The new EU ‘Delegated Regulation’ on strong customer authentication enters into force on Saturday (14 September 2019). You have to identify yourself in two different ways to complete an online purchase or bank transaction.
The EU’s new Payment Services Directive “PSD2” comes into force on 14 September to make online banking and electronic payments safer in the European Economic Area, which comprises the EU countries plus Iceland, Liechtenstein and Norway.
Henceforth, you will have to identify yourself in two different ways to complete an online purchase or bank transaction. Two-factor authentication means that the customer identifies themselves with two different elements of identity, taken from two of the three categories “knowledge”, “possession” and “inherence”:
- “Knowledge” (something only the payer knows): e.g. password or PIN
- “Possession” (something only the payer possesses): e.g. token or smartphone
- “Inherence” (something that identifies the payer): e.g. fingerprints
To make a payment by online bank transfer, in addition to the user ID (the account number and the password), the bank customer must henceforth enter a TAN generated for that specific transaction and delivered by SMS, bank app or TAN generator. Alternatively, the fingerprint reader on the smartphone can be used. The old paper TAN lists (iTAN) issued by German banks have been abolished and replaced with this two-factor authentication.
Two-factor authentication for online bank transfers is already the norm. What is new, however, is that from now on customers will also have to identify themselves with two factors when they log in to their bank’s online platform. “If you want to log into your bank account online in the future, you will not only need username and password or account number and PIN, but you will also have to confirm your identity with a security procedure in a further step,” said Postbank.
Moreover, for payment by credit card for an online purchase, entering the credit card number, expiration date and the three-digit verification (security) number will no longer be sufficient for authentication. A further authentication via a code (TAN) that is generated by a bank app or arrives as an SMS on the smartphone (mobile TAN or photo TAN) will be required. This means credit card users must also be registered for online banking.
The new regulation exempts the following cases from the two-factor authentication obligation because their risk of misuse is low:
- Contactless payments at point of sale up to 50 EUR
- Unattended terminals for transport fees and parking fees, such as tolls
- Beneficiaries classified as trustworthy by the payer
- Recurring payment transactions
- Transfers between accounts held by the same person
- Low-value transactions up to 30 EUR
- Payment methods with a high level of security, to which only companies are admitted
- Transactions that the payment service provider’s transaction risk analysis classifies as low risk
- Retrieval of account balance and turnover via online banking
Further exemptions may apply, depending on the risks involved, the value of transactions and the channels used for the payment. Please contact your bank for more details.
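The decision logic the exemptions above describe, written out as an added example (it is not from the original article or from any bank’s implementation); the Transaction fields, the channel names and the order in which the exemptions are checked are assumptions made for illustration:

```python
from dataclasses import dataclass

# The three factor categories named in the regulation.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
CATEGORIES = {KNOWLEDGE, POSSESSION, INHERENCE}


def is_strong_authentication(factors):
    """True only if the presented factors span at least two *different* categories.
    Two knowledge factors (password + PIN) do not count as two-factor authentication."""
    cats = set(factors)
    return cats <= CATEGORIES and len(cats) >= 2


@dataclass
class Transaction:
    # Assumed, simplified transaction model for the exemption check.
    amount_eur: float
    channel: str                 # "contactless_pos", "unattended_terminal", "online", "balance_query"
    recurring: bool = False
    trusted_beneficiary: bool = False
    same_holder_accounts: bool = False
    corporate_secure_scheme: bool = False
    psp_risk_low: bool = False


def exemption_for(txn):
    """Return the name of the first exemption that applies, or None if SCA is required.
    The check order is an assumption; the amounts are those stated in the article."""
    if txn.channel == "balance_query":
        return "account balance / turnover retrieval"
    if txn.channel == "contactless_pos" and txn.amount_eur <= 50:
        return "contactless POS up to 50 EUR"
    if txn.channel == "unattended_terminal":
        return "unattended transport / parking terminal"
    if txn.trusted_beneficiary:
        return "trusted beneficiary"
    if txn.recurring:
        return "recurring transaction"
    if txn.same_holder_accounts:
        return "transfer between own accounts"
    if txn.amount_eur <= 30:
        return "low-value transaction up to 30 EUR"
    if txn.corporate_secure_scheme:
        return "secure corporate payment scheme"
    if txn.psp_risk_low:
        return "transaction risk analysis: low risk"
    return None


def authorise(txn, factors):
    """A transaction may proceed if it is exempt or if it was strongly authenticated."""
    return exemption_for(txn) is not None or is_strong_authentication(factors)
```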