Online Commerce: Obligation to Two-Factor Authentication
On September 14, 2019, Germany introduced stricter standards for payment in online commerce as part of the implementation of an EU directive. For example, it will no longer be possible to pay "simply" by entering credit card details. Instead, customers must always identify themselves by another security factor in order to complete the payment process. The EU Commission is thus pursuing the goal of curbing fraud with stolen credit card and access data on the Internet. Possible factors for this so-called strong customer authentication (more commonly referred to as two-factor authentication) are
- something that only the user knows (e.g. a password)
- something that only the user has (for example, an SMS to a smartphone),or
- something that the user him-/herself is (for example, biometric evidence such as a scan of the fingerprint).
Two of these three factors must be met for each payment transaction. This means a lot of work for banks and payment service providers: they have to set up an additional authentication factor for the payment process and ask the customer about the desired type of identification. Who offers goods or services online must install software that queries the additional security factor during the payment process. In case of non-compliance, an unpleasant scenario may arise: if the bank or payment service provider have done their homework, the payment process fails and the online transaction is not completed. Then the golden rule on the Internet applies: "The competitor is just one click away".
10th October 2019