- Question ID: 2021_6298
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 6
- Paragraph: 1
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Not applicable
- Article/Paragraph: N/A
- Name of institution / submitter: Multi-Stakeholder Group Mobile initiated SEPA (Instant) Credit Transfers
- Country of incorporation / residence: Belgium
- Type of submitter: Industry association
- Subject matter: Clarification on the protection requirements of a Customer ID when included in a payer-presented QR code for the initiation of (instant) credit transfers at the Point of Interaction (POI)
- Question:
Are the Customer ID’s security measures (e.g., encryption, tokenisation, transport layer security) mentioned under Q&A 5476 to be always applied in any payer-presented QR code, regardless of who generates it (e.g., including a non-PSP)?
- Background on the question:
In accordance with the clarifications provided under Q&A 5476, the Customer ID facilitates the identification of the Payment Services User (PSU) for the purpose of authentication but is not in itself a valid Strong Customer Authentication (SCA) element. Therefore, it cannot be considered as Personalised Security Credentials (PSC). However, the Customer ID is not available to third parties other than the payment service user and the payment service provider, and its disclosure can be used to carry out fraud. Therefore, taking also into account the provisions of the EBA Guidelines on ICT and security risk management, the Customer ID cannot be included in cleartext in a payer-presented QR code for the initiation of credit transfers at the Point of Interaction without any security measures (e.g., encryption, tokenisation, transport layer security) ensuring its confidentiality during the QR code life cycle.
When reviewing the clarification received under Q&A 5476, the Multi-Stakeholder Group (MSG) on Mobile initiated SEPA (Instant) Credit Transfers (MSCT) debated whether such security measures would apply to any payer-presented QR-code, regardless of who generates the code, or whether the obligation to encrypt/tokenise the CustomerID would only be applicable to entities authorised under PSD2 (Directive (EU) 2015/2366) and subject to the EBA Guidelines on ICT and security risk management, as a minority of the group is of the view that non-regulated entities or consumers should be allowed to generate a QR-code containing the Customer ID in clear-text.
- Submission date:
- Final publishing date:
- Final answer:
Q&A 5476 clarified that the Customer ID is not available to third parties other than the payment service user and the payment service provider, and its disclosure can be used to carry out fraud. Therefore, taking also into account Guidelines 3.4.1 and 3.4.4 of the Guidelines on ICT and security risk management, the Customer ID cannot be included in cleartext in a payer-presented QR code for the initiation of credit transfers at the point of interaction without any security measures (e.g. encryption, tokenisation, transport layer security) ensuring its confidentiality during the QR code life cycle.
The clarification provided in Q&A 5476 covers the security measures that should be applied when the Customer ID is included in a QR code and does not distinguish between the different parties that may generate the QR code. Accordingly, the security measures for the Customer ID should be applied in any payer-presented QR code, regardless of who generates the QR code.
- Status: Final Q&A
- Answer prepared by: Answer prepared by the EBA.
- Disclaimer:
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.