PSD2 directive on strong customer authentication: important information for shop operators
Please use the “Print” function at the bottom of the page to create a PDF.
Please note: The following information is not intended to replace legal advice. No claim is made for completeness and correctness!
Does the new PSD2 directive on strong customer authentication affect me as a shop operator?
The new technical regulatory standards of the Payment Service Directive 2 (PSD2) have been defined by the European Banking Authority, and all European shop operators are obliged to ensure improved customer authentication for online purchases.
The requirements for strong customer authentication (SCA) are intended to increase the security of electronic payments and thus protect against fraud when shopping online.
You are affected if you offer payment methods that use a credit card, debit card, or giro/EC card. These can also be so-called payment initiation services such as PayPal, Amazon Pay, etc., which have stored the customer's payment details.
Payments by direct debit, invoice, prepayment, and bank transfer are not affected.
When will the new directive come into force?
The official start date for the new PSD2 directive is September 14, 2019, although the financial supervisory authority Bafin has granted an undefined transition period for Germany. This suggests that there will be a gradual switch to strong customer authentication.
What do I have to do now as the shop operator of a IONOS Online Shop or a MyWebsite shop?
It is your duty to ensure that the payment methods you use are PSD2 compliant, support strong customer authentication, and do not charge any additional fees for payments.
Youdo not need tochange anything in your online shop if you offer the following payment methods to your customers and do not charge any additional fees for payments:
- PayPal
- Mollie
- Stripe
- Square
- Amazon Pay
- Skrill
- Ingenico
If you offer other payment methods, e.g. to accept credit card payments or online bank transfers (e.g. authorize.net, 2checkout), please contact the respective provider's support directly to ensure compliance with strong customer authentication. You may need to make adjustments to the payment gateway.
You may not charge any additional costs for payment. As part of the PSD2 regulation, it is no longer permitted to charge additional costs for a payment (surcharges, surcharges, additional fees). This applies to Visa and Mastercard (except for commercial cards and corporate cards) as well as standard bank transfer and direct debit. This is independent of the selected payment method. Please check whether you charge additional costs for a payment method.
What will change for my customers?
If customers use payment methods when shopping online that require strong customer authentication, you must choose a combination of at least two independent authentication types when shopping online from the time strong customer authentication comes into effect. Previously, this was not mandatory; often only the respective password or PIN was sufficient to make an online payment.
Two-factor authentication is not a new procedure in itself - what is new is that its use is mandatory for all electronic payments for the first time as part of the new regulation. For example, some PayPal payments are already confirmed via smartphone with the stored fingerprint (smartphone = possession and fingerprint = inherence).
As part of the payment process, your customers are now requested by the payment provider used (payment initiation service) to carry out strong customer authentication. This takes place on an interface managed by the payment provider (e.g. website or pop-up, etc.). As strong customer authentication applies throughout the EU, customers will quickly get used to the new requirements.
How does PSD2/SCA work?
As part of a purchase, the customer instructs a payment provider (payment initiation service, e.g. PayPal) to initiate a transfer from their payment account held with another payment institution (e.g. credit institution, bank, savings bank).
Strong customer authentication then uses two factors to check whether the purchaser is also authorized to use the payment method (e.g. the credit card holder). These factors are divided into three categories. The basic rule is that the two factors used must come from different categories.
The usual categories presented are
- Knowledge: This includes passwords or a PIN
- Possession: For example, a credit card or a smartphone
- Inherence (characteristics or behaviour): This includes fingerprints, facial recognition, or movements
The categories used and the method depend on the customer's bank. This cannot be influenced by the shop operator.
An example: The method often used in the past to secure the credit card number with the security code on the back of the card does not fulfil the requirement of strong authentication. This is because both the credit card number and the security code belong to the possession category. As a result, a password, PIN, TAN, or fingerprint must now be used in addition to the credit card number, as these factors are categorised as knowledge or inherence.
Are there any exceptions?
There are various exceptions where strong customer authentication can be ignored. The most important and most likely exceptions are the following:
Purchase amount remains below 30 euros
The customer's payment institution does not have to require authentication, but can do so. If several purchases for small amounts totalling over 150 euros are made in a short period of time, this exception does not apply and strong customer authentication is required again.
In addition, the check must also take place after five purchases without strong authentication, e.g. if a customer makes multiple purchases for small amounts.
Risk classification by payment institution
Based on payment behaviour over time, the customer's payment institution can assess the risk potential and thus classify a transaction as risk-free. The payment institution can then also dispense with strong customer authentication.
Regular payments and subscriptions
If subscriptions are taken out or regular payments are made, the payment institution can also dispense with further strong authentication as soon as the first payment with strong customer authentication has been made.
Manual categorisation of the online shop as trustworthy
Payment institutions can offer customers the option of categorising certain online shops and merchants as trustworthy. For example, the customer can have a list of online shops deposited with their payment institution for which they do not require strong customer authentication. This is not a mandatory regulation and not every payment institution will offer such a list.
Content
- Does the new PSD2 directive on strong customer authentication affect me as a shop operator?
- When will the new directive come into force?
- What do I have to do now as the shop operator of a IONOS Online Shop or a MyWebsite shop?
- What will change for my customers?
- How does PSD2/SCA work?
- Are there any exceptions?
- To top