Strong customer authentication: rules for online banking and online shopping
Payments on the internet and online access to a payment account are subject to the requirement for strong customer authentication – also known as “two-factor authentication”. This requirement serves to enhance the security of electronic payments and to protect the data visible in online banking against unauthorised access.
What does “strong customer authentication” mean?
Strong customer authentication means that internet users must apply at least two security features to authenticate their identity. These features must come from two different categories among the three of knowledge, possession and inherence; two features from the same category (two passwords, for example) are not sufficient.
An example of the knowledge category is a password. A mobile phone – or, to be precise, a SIM card – is an example of the possession category. You can prove that you are the owner of the SIM card by entering a transaction number (TAN) that has been sent to your mobile phone. The inherence category involves personal or physical features, such as your fingerprint.
Rules do not apply to every payment
These rules only apply to payment services and payment accounts. The latter include, for example, standard current accounts, but not savings accounts or securities accounts. Banks offering both current accounts and securities accounts or savings accounts are nevertheless likely to require strong customer authentication across the board.
This includes making transfers via online banking as well as paying by credit card or using online payment services. When you use your credit card for online payments, it is not sufficient to enter only the data visible on the card, including the card verification value (CVV) on the back. Customers are also asked, for example, to enter a secret password and provide a transaction number (TAN) sent to their mobile phone.
For online direct debit payments, however, which are a very common means of payment, strong customer authentication is not required, as the payment is initiated by the retailer.
Exemptions from the strong customer authentication requirement
Not every activity you carry out online requires strong customer authentication.
This is the case, for example, if you only want to check the account balance on your payment account or the transactions executed in the last 90 days. In these cases, it is sufficient to carry out strong customer authentication every 180 days. Payment service providers may also forgo strong customer authentication if they consider the risk associated with the payment to be low based on an automated, real-time risk analysis. In order to prevent misuse, however, there is a statutory cap in this regard: payment service providers may make use of this exemption only if they keep the share of misappropriated payments below this threshold.
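The two-category rule and the exemptions above, written out as an added Python example that is not part of the original page. The fraud-rate cap is an assumed placeholder, since the text gives no figure, and the action names and Request fields are my own.

```python
"""Check whether presented elements count as SCA, and whether an action needs it."""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows, e.g. a password
    POSSESSION = "possession"  # something only the user has, e.g. the SIM receiving a TAN
    INHERENCE = "inherence"    # something the user is, e.g. a fingerprint


@dataclass(frozen=True)
class Element:
    name: str
    category: Category


def is_strong_authentication(elements: Iterable[Element]) -> bool:
    """At least two elements, drawn from at least two different categories.
    Two passwords (knowledge + knowledge) therefore do not qualify."""
    elems = list(elements)
    return len(elems) >= 2 and len({e.category for e in elems}) >= 2


# Assumed placeholder, not a figure from the page: the statutory cap on the share of
# misappropriated payments below which a provider may use the low-risk exemption.
TRA_FRAUD_RATE_CAP = 0.001


@dataclass
class Request:
    action: str                  # "balance", "history", "transfer", "direct_debit"
    days_since_last_sca: int     # age of the last completed SCA on this account
    history_days: int = 0        # how far back the requested transaction list reaches
    tra_fraud_rate: Optional[float] = None  # provider's measured fraud rate, if it runs TRA


def sca_required(req: Request) -> bool:
    """Apply the exemptions described in the text; anything not exempted needs SCA."""
    if req.action == "direct_debit":
        return False                          # initiated by the retailer, not the payer
    if req.action in ("balance", "history"):
        if req.action == "history" and req.history_days > 90:
            return True                       # older history is outside the exemption
        return req.days_since_last_sca > 180  # exempt only while the last SCA is recent
    if req.tra_fraud_rate is not None and req.tra_fraud_rate < TRA_FRAUD_RATE_CAP:
        return False                          # low-risk payment under real-time risk analysis
    return True                               # transfers, card payments and the rest
```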
What to keep in mind when you are online
When you are pursuing online activities, you should take care to protect your data and follow these rules:
- Never give away your confidential login data when you are prompted to do so in an email or a phone call. No bank or payment service provider would ask you to do that.
- Do not open attachments, links or downloads in emails from unfamiliar senders.
- Be careful when scanning QR codes and opening the links they carry.
- Verify the details shown in your authentication tool (pushTAN app on your smartphone, for example). If in doubt, cancel the transaction you may be trying to carry out.
- Only download files from legitimate sources.
- If you doubt the authenticity of a letter, email or phone call, contact your bank without delay.
- Be careful with your data when using the internet and social media.
- Keep your operating system, internet browser and virus scanner up to date.
- Should you identify unauthorised online payments from your account, alert your bank immediately.