PSD2: Impact of Dynamic Linking with Consumer Presented QR Codes
Payment Services Directive 2 (PSD2) has been in force since January 12, 2016. The key point of PSD2 is to protect consumers in remote or online transactions. Additionally, from September 14, 2019, the Regulatory Technical Standards (RTS) will be mandated. Along with the most discussed topics like Strong Customer Authentication (SCA), Third Party Providers (TPPs) and Common and Secure Communication (CSC).
Dynamic Linking is an additional requirement to the SCA introduced in the RTS to reduce risk of fraud. Dynamic Linking is where an authentication code is generated where elements of the transaction are dynamically linked to the amount and a payee specified by the payer when a transaction is a initiated. According to RTS, Dynamic Linking has the following requirements:
- The information regarding the amount of the payment transaction, and identity of the payee, is made known to the payer.
- An authentication code has to be generated which is specific to the payment amount and identity of the payee. This is agreed by the payer when the payment is initiated.
- Payment service providers (PSPs) shall accept authentication codes which correspond to the original amount of the payment transaction, and the identity of the payee, which is agreed to by the payer.
- Any changes to the payment amount or the identity of the payee should result in invalidation of the authentication code which was generated.
A Quick Response (QR) code is a type of matrix barcode used for payments and categorized as a Non-NFC based proximity payment. Typically, there are two implementations of a QR code used for payment initiation; ‘Consumer Presented’ and ‘Merchant Presented’. For this blog, we will discuss the Consumer Presented scenario, and will discuss Merchant Presented in a future blog.
EMVCo describes consumer presented QR in their EMV QR Code specification as follows:
Consumers can purchase using QR codes which are generated within their mobile application by selecting the QR option for payment. This QR code will use the credentials associated with the consumers EMV card, which was previously provisioned on their mobile device. Once the QR code has been generated and scanned by the merchant, the transaction is then complete.
EMVCo also clarifies that these transactions are always authorized online and the aforementioned scanning of the QR is a one-way transfer of data from mobile device to Point of Interaction device. Consequently the QR code does not contain any data from the Point of Interaction device.
Do we have to implement Dynamic linking with Consumer presented QR?
Firstly when considering the Authentication requirements. Article 97(1 & 2) of PSD2 states that:
Member States shall ensure that a payment service provider applies strong customer authentication where the payer:
(a) accesses its payment account online;
(b) initiates an electronic payment transaction;
(c) carries out any action through a remote channel which may imply a risk of payment fraud or other abuses.
“With regard to the initiation of electronic payment transactions as referred to in point (b) of paragraph 1, Member States shall ensure that, for electronic remote payment transactions, payment service providers apply strong customer authentication that includes elements which dynamically link the transaction to a specific amount and a specific payee.”
Furthermore, the European Banking Authority (EBA) stated the following in response to a similar question regarding the application of SCA with Dynamic Linking:
“Our view is that the RTS Article 2 requirements only apply to the initiation of electronic remote payments (including PIS) in accordance with the scope of PSD2 Article 97(2). RTS Article 2 should be read in conjunction with EBA rationale points 17 and 19, In other words the only payment transactions which require the application of SCA with dynamic linking are remote credit transfers (including those initiated via a PISP and batch credit transfers).”
These statements make clear distinctions between ‘electronic payments’ and ‘electronic remote payments’. Article 4(5) of the PSD2 defines ‘payment transaction’ as:
“an act, initiated by the payer or on his behalf or by the payee, of placing, transferring or withdrawing funds, irrespective of any underlying obligations between the payer and the payee”. Article 4(6) defines ‘electronic remote payments’ as: “a payment transaction initiated via internet or through a device that can be used for distance communication”.
As per the definitions of ‘electronic payment’ and ‘electronic remote payment’, and specification from EMVCo for Consumer presented QR; we determine that the payment is initiated by the merchant’s device after scanning the consumer presented QR code and is not initiated by the consumer’s device. Therefore, this transaction cannot be defined as an electronic remote payment, and therefore the Dynamic Linking requirements as stated in Article 97(2) of PSD2 does not apply.
Furthermore, we define a QR-Code in the context of payments as a Non-NFC based proximity payment. The EBA have advised that:
“The payments industry has invested significantly in developing secure authentication of proximity payments, based on EMV standards that have delivered a very secure environment underpinning proximity card payments .The key objective is to extend this approach into less secure, more fraud-prone channels. We see no obvious reason that that new authentication approaches would be needed in relation to proximity card payments or evidence identifying any deficiencies that need to be addressed by legislation.”
From multiple point of views it can be observed that the consumer presented QR code does not need to implement dynamic linking requirements consequently due to the fact that: firstly, consumer presented QR code is not initiating the payment transaction which classifies this transaction as a non-electronic remote payment transaction. Secondly, as EBA also states that for non-NFC based proximity transactions there is no need of new methods including dynamic linking as these type of transactions are already secure.
As the payment industry evolves, the processing rules are becoming increasingly complex, especially with the introduction of PSD2. Typically, our industry’s rules have been built around the traditional card rails; but the introduction of various proximity payment methods, both NFC and non-NFC related, coupled with the inclusion of online processing and digital wallets, have meant that the definitions of initiation, proximity, remote, and online need to be urgently re-clarified. We will address these clarifications further in an upcoming blog.
For more information on PSD2 and Open Banking please contact one of our experts.