Do failed authentications or declined transactions increase the counters of cumulative amount or number of hits?
Article 16 states that Payment service providers shall be allowed not to apply strong customer authentication, where the payer initiates a remote electronic payment transaction provided that the following conditions are met:
(a) the amount of the remote electronic payment transaction does not exceed EUR 30; and
(b) the cumulative amount of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed EUR 100; or
(c) the number of previous remote electronic payment transactions initiated by the payer since the last application of strong customer authentication does not exceed 5 consecutive individual remote electronic payment transactions.
The question is if for example a specific Payment Services User (PSU) keeps getting declined, assuming it’s a fraudster, does it effect the sensors mentioned above? This will have impact on genuine user due to exceeding the thresholds defined by this article. We would like to know if only successfully completed transactions effects these counters.
Article 16 of the Delegated Regulation (EU) 2018/389 refers to the counting of low-value remote electronic payment transactions that have been successfully initiated. Accordingly, Article 16(a) specifies an individual transaction limit of €30 and Article 16(b) refers to the cumulative amount of the low-value remote electronic payment transaction that have been successfully initiated. In addition, when counting the number of consecutive individual remote electronic payment transactions for the purpose of Article 16(c), only those transactions that have been successfully initiated, need to be included.
However, if a payment service provider (PSP) wishes to include all authorised transactions, regardless of whether they have been successfully initiated or not, it is not prevented from so doing.
Q&A 2018_4230 addressed this question from the perspective of the exemption from strong customer authentication (SCA) under Article 11 of the Delegated Regulation.