- Question ID: 2018_4400
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 98
- Paragraph: 1
- Subparagraph: b
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 17
- Type of submitter: Credit institution
- Subject matter: Secure corporate payment processes and protocols
- Question:
Are USB drives (containing a certificate) used only by corporate clients compatible with RTS requirements?
Can USB drives be considered as payment processes exempted from strong customer authentication?
- Background on the question:
Article 17 of the RTS on strong customer authentication and common secure communication creates an exemption from strong customer authentication based on the secure corporate payment processes and protocols.
PSPs are allowed not to apply SCA in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers.
The question arises because there is no dynamic link (mandatory according to Article 5 of the RTS) in this process.
An X.509 certificate is a digital certificate that uses the widely accepted international X.509 public key infrastructure (PKI) standard to verify that a public key belongs to the user, computer or service identity contained within the certificate.
In our bank, the certificate (hosted in a USB key) is intended exclusively for payers who are not consumers.
- Submission date:
- Final publishing date:
- Final answer:
Article 17 of the Commission Delegated Regulation (EU) 2018/389 states that “Payment service providers shall be allowed not to apply strong customer authentication, in respect of legal persons initiating electronic payment transactions through the use of dedicated payment processes or protocols that are only made available to payers who are not consumers, where the competent authorities are satisfied that those processes or protocols guarantee at least equivalent levels of security to those provided [in PSD2]”. This article refers to “the use of dedicated payment processes or protocols” to “initiate electronic payment transactions” but does not refer to a process used to carry out a specific element that may be required for the purpose of payment initiation, such as the authentication of the payment service user, for instance using a USB certificate.
- Status: Final Q&A
- Answer prepared by: the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.