invalidation of the authentication code generated”.
In that regard, the authentication code shall be specific to the payee(s) agreed to by the payer. However, the Delegated Regulation does not specify how the payee should be identified for the purpose of the dynamic linking requirements in Article 5, which can be, for instance, through the IBAN (or a similar type of unique identifier).
In relation to the above, it would be sufficient to include a meaningful part of the IBAN (or a similar type of unique identifier), or none at all, in the authentication code, provided that the requirements in Article 5(1) of the Delegated Regulation are met.
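The following is an added illustration, not part of the EBA's answer or of the RTS: it models the situation raised in the question, a numeric-only token that can compute its code only over the digits of the IBAN, and shows how the PSP-side check can still satisfy Article 5(1)(c) and (d) by binding the accepted code to the originally agreed amount and full payee identifier. The dataclass, function names, the fixed demo key and the sample IBAN are all constructed for the example; the 6-digit truncation is a plain modulus rather than the RFC 4226 dynamic truncation.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key shared by the payer's token and the PSP's verifier.
# A real deployment provisions a per-token secret; this fixed value is for illustration only.
DEMO_TOKEN_SECRET = b"constructed-demo-token-secret"


@dataclass(frozen=True)
class Transaction:
    amount_cents: int   # amount in minor units, so the code input never depends on float rounding
    currency: str
    payee_iban: str     # full payee identifier as agreed by the payer (letters included)


def normalise_iban(iban: str) -> str:
    """Canonical form of the full identifier: spaces stripped, upper case."""
    return iban.replace(" ", "").upper()


def payee_digits(iban: str) -> str:
    """The part of the IBAN a numeric-only token can accept: its decimal digits, in order."""
    return "".join(ch for ch in normalise_iban(iban) if ch.isdigit())


def token_input(tx: Transaction) -> str:
    """What the payer keys into the token: amount in minor units, then the payee digits.
    The separator keeps different (amount, payee) pairs from concatenating to the same string."""
    return f"{tx.amount_cents}#{payee_digits(tx.payee_iban)}"


def compute_code(secret: bytes, keyed_input: str) -> str:
    """Authentication code: HMAC-SHA256 over the keyed input, truncated to 6 decimal digits."""
    mac = hmac.new(secret, keyed_input.encode("ascii"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 1_000_000).zfill(6)


def verify_dynamic_link(secret: bytes, authorised: Transaction,
                        presented: Transaction, code: str) -> bool:
    """PSP-side acceptance check (this example's reading of Article 5(1)(c) and (d)):
    the code must be the one the token produces for the transaction now presented
    for execution, and that transaction must be identical to the one the payer
    originally agreed to in amount, currency and full payee identifier, not merely
    in the digits the token was able to see."""
    expected = compute_code(secret, token_input(presented))
    if not hmac.compare_digest(expected, code):
        return False
    return (
        presented.amount_cents == authorised.amount_cents
        and presented.currency == authorised.currency
        and normalise_iban(presented.payee_iban) == normalise_iban(authorised.payee_iban)
    )


if __name__ == "__main__":
    agreed = Transaction(12_500, "EUR", "DE89 3704 0044 0532 0130 00")  # constructed sample IBAN
    code = compute_code(DEMO_TOKEN_SECRET, token_input(agreed))
    print("code:", code)
    print("unchanged:", verify_dynamic_link(DEMO_TOKEN_SECRET, agreed, agreed, code))
    print("amount changed:", verify_dynamic_link(
        DEMO_TOKEN_SECRET, agreed, Transaction(99_900, "EUR", agreed.payee_iban), code))
    # Same digits, different letters: the token input is identical, so only the
    # server-side binding to the full identifier detects the change.
    print("letters changed:", verify_dynamic_link(
        DEMO_TOKEN_SECRET, agreed, Transaction(12_500, "EUR", "FR89 3704 0044 0532 0130 00"), code))
```

The last case is the one the question is really about: two identifiers that differ only in their alphabetic characters give the token the same input and therefore the same code, so whether "a meaningful part of the identifier" is enough depends on the PSP holding the full agreed amount and payee against the transaction and refusing execution when either differs, which is what the answer's proviso on Article 5(1) amounts to in practice.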
- Status: Final Q&A
- Answer prepared by: the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.