EU Payment Services Directive 2 (PSD2)

Improved security for credit card payments

On 14.09.2019, the new regulatory technical standards under the Payment Services Directive (PSD2) came into effect. They were defined by the European Banking Authority and require all European online merchants to provide stronger customer authentication for online purchases.

In practice, every credit card payment accepted by a European online merchant must be authenticated "strongly", i.e. with a second check that the buyer is actually the cardholder. This procedure is called two-factor authentication (2FA, or two-step confirmation).

The requirements for Strong Customer Authentication (SCA) are intended to increase the security of electronic payments and thus protect against fraud when shopping online. Because of the Payment Services Directive (PSD2), banks use the 3-D Secure procedure for the two-factor authentication of credit card payments as of September 2019.

What is 3-D Secure?

Starting 14 September 2019, the 3-D Secure procedure provides better protection against fraud for credit card payments made when shopping online. 3-D Secure uses identification features known only to the cardholder to ensure that the payment is actually confirmed by the legitimate cardholder.

In addition to the card number and the security code, a further feature, for example a password, a fingerprint or Face ID (face recognition), is now also required. To provide it, consumers are redirected to their credit card company, where they release the payment by entering the additional security feature, similar to the second step of two-factor authentication during a login.

For consumers, 3-D Secure offers a more enjoyable and secure shopping experience. Here's how easy it is to pay by credit card for online purchases:

  • The customer enters their credit card information (card number + security code) on the merchant's website.
  • The merchant forwards the customer to the credit card company's website and the customer enters the additional security feature there. For example: password, PIN, TAN, or biometric data (fingerprint, face recognition, etc.).
  • Assuming the security checks are passed, the payment is released, and the order is completed.

What does strong customer authentication mean?

With strong authentication, identity is proven by two factors drawn from defined categories. The two factors used for strong authentication must always come from different categories.

Currently, the usual categories are:

  • Knowledge: something only the cardholder knows, such as a password or a PIN.
  • Possession: something only the cardholder has, for example a credit card or a smartphone.
  • Inherence (characteristics or behaviour): something the cardholder is or does, such as a fingerprint, facial recognition, or movement patterns.

Example: The procedure often used in the past, confirming the credit card number with the security code on the back of the card, does not comply with the requirements of strong authentication. This is because the credit card number and the security code (CVC) both belong to the Possession category. As a result, in addition to the credit card number, you must also use a password, a PIN or TAN, or a fingerprint, since these factors come from the other categories (Knowledge or Inherence).

Two-factor authentication is not a new procedure in itself. What is new is that, due to the new regulation, the use of 2FA is mandatory for all first-time electronic payments.

Are there any exceptions?

Yes, the Payment Services Directive allows some exceptions, such as using lower security requirements for smaller amounts. The credit card company providing authentication decides whether an exception is permitted or not.
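The category rule above (two factors, from two different categories) and the issuer-side exemption decision can be written down as a small check. The following Python code is an added example, not code from this page or from any card scheme or bank; the table assigning evidence types to categories, the `tan` classification, and the low-value limit passed into `authorise` are assumptions made for illustration, since the page names no amounts.

```python
from enum import Enum


class Category(Enum):
    """The three SCA factor categories named in PSD2."""
    KNOWLEDGE = "knowledge"    # something only the cardholder knows
    POSSESSION = "possession"  # something only the cardholder has
    INHERENCE = "inherence"    # something the cardholder is or does


# Constructed table for this example: which category each piece of
# submitted evidence belongs to. A real issuer keeps its own classification.
EVIDENCE_CATEGORY = {
    "card_number": Category.POSSESSION,   # printed on the card
    "cvc": Category.POSSESSION,           # also printed on the card
    "password": Category.KNOWLEDGE,
    "pin": Category.KNOWLEDGE,
    "tan": Category.POSSESSION,           # assumption: TAN delivered to a registered device
    "fingerprint": Category.INHERENCE,
    "face_id": Category.INHERENCE,
}


def sca_categories(evidence):
    """Map the submitted evidence to the set of distinct categories it covers.

    Unknown evidence types are rejected rather than silently ignored, so a
    typo in a caller can never accidentally count as a factor.
    """
    unknown = [e for e in evidence if e not in EVIDENCE_CATEGORY]
    if unknown:
        raise ValueError(f"unclassified evidence: {unknown}")
    return {EVIDENCE_CATEGORY[e] for e in evidence}


def satisfies_sca(evidence):
    """True only if at least two *different* categories are present.

    Card number + CVC is a single category (possession), so it fails;
    card number + PIN covers possession + knowledge, so it passes.
    """
    return len(sca_categories(evidence)) >= 2


def authorise(evidence, amount_eur, low_value_limit_eur):
    """Sketch of the issuer-side decision.

    A payment is released when the evidence satisfies SCA, or when the
    issuer chooses to apply a low-value exemption. `low_value_limit_eur`
    is an assumed, issuer-configured limit (hypothetical, not from the page).
    Returns (released, reason).
    """
    if satisfies_sca(evidence):
        return True, "strong customer authentication satisfied"
    if amount_eur <= low_value_limit_eur:
        return True, "low-value exemption applied by issuer"
    covered = sorted(c.value for c in sca_categories(evidence)) or ["none"]
    return False, f"categories covered: {covered}; second factor required"


if __name__ == "__main__":
    # Constructed sample decisions with an assumed limit of 30 EUR.
    print(authorise(["card_number", "cvc"], 120.0, 30.0))
    print(authorise(["card_number", "cvc", "pin"], 120.0, 30.0))
    print(authorise(["card_number", "cvc"], 20.0, 30.0))
```

The point of keeping `sca_categories` separate is that the decision depends on the *set* of categories, not on how many pieces of evidence were supplied: three possession-type items still count as one factor, and two biometric readings (fingerprint plus face) likewise fail the check.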