You cannot determine the Personally Identifiable Information classification of data (per GDPR) by looking at the data alone. In fact, non-PII data can become PII when provided to third parties which naturally has significant compliance consequences.
We can't find the internet
Attempting to reconnect
Something went wrong!
Hang in there while we get back on track
The regulatory language around dynamic linking of authentication codes in remote payments seems to imply that the authentication code must be generated in response to payment creation, but a Q&A clarifies that the authentication code may be created at any stage before the final authorization of the payment transaction by the user.
Whenever a payment is initiated via consumer scan, such as a mobile app scanning a QR code, the payment is considered "remote" according to PSD2 even when the consumer is physically at the merchant's location which is considered a "card present" context for card payments. As a result, certain regulatory considerations come into play, such as dynamic linkin of authorization codes.
1