From 14 September 2019, electronic payment transactions will have to be executed with strong authentication protocols or under the application of an exemption (Regulation (EU) 2018/389).
It will be necessary to use two or more elements categorised as knowledge (something known only to the user), possession (something possessed only by the user) and inherence (something that the user is). The combination of card number together with the CCV and the expiry date of the card cannot be deemed an element of reliable knowledge and possession.
Payment service providers and retailers are working on an action plan for the full adoption of strong authentication factors as a measure to minimise the potential impact of this situation, without compromising payment security.
- Deploying the technological solutions that will enable the right balance between security in remote card payments (strong authentication) and the need for user-friendliness and accessibility of payments (exemptions) in the field of e-commerce.
- Adapting the time periods needed by the various stakeholders, including businesses, to adapt their platforms to the new requirements with a minimum impact on the user experience.
This will enable the continuity of these payments in an e-commerce environment where the level of security is very high, as shown by the fraud ratios.
Other useful information
Bank of Spain: Action plan for applying strong authentication on card payments in e-commerce
Bank of Spain: Briefing note on the time frame and procedure for completing the migration to the strong customer authentication (SCA) application in card-based e-commerce payments
EBA: EBA opinion on strong customer authentication (SCA) elements
EBA: EBA opinion on the time frame and procedure for completing migration to SCA in card-based e-commerce payments