Strong customer authentication is now required for online shopping

With the entry into force in full of the second Payment Services Directive (PSD2) on 14 September 2019, online stores and mobile applications are obliged to pay greater attention to checking the identity of the payer. New operators are entering the payment market. Swindlers may also become more active.

As of mid-September, strong authentication of the customer is mandatory in online payment transactions, such as online payments. As a general rule, mere Information of the payment card will not be sufficient in paying online purchases; instead, consumers are required to authenticate themselves with their bank codes, single-use SMS passwords or fingerprints, for example. In traditional brick-and-mortar stores, a payment card and a PIN number will suffice.

When paying or using their account, customers using a paper code card issued by their bank are required to authenticate themselves with an additional certificate, such as an SMS certificate.

The directive allows for certain exceptions to strong authentication of the customer. Authentication is not mandatory for online payments less than EUR 30 in value, or in contactless payments less than EUR 50 in value, for example. There are also other exceptions, but the account-keeper bank may also require strong authentication in situations falling within such exceptions.

New account and payment services              

New operators are also entering the payment market.

Payment initiation service providers enable payments being transferred from a bank account via a party other than the consumer’s own bank. In practice, the consumer may authorise the seller to charge the purchases they make directly to their own bank account without the consumer needing to use their payment card or online bank.

With the agreement of the consumer, account information service providers gather information on payment accounts that the consumer has designated. Based on such information, the consumer may be offered various additional services, such as applications facilitating the management of their economy. The account information service provider may only use, obtain or keep information on the consumer’s payments for a purpose expressly requested by the consumer.

The provision of payment initiation services requires a license, and the account information service providers must register with the banking authorities. In Finland, licenses and registrations are granted by the Financial Supervisory Authority. The Consumer Ombudsman supervises new operators in cases where the user of a payment service is a consumer.

How can the consumer distinguish between reliable service providers and swindlers?

Bank codes must never be disclosed to parties other than one’s own bank. However, the consumer may pay via a licensed payment initiation service provider using their own bank codes.

In practice, before joining a payment or account information service, the consumer should check the basic information on the service provider, such as the company name, contact information, and, also, check the company’s network address. A reliable service provider provides information on itself, its activities, its contact information and on its supervisory authority on its website. However, a swindler may disguise their website to resemble a reliable website.

Consumers may check licensed and registered operators in the registers of the Financial Supervisory Authority and the European Banking Authority.

When in a problem situation, turn to your bank

The adoption of strong customer authentication may initially be accompanied with problems and delays. If a bank has not required strong customer authentication in electronic payments, the consumer may reclaim a refund from the bank. Banks are obligated to give a true image of their liabilities.

If the consumer has used a licensed payment initiation service or an account information service, and if problems arise with payments, the consumer may lodge a complaint with the bank.

Online phishing of bank details has increased, and consumers may be misled to disclose their bank codes to a swindler who gives a superficial impression of being a reliable provider of payment initiation or account information services. If you notice that you have been scammed, immediately contact your bank and ask it to close your bank IDs.