2019_4797 Merchant IDs and SCA | European Banking Authority

Question ID: 2019_4797
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 1
Type of submitter: Industry association
Subject matter: Merchant IDs and SCA
Question: In the situation where Strong Consumer Authentication (SCA) was completed at the time of completing a hotel booking by an Online Travel Agent (OTA) or hotelbrand.com under their Merchant ID but the actual payment will take place at the time of arrival: will the SCA authentication token remain valid for the hotel (merchant) making the charges and its respective Merchant ID?
Background on the question: In the hotel industry, there is a high degree of intermediation between the hotel (merchant) and guest (customer) through Online Travel Agents (OTAs such as Booking.com), franchisor booking channels (such as hotelbrand.com, or global distribution systems (such as Sabre). At the same time, these channels may have a diversity of Merchant-IDs (MIDs) different than that of the hotel.
Submission date: 19/06/2019
Final publishing date: 05/11/2021
Final answer: Article 97(1)(b) of Directive 2015/2366/EU (PSD2) prescribes that payment service providers (PSPs) shall apply strong customer authentication (SCA) where the payer initiates an electronic payment transaction.

Q&A 2019_4795 clarified that ‘PSD2 and the Delegated Regulation (EU) 2018/389 do not specify a timeframe for the validity of SCA applied at the time when a payer initiates an electronic payment transaction’.

Accordingly, the SCA applied at the time of the booking shall allow the future-dated payment transaction to be executed.

Article 97(2) of PSD2 states that for electronic remote payment transactions, PSPs shall apply SCA that includes elements which dynamically link the transaction to a specific amount and a specific payee.

Article 5(1)(a) and (c) of the Commission Delegated Regulation (EU) 2018/389 states that where PSPs apply SCA in accordance with Article 97(2) of PSD2, ‘the payer is made aware of the amount of the payment transaction and of the payee’ and ‘the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer’.

Accordingly, the payment information displayed to the payer during the authentication shall include the payee (the hotel in the case described by the submitter). The authentication code shall be specific to the same payee, agreed to by the payer. If the payee and the specific amount do not change, the authentication code shall remain valid.

PSD2 and the Delegated Regulation do not require the payer to be made aware of third parties that are different from the payee, including intermediaries acting on behalf of the payee.
Status: Final Q&A
Answer prepared by: Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Disclaimer