13. September 2019 | Background

Strong Customer Authentication: What changes will the new EU directive mean for e-shoppers?

Strong Customer Authentication (SCA) becomes mandatory on 14 September 2019 under the second Payment Services Directive (PSD2). The directive not only tightens the login procedure for online banking; it also imposes stricter requirements on online payment transactions in future.

Why is this necessary?

Worldwide online retail will be worth more than one trillion dollars by 2022. With that comes a growing risk of fraud in online payments. According to the European Central Bank's most recent estimates, card fraud alone already amounts to around EUR 1.3 billion. Stronger security measures are intended to make online payment transactions safer.

What does this mean for online shopping?

Until now, paying in most online shops required nothing more than the card number, the expiry date and the three-digit card security code, all of which are printed on the card and all of which a fraudster obtains together when card data leak. In future, the payment is confirmed in an additional step. Strong authentication requires at least two of the three factors knowledge (something only the customer knows, such as a PIN or password), possession (something only the customer has, such as a registered smartphone, a bank card or a TAN generator) and inherence (something the customer is, such as a fingerprint or face). The factors must be independent of each other, so that compromising one does not compromise the other.

With the app-based method, the customer registers the banking app on a particular smartphone; the registered device is the possession factor. The app then releases a transaction authentication number, a "TAN", only after the customer unlocks it with a password or PIN (knowledge) or with a fingerprint or facial recognition via the front camera (inherence). Alternatively, some banks send a TAN by SMS to the registered mobile number (mobile TAN) or rely on ChipTAN: the customer inserts the bank card into a TAN generator issued by the bank, and the generator computes a one-time TAN, the card being the possession factor. A currently less common method is PhotoTAN, in which the customer scans a matrix code (a QR-like image) displayed by the bank with a proprietary bank app or reader to obtain the TAN. In each case the TAN is tied to the specific payment (PSD2 calls this dynamic linking): the generator or app shows the amount and recipient, and a TAN issued for one transfer is useless for another. SMS TANs are the weakest of these variants, because an attacker who takes over the mobile number, for instance through a SIM swap, receives the TAN as well.
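To make the mechanism concrete, here is a miniature model of a transaction-bound TAN. It is an added example written for this page, not the page's or any bank's code: the real ChipTAN and PhotoTAN schemes are proprietary, so the class and function names, the PBKDF2/HMAC construction, the IBANs and the user "alice" are all assumptions of the example. What it keeps is the security-relevant structure: a device secret (possession) combined with a PIN (knowledge) yields the TAN key, and the TAN is a MAC over payee, amount and a one-time challenge, so the bank can reject a replayed TAN, a TAN computed for a different transfer, or a TAN produced with the wrong PIN.

```python
"""Transaction-bound TAN ("dynamic linking") in miniature.

Added example for this page; not the page's or any bank's code.
Real ChipTAN/PhotoTAN generators use proprietary EMV-based schemes;
this model keeps only the security-relevant structure:

  possession : a device secret provisioned into the user's app/TAN device
  knowledge  : a PIN the user types; without it the device secret is useless
  linking    : the TAN is an HMAC over payee + amount + a one-time challenge,
               so a TAN approved for one transfer cannot be reused for another
"""
import hashlib
import hmac
import secrets

TAN_DIGITS = 6

# Constructed sample IBANs for the demo (not real accounts).
SHOP_IBAN = "DE89370400440532013000"
ATTACKER_IBAN = "DE02120300000000202051"


def derive_tan_key(device_secret: bytes, pin: str) -> bytes:
    """Combine possession (device secret) and knowledge (PIN) into one key.

    A stolen device secret alone, or a phished PIN alone, yields a different
    key and therefore TANs the bank will reject.
    """
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000)


def transaction_message(payee_iban: str, amount_cents: int, challenge: str) -> bytes:
    """Canonical encoding of exactly what the user is approving.

    The bank shows the same payee and amount on the TAN device/app; the
    binding only protects the user if they actually compare these values.
    """
    return f"{payee_iban}|{amount_cents}|{challenge}".encode()


def generate_tan(tan_key: bytes, payee_iban: str, amount_cents: int, challenge: str) -> str:
    """Derive a short numeric TAN from an HMAC over the transaction data.

    Dynamic truncation as in RFC 4226 (HOTP) turns the 32-byte MAC into a
    6-digit code the user can type into the shop's confirmation page.
    """
    msg = transaction_message(payee_iban, amount_cents, challenge)
    mac = hmac.new(tan_key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** TAN_DIGITS:0{TAN_DIGITS}d}"


class BankServer:
    """Issuer side (hypothetical): enrols devices, issues challenges, verifies TANs."""

    def __init__(self):
        self._keys = {}      # user -> TAN key stored at enrolment (simplified)
        self._pending = {}   # challenge -> (user, payee_iban, amount_cents)
        self._used = set()   # consumed challenges, for replay protection

    def enrol(self, user: str, pin: str) -> bytes:
        device_secret = secrets.token_bytes(32)
        self._keys[user] = derive_tan_key(device_secret, pin)
        return device_secret  # provisioned into the user's app/device

    def start_transfer(self, user: str, payee_iban: str, amount_cents: int) -> str:
        """Record the transfer exactly as submitted and hand out a one-time challenge."""
        challenge = secrets.token_hex(8)
        self._pending[challenge] = (user, payee_iban, amount_cents)
        return challenge

    def verify_tan(self, challenge: str, tan: str) -> bool:
        """Recompute the TAN over the *recorded* transfer; reject unknown or reused challenges."""
        if challenge in self._used or challenge not in self._pending:
            return False
        user, payee_iban, amount_cents = self._pending.pop(challenge)
        self._used.add(challenge)
        expected = generate_tan(self._keys[user], payee_iban, amount_cents, challenge)
        return hmac.compare_digest(expected, tan)


def demo() -> dict:
    """A legitimate EUR 49.99 purchase, then a replay, a tampered payee and a wrong PIN."""
    bank = BankServer()
    device_secret = bank.enrol("alice", pin="4711")
    app_key = derive_tan_key(device_secret, "4711")      # what Alice's app holds

    ch = bank.start_transfer("alice", SHOP_IBAN, 4999)
    tan = generate_tan(app_key, SHOP_IBAN, 4999, ch)
    legit = bank.verify_tan(ch, tan)                     # True
    replay = bank.verify_tan(ch, tan)                    # False: challenge consumed

    # Man-in-the-browser swaps the payee before the transfer reaches the bank.
    # Alice's app computes the TAN for the shop she intended to pay, so the
    # bank's recomputation over the tampered transfer does not match.
    ch2 = bank.start_transfer("alice", ATTACKER_IBAN, 4999)
    tampered = bank.verify_tan(ch2, generate_tan(app_key, SHOP_IBAN, 4999, ch2))

    # Device secret stolen, PIN guessed wrong: wrong key, wrong TAN.
    ch3 = bank.start_transfer("alice", SHOP_IBAN, 4999)
    thief_key = derive_tan_key(device_secret, "0000")
    wrong_pin = bank.verify_tan(ch3, generate_tan(thief_key, SHOP_IBAN, 4999, ch3))

    return {"legit": legit, "replay": replay, "tampered": tampered, "wrong_pin": wrong_pin}


if __name__ == "__main__":
    print(demo())
```

Note the limitation the model makes visible: if the tampered payee had been displayed to Alice and she had approved it without reading the display, the TAN would have verified. Dynamic linking only protects a customer who checks the amount and recipient shown by the generator or app.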

Are there any exemptions?

Purchases of up to EUR 30 are exempt, although the bank must request strong authentication again once the customer's unauthenticated payments add up to EUR 100 or five transactions in a row. Recurring payments of the same amount to the same payee, such as subscription fees for a streaming service, require strong authentication only for the first payment. Payments by direct debit or on invoice are not affected, because the customer does not initiate them online with the card. Customers can also add their preferred merchants to a list of trusted beneficiaries held with their bank; adding a merchant to the list itself requires strong authentication, but later purchases in that online shop are exempt from the two-factor check. Whether an exemption is actually applied is always the bank's decision, so a customer may still be asked for a TAN even when a purchase would qualify.