Question ID:
2019_4740
Legal Act:
Directive 2015/2366/EU (PSD2)
Topic:
Strong customer authentication and common and secure communication (incl. access)
Article:
97
Paragraph:
1
Subparagraph:
b
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph:
5
Disclose name of institution / entity:
Yes
Name of institution / submitter:
Panasonic Avionics/Lauren Walson
Country of incorporation / residence:
United States
Type of submitter:
Other
Subject Matter:
Compliance with SCA in offline mode on an aircraft without internet connection
Question:

How can Strong Customer Authentication (SCA) be applied in an offline environment onboard an airplane when chip and pin cannot be verified with a Point of Sale (POS) device? Specifically, how is dynamic linking achieved in an offline mode for airlines who don't have internet connectivity but instead have a closed wireless network to be able to make purchases onboard an aircraft?

Background on the question:

This question is on behalf of airline companies that offer passengers the ability to purchase goods inflight through their onboard intranet. There is no outbound internet connectivity, but rather an onboard network that allows passengers to use their personal devices to access the airline's passenger portal and make purchases for drinks, movies, and services once they land, i.e. car hires, hotels, tours, etc. The problem we are coming across is when a passenger is about to check out while inflight, they will need a verification code sent to them via SMS or email. This is not feasible if the airplane does not have an internet connection for the code to be sent to the passenger to verify the transaction. Additionally, the purchases cannot be verified with chip/PIN using a POS device because not all airlines have a POS device to process these payments.

Date of submission:
24/05/2019
Published as Final Q&A:
06/12/2019
EBA Answer:

Article 97(1)(b) of Directive 2015/2366/EU (PSD2) prescribes that the payment service provider (PSP) shall apply ‘strong customer authentication (SCA) where the payer initiates an electronic payment transaction’.

Therefore, in the case where the payer initiates an electronic card-based payment transaction at a Point of Sale (POS) in offline mode or through a remote channel (the internet), the issuer shall apply Strong Customer Authentication (SCA) to that transaction, unless an exemption from SCA applies in accordance with Articles 11–18 of the Delegated Regulation (EU) 2018/389. Other exemptions from SCA to those specified within the Delegated Regulation are not available.

With regard to remote electronic transactions, Articles 4 and 5 of the Delegated Regulation also apply.

In that regard, the specific case described above with a closed wireless network that does not have internet connectivity and does not use a POS terminal, may not allow SCA to be applied.

In the case where the airplane is equipped with a POS terminal working in offline mode, the payer may be able to initiate an electronic card-based payment transaction and subsequently apply SCA. As clarified in Q&A 2018_4055, the PIN can be transmitted and verified offline, provided that it meets the requirements of Articles 6(1), 22(1) and 22(4) of the Delegated Regulation.

Status:
Final Q&A