2-factor authentication: this is how online shopping is changing

With online banking, you have to confirm your identity now using a second factor. Because the grace period for online trading expired at the end of the year, the same now applies to paying for online purchases. We also provide information on the Ecodesign Directive 2021 and the new energy labels.

The Second European Payment Services Directive, often abbreviated as PSD2, has been in effect for online banking since autumn 2019. You don’t have to confirm your identity with a second factor at every login, but at the latest every 90 days and for certain transactions. It is precisely this so-called strong authentication that has also applied to purchases on the Internet since the beginning of January.

Originally, the PSD2 (“Payment Services Directive 2”) was supposed to apply across the EU for all areas from the start, but online retailers in this country received a 15-month grace period from the Federal Financial Supervisory Authority (BaFin) as the responsible supervisory authority. During this time, it was still sufficient for customers paying online to enter their credit card number and, if necessary, the three-digit card verification number. This transition period expired on January 1st, so strong customer authentication (SCA for short) now also applies to many payment methods on the Internet and must be integrated by all online retailers into the checkout process of their shops.

Strong customer authentication now also for online payments

For online payment by credit card, the card must be registered and activated at the bank for the 3DS security function.


The two-factor authentication of the EU Payment Services Directive requires consumers to prove their identity using at least two of three possible and mutually independent security factors – knowledge, possession and inherence (biometrics). Knowledge includes, for example, a password or PIN; possession is a mobile phone, or a credit or debit card in connection with a TAN generator; inherence can be verified by face recognition or fingerprint.

The new obligation applies to payments with EC or debit cards as well as to the payment service providers PayPal and Klarna. Payments by direct debit are excluded because they are initiated by the merchant and not by the customer. When paying by invoice, it depends on how the customer settles the amount later: by paper transfer form as before, or via online banking, where PSD2 already applies. Online payment with the mobile phone remains as easy as before, because Apple and Google have already implemented two-factor authentication in the payment process.

For the implementation of strong authentication with the frequently chosen credit card payment option, a distinction must be made between the issuers and the providers: the cards are issued by the financial institutions, i.e. the banks and savings banks, while Mastercard, Visa and American Express act as providers. Although the banks are responsible for the SCA process, in practice they use the providers’ 3-D Secure process (“3DS”). How the actual authentication step works is again determined by the financial institution: via SMS-TAN, an app on the smartphone, a TAN generator, photo TAN or online banking. You can find out which procedure your bank uses on its website. In order to be able to pay with your credit card at European online retailers in the future, you must register for the 3DS function “Visa Secure” or “Mastercard Identity Check” with your bank.

There are also a few exceptions to the new PSD2 rules: amounts up to 30 euros, recurring payments such as subscriptions, and “trusted merchants” that the customer can register with his or her financial institution.
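The two rules described above, the requirement for two independent factor categories and the exemptions list, can be modelled as a small decision function. The following is an added illustration, not code from the article or from any bank or card scheme; the factor names, the `Payment` fields and the trusted-merchant list are constructed for the example, and the real PSD2 exemption rules carry further conditions that this sketch does not model.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class FactorCategory(Enum):
    """The three mutually independent SCA categories named in the directive."""
    KNOWLEDGE = "knowledge"      # something the customer knows (password, PIN)
    POSSESSION = "possession"    # something the customer has (phone, card + TAN generator)
    INHERENCE = "inherence"      # something the customer is (fingerprint, face)


# Constructed mapping of authentication methods to their category.
# Two methods from the same category do NOT count as two factors.
FACTOR_CATEGORY = {
    "password": FactorCategory.KNOWLEDGE,
    "pin": FactorCategory.KNOWLEDGE,
    "sms_tan": FactorCategory.POSSESSION,
    "tan_generator": FactorCategory.POSSESSION,
    "app_push": FactorCategory.POSSESSION,
    "fingerprint": FactorCategory.INHERENCE,
    "face_recognition": FactorCategory.INHERENCE,
}

LOW_VALUE_LIMIT_EUR = Decimal("30")  # "amounts up to 30 euros" from the article


@dataclass(frozen=True)
class Payment:
    amount_eur: Decimal
    initiated_by_customer: bool   # direct debit is merchant-initiated -> out of scope
    recurring: bool               # e.g. a subscription renewal
    merchant_id: str              # hypothetical identifier used for the trusted list


def sca_required(payment: Payment, trusted_merchants: frozenset) -> bool:
    """Return True if strong customer authentication must be performed."""
    if not payment.initiated_by_customer:
        return False                                  # direct debit: excluded
    if payment.recurring:
        return False                                  # subscription exemption
    if payment.merchant_id in trusted_merchants:
        return False                                  # whitelisted merchant
    if payment.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return False                                  # low-value exemption
    return True


def factors_satisfy_sca(factors) -> bool:
    """True only if the presented factors span at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def authorize(payment: Payment, factors, trusted_merchants: frozenset) -> bool:
    """Combine both rules: exempt payments pass, others need two independent factors."""
    if not sca_required(payment, trusted_merchants):
        return True
    return factors_satisfy_sca(factors)


if __name__ == "__main__":
    trusted = frozenset({"shop-constructed-001"})
    big = Payment(Decimal("120.00"), True, False, "shop-constructed-002")
    print(authorize(big, ["password", "pin"], trusted))        # False: same category twice
    print(authorize(big, ["password", "sms_tan"], trusted))    # True: knowledge + possession
    print(authorize(Payment(Decimal("29.99"), True, False, "x"), [], trusted))  # True: exempt
```

The point worth noticing is in `factors_satisfy_sca`: a password plus a PIN, or a fingerprint plus face recognition, is still a single factor category and is rejected, which is exactly the "mutually independent" requirement the directive states.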


Bank must grant third party access to customer accounts

Since the Second European Payment Services Directive came into force in September 2019, financial institutions have also had to give so-called third-party payment service providers access to their customers’ bank accounts – provided the customer expressly consents. These can be services for retrieving account information, checking account coverage or initiating payments. Payment initiation services, for example, let you pay for online purchases without having to log into your bank’s online banking every time.

While access to account information and coverage checks is granted to third-party providers for a certain period of time, a payment initiation service requires your renewed approval for each individual payment. You give your basic consent for such third-party providers at your financial institution after logging in, usually in the “personal area”; the same applies to revoking it. If in doubt, check with your bank.
