
PSD2 - the new Payment Services Directive

new obligations for online banking and payment on the Internet

With the revised Payment Services Directive (PSD2), which has been in force since 13 January 2018, the European Union has fundamentally changed the payment landscape. PSD2 determines how payments within the European Economic Area will be processed in the future. Above all, banks and financial institutions face major challenges in implementing the requirements, especially as they are obliged, among other things, to provide third-party payment service providers with access to their banking systems. But online merchants must also comply with the new requirements.

Aiming to better protect online buyers, PSD2 demands more security in online purchases and introduces strong customer authentication (SCA), also known as two-factor authentication.

strong customer authentication with Micropayment

strong customer authentication for online transactions


As of 14/09/2019, an online transaction must be verified by requesting two of the following three characteristics: possession (e.g. card, mobile phone), knowledge (e.g. PIN) or personal or physical characteristics ("inherence", e.g. fingerprint, face recognition). Concretely, a physical item such as a smartphone can be combined with a one-time password or fingerprint before the online payment can be made.

The use of strong customer authentication for all online transactions will be mandatory (with a few exceptions) as of 14/09/2019, as new regulatory technical standards of the European Banking Authority will enter into force at that time.

What is strong customer authentication?

The authentication of a transaction must contain two or more of the following criteria:


something you know

  •   password
  •   passphrase
  •   PIN
  •   number sequence
  •   secret question

something you are

  •   fingerprint
  •   facial features
  •   voice recognition
  •   iris recognition
  •   DNA signature

something you own

  •   mobile phone
  •   wearable devices (e.g. smartwatch)
  •   smart card
  •   token
  •   badge


Strong customer authentication is always required if

  1. someone accesses their payment account online
  2. someone triggers a payment process electronically or
  3. someone remotely takes action that carries the risk of fraud in payment or other misuse.

In addition, the following criteria must be met:

  • if an element was not entered correctly, there must be no indication of which element was wrong
  • multiple incorrect entries lead to blocking
  • the session times out after 5 minutes of inactivity following a successful login
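
The three criteria above, together with the two-factor rule, as an added Python sketch (not Micropayment's code). The class name `ScaSession`, the limit of three failed attempts and the sample PIN and one-time code are assumptions made for illustration; the page only says "multiple incorrect entries".

```python
import hmac
import time

MAX_FAILURES = 3        # assumption: the page says only "multiple incorrect entries"
IDLE_TIMEOUT = 5 * 60   # seconds: the 5-minute inactivity limit from the list

class ScaSession:
    """Hypothetical SCA gate; verifiers maps a factor category to a check function."""

    def __init__(self, verifiers, clock=time.monotonic):
        self.verifiers = verifiers
        self.clock = clock
        self.failures = 0
        self.last_activity = None  # None means "not authenticated"

    def authenticate(self, presented):
        """presented maps category -> value; returns 'ok', 'failed' or 'blocked'."""
        if self.failures >= MAX_FAILURES:
            return "blocked"
        # Dict keys are unique, so two entries mean two different categories.
        checked = [cat for cat in presented if cat in self.verifiers]
        # Check every element (no short-circuit) and report one generic result.
        results = [self.verifiers[cat](presented[cat]) for cat in checked]
        if len(checked) >= 2 and all(results):
            self.failures = 0
            self.last_activity = self.clock()
            return "ok"
        self.failures += 1
        return "blocked" if self.failures >= MAX_FAILURES else "failed"

    def is_active(self):
        """True while authenticated and idle for less than IDLE_TIMEOUT."""
        now = self.clock()
        if self.last_activity is None or now - self.last_activity >= IDLE_TIMEOUT:
            self.last_activity = None
            return False
        self.last_activity = now  # activity restarts the idle timer
        return True

# Constructed sample credentials, for illustration only.
VERIFIERS = {
    "knowledge": lambda v: hmac.compare_digest(str(v).encode(), b"1234"),
    "possession": lambda v: hmac.compare_digest(str(v).encode(), b"492817"),
}

def demo():
    s = ScaSession(VERIFIERS)
    one, two = {"knowledge": "1234"}, {"knowledge": "1234", "possession": "492817"}
    return [s.authenticate(one), s.authenticate(two), s.is_active()]
```

A single correct factor and a wrong second factor both produce the same `failed` result, so the response does not reveal which element was wrong.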


In future, nothing more than a fingerprint queried via the customer's mobile device will be required to authenticate and release transactions. Instead of relying on the traditional password ("something you know"), your customers can now combine "something you own" (e.g. a smartwatch) with "something you are" (e.g. a fingerprint).

example: strong customer authentication in e-commerce with credit card (fingerprint)


Who needs to employ strong customer authentication?

Pursuant to Art. 97 PSD2, PSPs must implement strong customer authentication requirements.

It follows from PSD2 that the requirements for strong customer authentication apply "only" to the payment service providers defined in PSD2. As a merchant and website operator, you are therefore not required to comply directly with the directive.

Small payments less than EUR 30.00 (gross) still do not require strong customer authentication. However, this will only apply up to a total amount of EUR 150.00 or five consecutive payments, with the period for these successive payments not being determined. The payer's bank keeps track of the amount and the periods of payments made.

For subscriptions or recurring transactions with a fixed amount, only the first transaction that triggers the subscription must be released with strong customer authentication, and subsequent transactions can be executed without strong customer authentication. If the amount changes, a new strong customer authentication for each new amount is required.

We see a challenge in recurring transactions with changing amounts. However, regulators have confirmed that "merchant-initiated transactions" are outside the scope of strong customer authentication requirements under PSD2, so most subscription payments are not affected by strong customer authentication.

Phone payment transactions are in all cases not affected by strong customer authentication. MOTO transactions (mail order/telephone order) are not considered "electronic" payments and are therefore outside the scope of PSD2.
Payments between two companies can still be implemented without strong customer authentication when using a payment method that is intended for such B2B payments. Which payment methods qualify is determined by the interpretation of banks and regulators. The most common payment methods such as debit and credit card will be among them.
Payments where the issuer of the payment card is not located in the European Union are also excluded from strong customer authentication. This means that the acceptance of payments from non-European buyers within Europe will still not be a problem.

What are the exceptions?

Appropriate exceptions may be requested for certain transactions. Such exemptions are designed to ensure that customers can enjoy a simple shopping experience with added security. Among other things, there are the following exceptions to the obligation to perform strong customer authentication:

perfectly equipped

Micropayment solutions combine comfort and security


The introduction of the new procedures requires a high level of acceptance from consumers and merchants. To ensure that the payment process in your online shop is not overly affected by the new authentication methods, Micropayment is currently working with its cooperation partners on solutions that enable convenient payment processes and meet the requirements of the PSD2 directive.

The ultimate goal is to make all transactions as secure as possible and to implement all legal requirements in a timely manner. Micropayment payment window transactions will meet strong customer authentication requirements as of September 14, 2019. The factor of inherence plays an important role, as it transmits behavior-based information to a transaction.

While the new requirements will undoubtedly bring challenges for businesses and banks, Micropayment solutions will mitigate the impact on your online store.


If you use the Micropayment payment windows, you are well prepared for the PSD2 and strong customer authentication requirements.

If you use our API interfaces, please contact us separately. It follows from PSD2 that the requirements for strong customer authentication apply "only" to the payment service providers defined in PSD2. As a merchant and website operator, you are therefore not required to comply directly with the directive. By using our API interfaces, however, you have indirect obligations to support payment service providers in implementing strong customer authentication. With our API, you can also carry out your own implementation of strong customer authentication right now, if you wish.
