Published: 22.08.2019 | Press release | 21 August 2019

PSD 2: BaFin allows for simplifications in customer authentication

As a temporary measure, payment service providers domiciled in Germany will still be allowed to execute credit card payments online without strong customer authentication after 14 September 2019. The Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht – BaFin) will not object to such transactions for the time being. This is intended to prevent disruptions to online payment processes and to facilitate the smooth transition to the new requirements of the Second Directive on Payment Services (PSD 2).

Strong customer authentication will be a requirement for online payments from 14 September 2019. This is intended to make internet shopping more secure. For credit card payments, it will no longer be sufficient to enter the credit card number and card verification value (CVV). Customers will have to complete additional steps, such as providing a transaction number (TAN) sent to their mobile telephone in addition to entering a password.

In BaFin’s estimation, card issuing payment service providers in Germany are prepared for the new requirements. The situation is different, however, for companies that make use of online credit card payments as recipients. In this area, substantial adjustments are still needed to meet the new requirements. To allow consumers and companies to continue using credit cards for online payments, BaFin will temporarily refrain from applying the requirements for strong customer authentication for online credit card payments. This possibility was granted to the national supervisory authorities by the European Banking Authority (EBA). The security level currently in place for internet payments will remain. Provisions under civil law with regard to liability between, for example, the credit card holder and the payment service provider are unaffected by this measure, meaning it will bring no disadvantages for consumers and other online payers.

The simplifications are temporary. BaFin will determine when they expire following consultation with market participants and in coordination with the EBA and the European national supervisory authorities. In the meantime, BaFin expects that all those affected adjust their infrastructures as soon as possible so that they are able to facilitate strong customer authentication where this is required by law. Concrete migration plans should be developed for this purpose. The simplifications only apply to credit card payments online.

Background to the PSD2

Under the PSD2, payment service providers will be required, from 14 September 2019, to apply strong customer authentication where the payer initiates an electronic payment. The requirement applies throughout the European Union.

Strong customer authentication makes use of two independent elements. These must be derived from two of the following three categories: knowledge, possession and inherence. Examples of these categories include a password (knowledge), a mobile telephone (possession) or a fingerprint (inherence).

The requirements for strong customer authentication also apply to credit card payments made online. The current standard method of authentication, which involves entering the credit card number and CVV, does not meet the new requirements. Two elements taken from the categories outlined above must also be used for credit card payments. Exceptions to the new requirements are very restricted and apply, for example, to certain low-value payments.

(Further information on strong customer authentication and on exceptions to the requirements can be found on the BaFin website at https://www.bafin.de/SharedDocs/Veroeffentlichungen/DE/Fachartikel/2018/fa_bj_1806_Starke_Kundenauthentifizierung.html – only available in German).
