- Question ID
- 2019_4740
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
- 97
- Paragraph
- 1
- Subparagraph
- b
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph
- 5
- Name of institution / submitter
- Panasonic Avionics/Lauren Walson
- Country of incorporation / residence
- United States
- Type of submitter
- Other
- Subject matter
- Compliance with SCA in offline mode on an aircraft without internet connection
- Question
- How can Strong Customer Authentication (SCA) be applied in an offline environment onboard an airplane when chip and pin cannot be verified with a Point of Sale (POS) device? Specifically, how is dynamic linking achieved in an offline mode for airlines who don't have internet connectivity but instead have a closed wireless network to be able to make purchases onboard an aircraft?
- Background on the question
- This question is on behalf of airline companies that offer passengers the ability to purchase goods inflight through their onboard intranet. There is no outbound internet connectivity, but rather an onboard network that allows passengers to use their personal devices to access the Airline's passenger portal and make purchases for drinks, movies, and services once they land, i.e. car hires, hotels, tours, etc. The problem we are coming across is when a passenger is about to check out while inflight, they will need a verification code sent to them via SMS or email. This is not feasible if the airplane does not have internet connection for the code to be sent to the passenger to verify the transaction. Additionally, the purchases cannot be verified with chip/PIN using a POS device because not all airlines have a POS device to process these payments.
- Submission date
- Final publishing date
-
- Final answer
-
Article 97(1)(b) of Directive 2015/2366/EU (PSD2) prescribes that the payment service provider (PSP) shall apply ‘strong customer authentication (SCA) where the payer initiates an electronic payment transaction’.
Therefore, in the case where the payer initiates an electronic card-based payment transaction at a Point of Sale (POS) in offline mode or through a remote channel (the internet), the issuer shall apply Strong Customer Authentication (SCA) to that transaction, unless an exemption from SCA applies in accordance with Articles 11–18 of the Delegated Regulation (EU) 2018/389. Other exemptions from SCA to those specified within the Delegated Regulation are not available.
With regard to remote electronic transactions, Articles 4 and 5 of the Delegated Regulation also apply.
In that regard, the specific case described above, with a closed wireless network that does not have internet connectivity and does not use a POS terminal, may not allow SCA to be applied.
In the case where the airplane is equipped with a POS terminal working in offline mode, the payer may be able to initiate an electronic card-based payment transaction and subsequently apply SCA. As clarified in Q&A 2018_4055, the PIN can be transmitted and verified offline, provided that it meets the requirements of Articles 6(1), 22(1) and 22(4) of the Delegated Regulation.
- Status
- Final Q&A
- Answer prepared by
- Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.