- Question ID
-
2019_4776
- Legal act
- Directive 2015/2366/EU (PSD2)
- Topic
- Strong customer authentication and common and secure communication (incl. access)
- Article
-
Article 5
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations
- Not applicable
- Article/Paragraph
-
Article 5
- Type of submitter
-
Competent authority
- Subject matter
-
More than one transaction from a single consumer initiated transaction
- Question
-
When a consumer elects to add an additional item to their purchase at the time of checkout (a cross sale) they are making two purchases from two different merchants in a single session. Is SCA required for both of these transactions? This would make the user experience very clumsy and awkward as the consumer would have to go through SCA twice in a row during a single checkout.
- Background on the question
-
Article 5 Dynamic linking 1. Where payment service providers apply strong customer authentication in accordance with Article 97(2) of Directive (EU) 2015/2366, in addition to the requirements of Article 4 of this Regulation, they shall also adopt security measures that meet each of the following requirements: (a) the payer is made aware of the amount of the payment transaction and of the payee; (b) the authentication code generated is specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction; (c) the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer; (d) any change to the amount or the payee results in the invalidation of the authentication code generated.
- Submission date
- Final publishing date
-
- Final answer
-
According to Article 97(1), point (b), of Directive 2015/2366/EU (PSD2), payment service providers shall apply strong customer authentication (SCA) where the payer initiates an electronic payment transaction.
In case of a so-called ‘cross-sale’ as described by the submitter, if a payer is requested to initiate two separate payment transactions, then two SCAs are required. If the second purchase would qualify as a merchant initiated transaction (MIT) SCA would be required to set up the mandate for the MIT.
The scenario described by the submitter does not explicitly specify whether there are two distinct purchasing acts or two purchases that fall in the same basket. In the case of a single basket resulting in a batch payment “the authentication code shall be specific to the total amount of the batch of payment transactions and to the specified payees” (Article 5(3), point (b), of Commission Delegated Regulation (EU) 2018/389, RTS on SCA and CSC).
Please refer to Q&A 2018_4415 for a more detailed information on dynamic linking for batch transactions
Disclaimer:
The answers clarify provisions already contained in the applicable legislation. They do not extend in any way the rights and obligations deriving from such legislation nor do they introduce any additional requirements for the concerned operators and competent authorities. The answers are merely intended to assist natural or legal persons, including competent authorities and Union institutions and bodies in clarifying the application or implementation of the relevant legal provisions. Only the Court of Justice of the European Union is competent to authoritatively interpret Union law. The views expressed in the internal Commission Decision cannot prejudge the position that the European Commission might take before the Union and national courts.
- Status
-
Final Q&A
- Answer prepared by
-
Answer prepared by the European Commission because it is a matter of interpretation of Union law.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.