The European Banking Authority commented on “Strong Authentication” (“SCA”) in transactions made as part of a digital staged wallet
Digital staged wallet (staged) is a PSP solution that allows customers to pay for purchases without showing a physical credit or debit card. Customers upload their card details to the digital wallet application of their choice and pay by bringing their smartphone or smartwatch closer to a compatible terminal or by selecting one of the save payment methods when making an online purchase.
Apple Pay and PayPal are examples of digital wallets. In a staged wallet – as opposed to a “pass through” wallet, a funding stage and a payment stage are used. In the former, the wallet „acquires” funds from the buyer, and in the latter, it delivers them to the seller. Therefore the wallet act as an intermediary. The card issuer or the network does not even need to know what type of card has been used, or any other transaction information that is disclosed in the regular digital „wallet” operation. Staged wallets include PayPal, Google Wallet, and Square Cash.
In question 2018_4133 to the EBA, the EBA was asked to clarify whether one SCA applied to the payer is sufficient for digital staged wallet transactions. The question suggested that the wallet funding stage could be considered already initiated by the wallet operator acting as merchant and as such not require another customer SCA. The next stage, i.e. the transfer of funds to the seller (ultimate merchant), would take place without the customer’s participation.
EBA replied that as a rule, payments made on the basis of a standing agreement between the customer and the merchant authorizing the merchant to initiate further payments in connection with the supply of goods or services may be considered as transactions initiated by the payee, provided that these payments are not dependent on the specific action of the payer to initiate payment by the recipient.
In a „staged” wallet, if the customer has registered a payment card as a funding source, the SCA must be applied to payer initiated transactions in accordance with Art. 97 sec. 1b of PSD2, unless an exception from Regulation 2018/389 applies.
In this particular case, and where the funding transaction is initiated by the wallet provider on the basis of a (standing) agreement between the customer and the wallet provider, the funding transaction can be considered as a payee initiated transaction, provided that some specific criteria are met. The SCA should therefore only be used when adding a payment instrument to the wallet – in line with Art. 97 sec. 1 lit. c) of the PSD2 directive.