NFC Retries Don't Need Re-Auth Under PSD2

Understanding session-based authentication in contactless payments

Should users re-authenticate every time an NFC payment fails due to a quick tap? Most assume PSD2 requires it, but the regulations tell a different story. This article breaks down what Strong Customer Authentication actually means for proximity payments, drawing parallels to chip-and-PIN cards and explaining why a single unlock can legitimately cover multiple tap attempts. If you're building mobile payment experiences, understanding this distinction between authentication and authorization could transform your UX without compromising compliance.

PSD2: Dynamic Linking of Pre-Generated Authentication Code

The regulatory language around dynamic linking of authentication codes in remote payments seems to imply that the authentication code must be generated in response to payment creation, but a Q&A clarifies that the authentication code may be created at any stage before the final authorization of the payment transaction by the user.

PSD2: POS Consumer Scans are Still Remote

Whenever a payment is initiated via consumer scan, such as a mobile app scanning a QR code, the payment is considered "remote" according to PSD2 even when the consumer is physically at the merchant's location which is considered a "card present" context for card payments. As a result, certain regulatory considerations come into play, such as dynamic linkin of authorization codes.