From September, an EU directive will make paying for online purchases safer and cheaper through two-factor authentication. An overview of the new online payment practices.

What does two-factor authentication mean?

When a user makes a purchase online, it should be ensured that this person is actually authorized to do so. For example, if a hacker gets access to a customer’s login information, the hacker can shop through the customer’s account, at least if only one factor is required to identify yourself as the owner of an account: in this case the login data, i.e. username and password.

Two-factor authentication is intended to prevent precisely this case by requesting a second factor to confirm the user’s identity before ordering. In the example, this could be a PIN that the customer receives on his mobile phone and has to enter. This would make it much more difficult for the hacker to misuse the customer data, because he would also need the customer’s mobile phone in order to be successful.

Two-factor authentication therefore means that at least two out of three factors must be present for an online order to be carried out.

These factors can be something that only the legitimate user has (for example, a smartphone), something that only the user knows (for example, a password), or something that only the user is (for example, biometric evidence such as a fingerprint scan).

Changes in payment in online shops

Until now, consumers have simply logged on to payment services with their access data in order to use the service. Now that strong customer authentication is required, they will have to identify themselves through additional factors in the future.

In addition to a password or PIN, credit card or bank card data, these can also be codes that are sent to the mobile phone. Mobile TANs via SMS (mTAN) or photo TANs via smartphone apps are available for this purpose. Transaction numbers sent by post will be prohibited in future. Modern functions such as fingerprint recognition or certain software for voice and face recognition have been added. The directive also enables third-party payment providers to trigger payment transactions directly. This means that there is no longer any need to go through the bank to debit the account. This requires a new interface to the account, which banks make available after registration.

This new payment procedure should be an alternative to the established payment by credit card or PayPal. Ideally, the new competition between banks, online merchants and credit card providers will result in greater user-friendliness.

Online banking

Strong customer authentication ensures that no unauthorized person makes payments from someone else’s account. For this additional verification, a unique security code can be used, which is sent as mTAN via SMS, for example. Depending on the bank, this verification takes place either at each access or every three months.

According to the new directive, simply unlocking a smartphone banking app with a password, fingerprint or face recognition is also no longer sufficient. The regulation also applies to third-party financial apps that can be used to manage multiple accounts.

Pay by credit card

In the future, online purchases with a credit card will require more than the credit card number, expiration date and check digits. Security services such as “Verified by Visa” or “Mastercard SecureCode” already require an additional TAN for online orders.

However, online shoppers can also confirm legitimate payment with fingerprints or facial recognition. Many financial institutions already offer such identification via biometric features such as fingerprints in their apps. Other providers would have to retrofit by the deadline. With these measures, the EU Commission wants to make it more difficult for fraudsters to use stolen credit card and access data.

PayPal, Paydirect & Co.

Some service providers offer procedures in which you pay for online purchases without logging in. PayPal offers “One-Touch”, for example, and Amazon “1-Click”. The extent to which they implement the provisions of the EU Directive is still unclear.

Possible exceptions

Low value purchases

An exception to the additional proof is possible for small amounts under 30 euros. Strong authentication is only necessary again if five purchases have already been made without it or if the total amount is over 100 euros.

Exception lists

To avoid the need for constant strong authentication, buyers could tell their bank their favorite online stores. These are then placed on an exception list of secure payment recipients – a “whitelist”. After a single authentication, payment transactions are just as convenient as before. However, the banks are not obliged to offer this to their customers.

Another option is transaction risk analysis (TRA). If banks consider the risk of a payment to be low, the new authentication can be waived.

The trade association HDE criticises the exception lists. It warns that they will intensify the concentration on large shops and platforms such as Amazon. Consumers are more likely to list the shops where they shop frequently anyway and would buy even more frequently in these shops in the future due to the conditions.
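The low-value exemption and the exception list described above can be expressed as issuer-side decision logic. The following Python sketch is an added example, not part of the original article or of any bank's implementation; the class and function names are hypothetical, the thresholds are the figures quoted in the article, and it assumes that a required strong authentication succeeds and resets the counters. Transaction risk analysis is not modelled because the article gives no criteria for it.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Thresholds as quoted in the article.
LOW_VALUE_LIMIT = Decimal("30")     # exemption only for amounts under 30 euros
MAX_EXEMPT_PURCHASES = 5            # after five exempt purchases, SCA again
MAX_EXEMPT_TOTAL = Decimal("100")   # or once the exempt total exceeds 100 euros


@dataclass
class ExemptionState:
    """Per-customer counters since the last strong authentication (hypothetical)."""
    exempt_count: int = 0
    exempt_total: Decimal = Decimal("0")
    trusted_payees: set = field(default_factory=set)


def add_trusted_payee(state, payee, sca_passed):
    """Putting a shop on the exception list itself needs one strong authentication."""
    if not sca_passed:
        raise PermissionError("adding a trusted payee requires SCA")
    state.trusted_payees.add(payee)


def requires_sca(state, payee, amount):
    """Return (sca_required, reason) for one payment and update the counters."""
    amount = Decimal(str(amount))
    if payee in state.trusted_payees:
        return False, "trusted payee"
    reason = None
    if amount >= LOW_VALUE_LIMIT:
        reason = "amount not under 30 euros"
    elif state.exempt_count >= MAX_EXEMPT_PURCHASES:
        reason = "five purchases already made without SCA"
    elif state.exempt_total + amount > MAX_EXEMPT_TOTAL:
        reason = "exempt total would exceed 100 euros"
    if reason:
        # Assumption: the customer passes SCA, which resets both counters.
        state.exempt_count, state.exempt_total = 0, Decimal("0")
        return True, reason
    state.exempt_count += 1
    state.exempt_total += amount
    return False, "low-value exemption"
```

Both counters matter: a run of 10-euro purchases hits the count limit first, while a few purchases just under 30 euros hit the cumulative limit first.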

Source: ots