From September 14, 2019, payment service providers based in Germany will be allowed to process online credit card payments without strong customer authentication for the time being. The Federal Financial Supervisory Authority will not initially object to this. The aim is to prevent disruptions to online payments and enable a smooth transition to the new requirements of the Second Payment Services Directive, PSD 2 for short.
From September 14, 2019, strong customer authentication will be required for online payments. This is intended to make shopping on the Internet more secure. For credit card payments, it is no longer enough to enter only the credit card number and check number. Customers must also provide a transaction number that was previously sent to their mobile phone, for example, and a password.
According to BaFin’s assessment, the card-issuing payment service providers in Germany are prepared for the new requirements. The situation is different for companies that use credit card payments on the Internet as payment recipients. They still require considerable adjustment. To ensure that consumers and companies can still pay online by credit card, BaFin will temporarily not insist on strong customer authentication for online credit card payments. The European Banking Authority had granted the national supervisors this option. The level of security that is already customary for Internet payments remains. Civil liability regulations, for example between the credit card holder and the payment service provider, remain unaffected by the measure, so that consumers and other payers on the Internet are not disadvantaged.
The facilitations are temporary. BaFin will determine when they expire after consulting the market participants and coordinating with the EBA and the national European supervisory authorities. In the meantime, BaFin expects all parties involved to adapt their infrastructures as quickly as possible so that they enable strong customer authentication in the cases provided for by law. Concrete migration plans must be drawn up for this purpose. The simplifications relate exclusively to credit card payments on the Internet.
Background to PSD 2
PSD 2 obliges payment service providers to carry out strong customer authentication from September 14, 2019 when the payer initiates an electronic payment transaction. The requirements apply throughout the European Union.
Strong customer authentication uses two independent elements. These must come from two of the three categories of knowledge, possession and inherence. Examples include a password (knowledge), a mobile phone (possession), or a personal fingerprint (inherence).
The requirements for strong customer authentication also apply to credit card payments on the Internet. The usual authentication via the entry of credit card number and check digit does not meet the new requirements. Instead, two additional elements from the above categories must also be used here. Exceptions to the new requirements are narrowly limited and concern, for example, certain small-amount payments.