Payment service providers based in Germany will be allowed to make credit card payments on the Internet from 14 September 2019, even without strong customer authentication. The Federal Financial Supervisory Authority (BaFin) will not object to this at first. In doing so, it aims to prevent disruptions to Internet payments and to allow a smooth transition to the new requirements of the Second Payment Services Directive (PSD 2).
From September 14, 2019, strong customer authentication is required for online payments. This is intended to make online shopping safer. For credit card payments, it is no longer enough to enter only the credit card number and check number. Customers must also provide a transaction number that was previously sent to their mobile phone, for example, and a password.
According to BaFin, card-issuing payment service providers in Germany are prepared for the new requirements. This is different for companies that use credit card payments on the Internet as a payee. They still require considerable adjustment. In order for consumers and businesses to continue to pay online by credit card, BaFin will temporarily not insist on strong customer authentication for online credit card payments. The European Banking Authority (EBA) had given this possibility to the national supervisors. The level of security that is already customary for Internet payments remains. Civil liability rules, for example between the credit card holder and the payment service provider, remain unaffected by the measure, so that consumers and other payers on the Internet do not suffer any disadvantage.
The facilitations are temporary. When they expire will be determined by BaFin after consulting market participants and coordinating with the EBA and the national European supervisory authorities. In the meantime, BaFin expects all stakeholders to adapt their infrastructures as quickly as possible to enable strong customer authentication in the cases provided for by law. Concrete migration plans must be drawn up for this purpose. The facilitations relate exclusively to credit card payments on the Internet.
Background to PSD2
PSD 2 requires payment service providers to perform Strong Customer Authentication from September 14, 2019, when the payer triggers an electronic payment transaction. The requirements apply throughout the European Union.
Strong customer authentication uses two independent elements. These must come from two of the three categories of knowledge, possession and inherence. Examples include a password (knowledge), a mobile phone (possession), or a personal fingerprint (inherence).
The strong customer authentication requirements also apply to credit card payments on the Internet. The usual authentication via the entry of credit card number and check digit does not meet the new requirements. Rather, two additional elements from the above categories must also be used here. Exceptions to the new requirements are narrowly limited and concern, for example, certain small-amount payments.