Important information for shop operators regarding the new PSD2 directive for strong customer authentication.

Article translated by machine

This text is a machine translation. A revised version is planned.

The following information constitutes legal information which in no way should replace legal advice. The information has not been claimed to be and should not be used as entirely complete and correct.

Does the new PSD2 directive on strong customer authentication affect me as the operator of an online shop?

The new technical regulatory standards of the Payment Services Directive (PSD2) have been defined by the European Payments Council, and all European shop operators are obliged to ensure improved customer authentication for online purchases.

Strong Customer Authentication (SCA) requirements are designed to increase the security of electronic payments and protect against online fraud.

You are affected if you offer payment methods that use a credit card, debit card or giro/EC card. These can also be so-called payment initiation services such as PayPal, Amazon Pay, etc., which have the customer's credit card as their payment basis.
Payments not affected  are those made by direct debit, invoice, prepayment, or bank transfer.

When will the new directive take effect?

The official start date for the new PSD2 Directive is 14 September 2019. However, the Financial Supervisory Authority has granted Bafin a transitional period that has not yet been defined. This suggests that the strong customer authentication system is gradually being introduced.

What do I as an owner of a 1&1 IONOS eShop or a MyWebsite shop have to do now?

It is your duty to ensure that the payment methods you use are PSD2 compliant, support strong customer authentication, and do not charge additional fees for payments.

You do not have to adapt anything in your online shop if you offer the following payment methods to your customers and do not charge additional fees for payments:

  • PayPal
  • Sarna
  • Moll
  • Stripe
  • Square
  • Amazon Pay
  • Skrill
  • Engineer

If you use iPayment, please read the following note:

As a shop operator, however, you should always check the payment methods you have provided. If you offer other payment methods, e.g. to accept credit card payments or online bank transfers (e.g., 2checkout), please contact the provider's support directly to ensure compliance with the strong customer authentication. You may have to make adjustments to the payment gateway here.

You may not charge any additional costs on payment. Under the PSD2 scheme it is no longer allowed to charge additional costs for a payment (surcharges, fees, additional charges). This applies to Visa and Mastercard (with the exception of commercial cards and company cards) as well as standard bank transfers and direct debits. This is independent of the chosen payment method. Please check if you charge extra for a payment method.

What changes for my customers?

If customers use payment methods when shopping on the Internet that require strong customer authentication, they must choose a combination of at least two independent authentication methods. Until now, this was not absolutely necessary. Often only the respective password or PIN was sufficient to make an online payment.

Two-factor authentication is not a new procedure in itself - what is new is that, as part of the new regulation, your usage is mandatory for all electronic payments for the first time. For example, payments via PayPal on smartphones are already partially confirmed today with the deposited fingerprint (smartphone = possession and fingerprint = inheritance).

As part of the payment process, your customers are now requested by the payment provider used (payment initiation service) to perform strong customer authentication. This happens on an interface managed by the payment provider (e.g. website or pop-up, etc.). Since the strong customer authentication applies EU-wide, customers will quickly get used to the new requirements.

How does PSD2/SCA work?

In the context of a purchase, the customer instructs a payment provider (payment initiation service, such as PayPal) to initiate a transfer at the expense of his payment account maintained with another payment institution (e.g. credit institution, bank, savings bank).

The strong customer authentication then uses two factors to check whether the buyer is also the owner of the payment method (e.g. the credit card holder). These factors are divided into three categories. As a general rule, the two factors used must come from different categories.

The usual categories at the moment are:

  • Knowledge: These include passwords or a PIN
  • Possession: For example, a credit card or smartphone
  • Inherence (characteristics or behaviour): This includes fingerprints, facial recognition or movements or patterns of movement.

The categories used and the method depend on the banking institution of the customer. This cannot be influenced by the shop owner.

Example: The procedure often used in the past to secure the credit card number with the security code on the back of the card does not correspond to the requirement of strong authentication. This is because both the credit card number and the check digit belong to the possession category. The consequence is: In addition to the credit card number, a password, a PIN or TAN or a fingerprint must also be used, since these factors are in the category knowledge or inheritance.

Are there any exceptions?

There are several exceptions where strong customer authentication is not required. The most important and likely exceptions are the following:

Purchase amount remains below 30 Euro

The customer's payment institution does not have to require authentication but can do so. If several purchases in a short period of time add up to more than 150 Euro for small amounts, this exception does not apply and the strong customer authentication is necessary again.

In addition, the check must also take place after five purchases without strong authentication, e.g. if a customer makes multiple purchases for small amounts.

Risk classification by payment institution

Due to the payment behaviour over time, the customer's payment institution can estimate the risk potential and thus classify a transaction as risk-free. Then the payment institution can also dispense with strong customer authentication.

Regular payments and subscriptions

If subscriptions are concluded or regular payments are made, the payment institution can also dispense with further strong authentication here as soon as the first payment with strong customer authentication has been made.

Manual classification of the online shop as trustworthy

Payment institutions can offer customers certain online shops and merchants to be trusted. This allows customers to deposit a list of online shops with their payment institution, for which they do not require strong customer authentication. This is not a mandatory rule and not every payment institution will offer a whitelist.