PSD2 requires Strong Customer Authentication (SCA) to be performed each time the PSU accesses its online payment account, either directly or using the services of an AISP. The frequency of authentication can be reduced if an ASPSP applies the exemption relevant to account information access.
CEG Checklist Requirements & CX Considerations

1. AISPs must alert the PSU when authentication needs to be performed to refresh AISP access. [CEG Checklist 16]
   Note: the AISP may notify the PSU (in session or out of session, e.g. via SMS or push notification) in advance; the length of the advance period is left to the AISP's competitive space.

2. AISPs should allow the PSU to select all the payment accounts across ASPSPs, whether or not they are due for access refresh. [CX Consideration]

3. AISPs must display the company's trading name/brand name (i.e. the Client Name) to the PSU during the setup and revocation of consent. If the AISP is only trading under its registered company name, it must display that name to the PSU. If the AISP is not the customer-facing entity and an Agent is acting on its behalf, the Agent must make the PSU aware that it is acting as an agent on behalf of the AISP and must also display the AISP's full trading name/brand name or registered company name, whichever is the customer-facing brand of the AISP. AISPs must also populate the Agent company name in the 'On behalf of' field of the software statement, in order to inform the ASPSP about the agency relationship and allow the ASPSP to display this information to the PSU. The 'On behalf of' name must be displayed to the PSU only where an Agent is acting on behalf of the AISP. AISPs must not populate the 'On behalf of' field with the details of their TSP. The customer-facing entity must provide PSUs with sufficient information to enable them to make an informed decision: for example, the purpose for which the data will be used (including whether any other parties will have access to the information), the period over which it has been requested, and when the consent for the account information will expire (consent could be ongoing or one-off). For examples of what names should be displayed, please refer to AIS Consent Dashboard & Revocation, Examples. [CEG Checklist 8]

4. AISPs should make it clear that the PSU is being asked to authenticate to extend the AISP's access to their account data and that no other element of the consent (e.g. the data permissions required, the purpose for which it will be used, etc.) will change. [CX Consideration]

5. AISPs must also allow the PSU to confirm their request after selecting the accounts. [CEG Checklist 17a]

6. AISPs must ask the PSU to undergo SCA with the AISP-provided credentials, as agreed with the ASPSPs. [CEG Checklist 17b]

7. AISPs must provide confirmation to the PSU that authentication has been successfully completed and access has been refreshed. [CEG Checklist 18a]
   Note: the AISP may make an asynchronous call to each ASPSP after the PSU has confirmed their request and successfully authenticated to continue access. The AISP should notify the PSU with an appropriate message that access to the respective account(s) will be refreshed with their ASPSP(s).
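The following is an added example, not Open Banking's own code, modelling the AISP-side flow the checklist above describes: working out which accesses need an alert (item 1), letting the PSU select accounts whether or not they are due (item 2), and refreshing the selected accesses with each ASPSP asynchronously only after SCA has succeeded (items 6 and 7). It assumes a 90-day access window (taken from this page's title, not stated in the table), treats the advance-notice period as a parameter because the page leaves it to the AISP, and simulates the ASPSP call rather than invoking a real API; the ASPSP names and account identifiers are constructed.

```python
from __future__ import annotations

import asyncio
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable

# Assumption: AISP access lapses 90 days after the PSU's last SCA (page title,
# not stated in the table). The advance-notice period is the AISP's own choice,
# so it is a parameter of due_for_alert rather than a fixed value.
ACCESS_WINDOW = timedelta(days=90)
DEFAULT_ADVANCE = timedelta(days=7)  # constructed default for this example


@dataclass
class AccountAccess:
    """One payment account the AISP holds ongoing access to."""
    aspsp: str          # the ASPSP (bank) holding the account; constructed name
    account_id: str     # AISP-side identifier; constructed for this example
    last_sca: datetime  # when the PSU last completed SCA for this access

    def expires_at(self) -> datetime:
        return self.last_sca + ACCESS_WINDOW


def due_for_alert(accesses: Iterable[AccountAccess], now: datetime,
                  advance: timedelta = DEFAULT_ADVANCE) -> list[AccountAccess]:
    """Item 1: accesses that have lapsed, or will lapse within `advance`,
    so the AISP can alert the PSU ahead of time."""
    return [a for a in accesses if a.expires_at() - now <= advance]


def selection_summary(accesses: Iterable[AccountAccess],
                      selected_ids: set[str]) -> dict[str, list[str]]:
    """Items 2-5: the PSU may select any account, due or not; the selection is
    grouped by ASPSP so the confirmation screen can state which ASPSP(s) will
    have access refreshed (item 7 note)."""
    summary: dict[str, list[str]] = {}
    for a in accesses:
        if a.account_id in selected_ids:
            summary.setdefault(a.aspsp, []).append(a.account_id)
    return summary


async def refresh_with_aspsp(access: AccountAccess, now: datetime) -> tuple[str, str, str]:
    """Item 7 note: one asynchronous call per ASPSP. The network call is
    simulated; a real AISP would perform the agreed re-authentication call here."""
    await asyncio.sleep(0)  # yield to the event loop, standing in for I/O
    access.last_sca = now   # access now runs for a fresh window from this SCA
    return (access.aspsp, access.account_id, "refreshed")


async def refresh_selected(accesses: Iterable[AccountAccess], selected_ids: set[str],
                           sca_passed: bool, now: datetime) -> list[tuple[str, str, str]]:
    """Items 6-7: refresh the selected accesses concurrently across ASPSPs,
    but only once SCA with the AISP-provided credentials has succeeded."""
    if not sca_passed:
        raise PermissionError("SCA not completed; no access refreshed")
    targets = [a for a in accesses if a.account_id in selected_ids]
    return list(await asyncio.gather(*(refresh_with_aspsp(a, now) for a in targets)))


def run_refresh(accesses: Iterable[AccountAccess], selected_ids: set[str],
                sca_passed: bool, now: datetime) -> list[tuple[str, str, str]]:
    """Synchronous entry point wrapping the asynchronous fan-out."""
    return asyncio.run(refresh_selected(accesses, selected_ids, sca_passed, now))


# Constructed sample data: three accesses at two ASPSPs, as of a fixed "now".
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    AccountAccess("Bank A", "acc-1", NOW - timedelta(days=88)),  # lapses in 2 days
    AccountAccess("Bank A", "acc-2", NOW - timedelta(days=30)),  # not due yet
    AccountAccess("Bank B", "acc-3", NOW - timedelta(days=95)),  # already lapsed
]

if __name__ == "__main__":
    due = due_for_alert(SAMPLE, NOW)
    print("alert PSU about:", [a.account_id for a in due])
    chosen = {"acc-1", "acc-2", "acc-3"}  # PSU picks all, including the one not due
    print("confirm refresh of:", selection_summary(SAMPLE, chosen))
    print(run_refresh(SAMPLE, chosen, sca_passed=True, now=NOW))
```

The gate in refresh_selected is the point worth keeping in a real implementation: no ASPSP call is made, and no access window is extended, unless SCA has actually completed, and the account not yet due (acc-2) is refreshed too because the PSU chose to include it.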