September 14 marks another milestone for PSD2: by September 14, 2019 at the latest, payment service providers in the EU will have to carry out “Strong Customer Authentication” (SCA) whenever the payer triggers an electronic payment transaction.

The new term “Strong Customer Authentication” means that the payer is identified using two independent elements. The elements must come from two of the following three categories:

  • knowledge,
  • possession and
  • inherence.

Examples are a password (knowledge), a mobile phone (possession), or a fingerprint (inherence).

The new SCA requirements are now supposed to apply to credit card payments on the Internet as well. The authentication currently used, entering the credit card number and CVV number, does not meet the new requirements. Rather, two additional elements from the above-mentioned categories must also be used. Exceptions to the new requirements are strictly limited and include, for example, certain small amount payments.

BaFin has already announced, however, that it will postpone SCA for credit card payments for the time being (see https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Pressemitteilung/2019/pm_190821_PSD2_Kundenauthentifizierung_en.html). Payment service providers have therefore gained some time to prepare for the implementation of the new PSD2 requirements in Germany. It will be necessary, however, to closely observe how BaFin's position develops.

Download our previous articles on PSD2 topics here:

February 02, 2019 One year of PSD2 – current developments

On to the final round: The European Commission’s final RTS on PSD2

Practical tip: The SCA requirements primarily affect payment service providers, although other e-commerce players, such as online stores, should also check with their payment service providers to see if the SCA requirements are being met.