Online payments over the Internet have existed for decades, but only in the last two have they grown to become the preferred option for much of the world. Paying online is easy and fast, but it can sometimes be very insecure, which is why the European Union has launched a new directive, PSD2, to make online payments between users and companies safer throughout the EU.
The Second Payment Services Directive (PSD2) is a regulation that aims to strengthen the security of digital payment services and reduce the fraud that occurs in online transactions. PSD2 entered into force on September 14, 2019 and is mandatory for all companies in the European Economic Area that carry out online transactions.
"Enhanced Authentication", or SCA, is one of the requirements imposed by the regulation: a merchant must authenticate the customer with multiple factors. The goal is to confirm that the person making the online purchase is indeed the account holder. In fact, from September 14 banks may refuse payments that do not meet this requirement.
How PSD2 affects the user
How does this new regulation for companies and businesses ultimately affect users? Basically, everything will now be done through the mobile phone, discarding elements such as coordinate cards (the typical physical card the bank gives you with a grid of PIN codes used to validate an operation when shopping online). According to the OSI, the Office of Internet Security, "you will need your mobile device to be able to make purchases over the Internet, since this measure is mandatory and identification by means of coordinate cards disappears".
From now on, each bank will decide "how it identifies you unequivocally using at least two authentication factors. Some banks will ask their customers to install an application on their mobile device, and others will send a code via SMS".
The methods SCA will require, and the exceptions
Enhanced Authentication requires companies to use at least 2 of the following 3 authentication methods:
- Something the user owns: such as a mobile phone.
- Something the user knows: such as a PIN or password.
- Something inherent to the user: such as biometric or voice recognition.
In addition, one of the three methods must meet the following requirements or it will not be valid:
- It preserves the confidentiality of the other authentication elements;
- It cannot be replicated or reused;
- It cannot be stolen over the Internet.
As in any process, there are exceptions; neither companies nor users will have to comply with the new EU rules in the following cases:
- Payments below €30 do not need customer authentication. However, if several payments below that amount add up to more than €100, or exceed 5 transactions, the bank will require authentication.
- Recurring or fixed payments are exempt once SCA has been applied to the first one. Recurring transactions initiated before the PSD2 obligation will not have to be authenticated.
- Trusted stores that the user has added to their "white list".
- Payments in which one of the parties is outside the European Economic Area.
- Payments made in person are also exempt from the regulation, unless the payment is made with contactless technology and exceeds €50.
- Payments made with corporate cards.
- Phone sales.
- Operations whose payment has been initiated by phone or email.
According to the OSI, it is important that "you understand and know the guarantees offered by the measures implemented":
- If something fails during the authentication process, you should not be able to tell which authentication element was incorrect.
- The number of failed attempts before the user is blocked, temporarily or permanently, will be at most 5 attempts in a given time.
- Communication sessions will be encrypted and protected against manipulation by unauthorized persons.
- After authentication, the user cannot remain inactive for more than 5 minutes.
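As an added illustration (not code from the article or from the OSI), the exemption rules and the authentication guarantees above can be written down as a small policy evaluator. The thresholds are the article's figures; the exact boundary semantics of "exceed", the `CardState` counters and the function names are my assumptions.

```python
from dataclasses import dataclass, field

LOW_VALUE_LIMIT = 30.0      # single remote payment below this may skip SCA
CUMULATIVE_LIMIT = 100.0    # total of exempt payments allowed since the last SCA
MAX_EXEMPT_COUNT = 5        # exempt payments allowed since the last SCA
CONTACTLESS_LIMIT = 50.0    # in-person contactless payments above this need SCA
MAX_FAILED_ATTEMPTS = 5     # failed attempts before the user is locked out

@dataclass
class CardState:
    """Constructed per-card counters (assumption); a real issuer keeps these server-side."""
    spent_since_sca: float = 0.0
    count_since_sca: int = 0
    failed_attempts: int = 0
    locked: bool = False
    whitelist: set = field(default_factory=set)  # merchants the holder trusts

def sca_required(state, amount, merchant, *, in_person=False, contactless=False,
                 recurring=False, first_of_series=True, counterparty_in_eea=True):
    """True when SCA must be applied, after checking the article's exemptions."""
    if not counterparty_in_eea:        # one party outside the EEA: out of scope
        return False
    if in_person:                      # only contactless above the limit needs SCA
        return contactless and amount > CONTACTLESS_LIMIT
    if recurring:                      # only the first payment of a series
        return first_of_series
    if merchant in state.whitelist:    # holder's trusted ("white list") merchant
        return False
    low_value = (amount < LOW_VALUE_LIMIT
                 and state.spent_since_sca + amount <= CUMULATIVE_LIMIT
                 and state.count_since_sca < MAX_EXEMPT_COUNT)
    return not low_value

def record_payment(state, amount, sca_applied):
    """Update the running counters after a payment; a completed SCA resets them."""
    if sca_applied:
        state.spent_since_sca, state.count_since_sca = 0.0, 0
    else:
        state.spent_since_sca += amount
        state.count_since_sca += 1

def check_factors(state, factor_results):
    """factor_results maps factor name -> bool. The reply is deliberately generic so
    the caller cannot learn which factor failed; 5 failures lock the user."""
    if state.locked:
        return "account temporarily locked"
    if len(factor_results) >= 2 and all(factor_results.values()):
        state.failed_attempts = 0
        return "authenticated"
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        state.locked = True
    return "authentication failed"
```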