On 14 September, the European Union's directive on payment services entered into force. It imposes new obligations on banks and payment institutions, including intermediaries in online payments, among them the need to introduce so-called strong (double) authentication for electronic payments.
For buyers and online payers, the new rules mean changes in the identity verification process for online shopping. Strong authentication will require the use of at least two of three elements: something the customer knows (e.g. a PIN or password), something the customer has (e.g. a phone) and something the customer is (e.g. a fingerprint, face recognition or voice), experts from PayU explain.
When paying with a pay-by-link transfer, double authentication will involve, for example, logging into electronic banking (something the customer knows: the password) and then entering the code received by SMS (something the customer has: the phone). It is therefore worth having your phone with you when shopping online.
For certain exceptions (e.g. low-risk transactions or transactions below 30 euros), the bank will still be able to authenticate transactions on the old principles (e.g. without requiring an SMS code).
Users paying by credit or debit card can expect changes to the 3D Secure procedure so that it fully meets the requirements of strong authentication.
This may mean, for example, that in addition to entering the code from the SMS (something the customer has), the customer will need to log into the card issuer's electronic banking, or to confirm the payment biometrically by logging into the card issuer's mobile banking application (something the customer is: a fingerprint).
However, acquirers may still apply exemptions from strong authentication, enabling payment with a saved card without the 3D Secure procedure.
BLIK users will notice the fewest changes, because this solution already uses double authentication: a one-time code generated in the mobile application (something the customer has) and logging into the bank's mobile application.
Payments for subscription-based services, i.e. repeated payments of the same or different value to the indicated merchant, will also be exempt from strong authentication. Only the moment of consenting to recurring charging and saving the card will require strong authentication. You can still create lists of trusted recipients or set up standing orders, and here strong authentication will be required once.
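As an added illustration (not code from the article, PayU or any bank named here), the following encodes the rules described above as a small decision function: a factor check that insists on two *different* categories, and the exemptions (below 30 euros, low risk, acquirer saved-card exemption, recurring charges after a consented mandate, trusted recipient lists). The `Payment`/`Customer` types, field names and the `low_risk` flag are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from decimal import Decimal

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
# Category of each authentication element named in the article (constructed mapping).
FACTOR_CATEGORY = {
    "password": KNOWLEDGE, "pin": KNOWLEDGE,
    "sms_code": POSSESSION, "app_push": POSSESSION, "token": POSSESSION,
    "fingerprint": INHERENCE, "face": INHERENCE, "voice": INHERENCE,
}
LOW_VALUE_LIMIT_EUR = Decimal("30")  # article: transactions below 30 euros may be exempted

def is_strong(factors: list[str]) -> bool:
    # Two elements from *different* categories are needed; password + PIN is not SCA.
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2

@dataclass
class Payment:
    amount_eur: Decimal | str           # str accepted so money never passes through float
    payee_id: str
    low_risk: bool = False              # outcome of the provider's risk analysis (assumed input)
    recurring_mandate_id: str | None = None   # charge under an existing subscription
    saved_card_acquirer_exempt: bool = False  # acquirer applies the saved-card exemption

    def __post_init__(self) -> None:
        self.amount_eur = Decimal(self.amount_eur)

@dataclass
class Customer:
    trusted_payees: set[str] = field(default_factory=set)      # list created with SCA
    consented_mandates: set[str] = field(default_factory=set)  # consent given with SCA

def sca_decision(p: Payment, c: Customer) -> tuple[bool, str]:
    """Return (sca_required, reason); log the reason so exemption use stays auditable."""
    if p.recurring_mandate_id is not None:
        if p.recurring_mandate_id in c.consented_mandates:
            return False, "recurring charge under a mandate consented with SCA"
        return True, "first charge: consent to recurring billing needs SCA"
    if p.payee_id in c.trusted_payees:
        return False, "payee on trusted list created with SCA"
    if p.amount_eur < LOW_VALUE_LIMIT_EUR:
        return False, "low-value exemption (below 30 EUR)"
    if p.low_risk:
        return False, "low-risk exemption chosen by the bank"
    if p.saved_card_acquirer_exempt:
        return False, "saved card, acquirer exemption (no 3D Secure)"
    return True, "default: strong authentication required"
```

Ordering matters: the mandate check runs first so that a first subscription charge of 9.99 EUR still triggers strong authentication instead of slipping through the low-value exemption.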
The changes are intended to increase the security of online transactions, especially now, when fraudsters more and more frequently attempt card fraud or try to log into e-banking accounts.
What is Changing in Banks?
According to experts from the Bankier.pl website, PKO BP customers, for example, can use mobile authorization in the IKO application and two-step login to the iPKO and Inteligo e-banking systems. Once enabled, when logging into e-banking, in addition to entering the iPKO/Inteligo password as usual, the customer will also confirm the login in the mobile application.
As before, various forms of authorization can be used, e.g. SMS codes or one-time codes from a code card.
When logging in to online and mobile banking, Bank Pekao will require, at least every 90 days, an SMS code or a code generated by the PeoPay application. The customer must also provide the code when viewing transaction history older than 90 days or when making a payment transaction.
If strong authentication is required when logging in to the PeoPay mobile application, the customer will be asked to enter the PIN, even if biometric login is set up. For payment transactions, a number of exclusions from strong authentication will apply, e.g. transfers between own accounts or to defined recipients.
Pekao has also decided to withdraw authorization methods incompatible with strong authentication (the one-time code card and the token) and to keep authorization methods based on SMS codes and push messages (from the PeoPay application).
Santander Bank Polska will always require strong authentication. The additional security factor (besides the password) is a token, smsKod or mPodpis, at the customer's choice. A new feature is the ability to define a computer as a trusted device; the additional factor will then be required only from time to time.
When logging in to online banking, mBank will ask customers to provide an SMS password or to confirm the operation with mobile authorization. The exception is when the customer adds the computer to the trusted ones; the bank will then ask for additional login confirmation only occasionally.
At ING Bank, the system may ask you to enter an authorization code from an SMS while logging in. Not every login will need two-stage confirmation: an SMS will be required for some logins. When the user logs in, the security system will assess whether additional authorization is needed. The bank will not use mobile authorization for logging into the account.
Additional login confirmation may also appear in the mobile application. The bank will then ask not only for your fingerprint or PIN but for both factors.
Be Careful Outside the Union.
When traveling to countries outside the EU, check which additional authentication methods your bank requires from September 14 and choose one that does not require enabling data transfer, e.g. SMS confirmation. The cost of receiving incoming messages is usually covered by the network, ZBP reports.
Scammers May Take Advantage of the Changes.
The Polish Financial Supervision Authority draws attention to the need to exercise extreme caution and appeals to clients of financial institutions to comply with the communication standards established by those institutions.
Suspicion should be aroused by all kinds of emails, SMS messages and telephone contact attempts citing the entry into force of the new rules in which the customer is asked to provide sensitive data, that is, login details for electronic banking, authorization codes, PINs or personal data; is informed about a blocked account; or is asked to click on a link sent by email or SMS, change the password or other login details, open a suspicious attachment using the sent link, or launch or install a sent application. If in doubt, contact your payment service provider.