PSD2: Dynamic Linking of Pre-Generated Authentication Code

Posted on November 5, 2025

PSD2 requires remote payments to have their authentication code dynamically linked to the payment such that any change in amount or merchant would invalidate the authentication code (source):

  1. Where payment service providers apply strong customer authentication in accordance with Article 97(2) of Directive (EU) 2015/2366, in addition to the requirements of Article 4 of this Regulation, they shall also adopt security measures that meet each of the following requirements:
    1. the payer is made aware of the amount of the payment transaction and of the payee;
    2. the authentication code generated is specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;
    3. the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer;
    4. any change to the amount or the payee results in the invalidation of the authentication code generated.

In the case of mobile payments, SCA is often implemented as a requirement to unlock payment functionality, whereby holding the mobile device constitutes the possession factor and biometrics (Face ID, fingerprint scan) or a PIN provide the second authentication factor.

Once unlocked, the mobile device will have access to a "sufficiently unique" value (e.g., a long sequence of characters) that will be sent to the payment scheme after the customer has approved the payment. This unique value (in effect a payment token) will be verified by the payment scheme before the payment is allowed to proceed.

The payment token is typically generated prior to the payment. Does this satisfy the dynamic linking requirements? In particular,

the authentication code generated is specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;

seems to imply that the authentication code is generated specifically for a particular payment, and therefore cannot be pre-generated. So would it be permissible to use the payment token as the authentication code?

The answer to that is buried in the EBA's Q&A 2020_5366, viz.:

In relation to the above, provided that the above-mentioned legal requirements are being met, the authentication code could be generated and dynamically linked to the amount of the payment transaction and the payee at any stage before the final authorisation of the payment transaction by the payment services user.
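To make the distinction concrete, here is an added example (not code from the original post or from any scheme's actual implementation) of what the Q&A answer permits: a secret that is pre-provisioned to the device at enrolment, and an authentication code that is only derived from that secret at approval time, over the amount and payee the payer agreed to. The verifier recomputes the code from its own copy of the secret and the transaction it received; any change to amount or payee yields a different code, so the earlier one is invalidated. The device secret, the length-prefixed field encoding, the `transaction_id` field and the function names are all assumptions of this example, not anything the RTS or the EBA prescribes.

```python
import hashlib
import hmac

# Constructed placeholder: in a real wallet this would be a random per-device secret
# provisioned at enrolment and held by both the device (after unlock) and the verifier.
DEVICE_SECRET = bytes.fromhex("11" * 32)


def canonical_transaction(amount_minor: int, currency: str, payee: str, transaction_id: str) -> bytes:
    """Encode the fields the code must be linked to without field-boundary ambiguity.

    Each field is length-prefixed, so (amount "1", payee "0…") and (amount "10", payee "…")
    can never produce the same byte string. All fields are assumptions of this example.
    """
    encoded = b""
    for field in (str(amount_minor), currency, payee, transaction_id):
        raw = field.encode("utf-8")
        encoded += len(raw).to_bytes(2, "big") + raw
    return encoded


def generate_auth_code(secret: bytes, amount_minor: int, currency: str, payee: str, transaction_id: str) -> str:
    """Device side: derive the authentication code only once the payer has approved
    a specific amount and payee. The pre-provisioned secret is an input, not the code itself."""
    message = canonical_transaction(amount_minor, currency, payee, transaction_id)
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_auth_code(secret: bytes, amount_minor: int, currency: str, payee: str,
                     transaction_id: str, presented_code: str) -> bool:
    """Verifier side: recompute over the transaction actually being authorised and compare
    in constant time. A code generated for a different amount or payee will not match."""
    expected = generate_auth_code(secret, amount_minor, currency, payee, transaction_id)
    return hmac.compare_digest(expected, presented_code)


if __name__ == "__main__":
    # Constructed sample transaction: 19.99 EUR to a hypothetical merchant.
    code = generate_auth_code(DEVICE_SECRET, 1999, "EUR", "merchant-example", "txn-0001")
    print("original accepted:", verify_auth_code(DEVICE_SECRET, 1999, "EUR", "merchant-example", "txn-0001", code))
    print("amount changed:   ", verify_auth_code(DEVICE_SECRET, 2999, "EUR", "merchant-example", "txn-0001", code))
    print("payee changed:    ", verify_auth_code(DEVICE_SECRET, 1999, "EUR", "other-merchant", "txn-0001", code))
```

The contrast with the question in the post is that a bare payment token compared byte-for-byte by the scheme would be accepted for any amount and payee, because nothing in it depends on the transaction; binding the derivation to amount and payee at approval time is what turns a pre-generated secret into an authentication code that satisfies points 2 to 4 of the requirement quoted above.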