How can Strong Customer Authentication (SCA) be applied in an offline environment onboard an airplane when chip and pin cannot be verified with a Point of Sale (POS) device? Specifically, how is dynamic linking achieved in an offline mode for airlines who don't have internet connectivity but instead have a closed wireless network to be able to make purchases onboard an aircraft?
This question is on behalf of airline companies that offer passengers the ability to purchase goods inflight through their onboard intranet. There is no outbound internet connectivity, but rather an onboard network that allows passengers to use their personal devices to access the Airline's passenger portal and make purchases for drinks, movies, and services once they land i.e. car hires, hotels, tours etc. The problem we are coming across is when a passenger is about to check out while inflight, they will need a verification code sent to them via SMS or email. This is not feasible if the airplane does not have internet connection for the code to be sent to the passenger to verify the transaction. Additionally, the purchases cannot be verified with chip/PIN using a POS device because not all airlines have a POS device to process these payments.
Article 97(1)(b) of Directive 2015/2366/EU (PSD2) prescribes that the payment service provider (PSP) shall apply ‘strong customer authentication (SCA) where the payer initiates an electronic payment transaction’.
Therefore, in the case where the payer initiates an electronic card-based payment transaction at a Point of Sale (POS) in offline mode or through a remote channel (the internet), the issuer shall apply Strong Customer Authentication (SCA) to that transaction, unless an exemption from SCA applies in accordance with Articles 11– 18 of the Delegated Regulation (EU) 2018/389. Other exemptions from SCA to those specified within the Delegated Regulation are not available.
With regard to remote electronic transactions, Articles 4 and 5 of the Delegated Regulation also apply.
In that regard, the specific case described above with a closed wireless network that does not have internet connectivity and does not use a POS terminal, may not allow SCA to be applied.
In the case where the airplane is equipped with a POS terminal working in offline mode, the payer may be able to initiate an electronic card-based payment transaction and subsequently apply SCA. As clarified in Q&A 2018_4055, the PIN can be transmitted and verified offline, provided that it meets the requirements of Articles 6(1), 22(1) and 22(4) of the Delegated Regulation.