Authentication Methods

ASPSP applies an available exemption

This version is:

This is the latest version Published 3 months ago 28 Jun 2024

SCA and the application of exemptions are solely within the domain of the ASPSP. When the ASPSP determines an exemption is applicable to a payment order, they may choose not to apply SCA.

Other pages in this section

User Journey

Main content image

SCA-RTS includes a number of available exemptions which permit an ASPSP not to apply SCA based on the availability of certain criteria, which consider factors such the amount, the beneficiary and the risk analysis of the transaction.

When the ASPSP determines that an available exemption is applicable to the payment order submitted via the PISP, they may choose not to apply SCA. The SCA and the application of exemptions are solely within the domain of the ASPSP.

Wireframes

To demonstrate an app based redirection part of the journey we have used one variation of PIS journey (Single Domestic Payments – a/c selection @ PISP) as an example, where the ASPSP receives all the details of the payment order from the PISP.

This redirection flow applies to other variations of PIS journeys covered in detail under section Payment Initiation Services (PIS).

This content is best viewed on a desktop browser.

1

CEG Checklist Requirements 1
PISPs must allow the PSU to either enter the account details or select the account with their ASPSP

2

CEG Checklist Requirements 2
PISPs must communicate information clearly to the PSU when obtaining consent in order to initiate the payment order

4

CEG Checklist Requirements 4
If the PSU has an ASPSP app installed on the same device the redirection must invoke the ASPSP app for authentication purposes only without introducing any additional screens and offer the same authentication method(s) available to the PSU when authenticating in their ASPSP’s direct channels.

5

CEG Checklist Requirements 5
ASPSPs must display as minimum the Payment Amount, Currency and the Payee Account Name on to make the PSU aware of these details (unless an SCA exemption is being applied). These details must be displayed as part of the authentication journey on at least one of the following screens without introducing additional confirmation screens (unless supplementary information is required, refer to section Single Domestic Payments – Supplementary info): 1. Authentication screen; 2. ASPSP to PISP outbound redirection screen.

6

CEG Checklist Requirements 6
ASPSPs app based authentication must have no more than the number of steps that the PSU would experience when directly accessing the ASPSP mobile app (biometric, passcode, credentials).

10

CEG Checklist Requirements 10
PSU must be redirected straight back to the PISP website/app on the same device where PISP displays confirmation of successful initiation.

CEG Checklist Requirements & Customer Experience Considerations
CEG Checklist Reference

1

AISPs must initially ask the PSU to identify the ASPSP so that the consent request can be constructed in line with the ASPSP’s data clusters.

24

2

PISPs must communicate information clearly to the PSU when obtaining consent in order to initiate the payment order.

8

PISPs should provide messaging on their inbound redirection screen to inform PSU that they will be taken to their ASPSP to authenticate to complete the payment. PISP should display in the Redirection screen the Payment Amount, Currency and the Payee Account Name to make the PSU aware of these details.

4

If the PSU has an ASPSP app installed on the same device the redirection must invoke the ASPSP app for authentication purposes only without introducing any additional screens and offer the same authentication method(s) available to the PSU when authenticating in their ASPSP’s direct channels.

5a

5

ASPSPs must display as minimum the Payment Amount, Currency and the Payee Account Name on to make the PSU aware of these details (unless an SCA exemption is being applied). These details must be displayed as part of the authentication journey on at least one of the following screens without introducing additional confirmation screens (unless supplementary information is required, refer to section Single Domestic Payments – Supplementary info):

  1. Authentication screen;
  2. ASPSP to PISP outbound redirection screen.

28

6

ASPSPs app based authentication must have no more than the number of steps that the PSU would experience when directly accessing the ASPSP mobile app (biometric, passcode, credentials).

1

The ASPSP may to apply an available SCA exemption.

ASPSPs should have outbound redirection  screen which indicates the status of the request and informs the PSU that they will be automatically taken back to the PISP.

ASPSPs should inform the PSU on the outbound redirection screen that their session with the ASPSP is closed.

10

PSU must be redirected straight back to the PISP website/app on the same device where PISP displays confirmation of successful initiation.

26

What the research says

 

Click for customer research