End of the grace period: Stricter rules for paying by credit card


When paying by credit card on the Internet, consumers have to get used to stricter security regulations, even for smaller amounts. From this Monday (March 15th) onwards, the obligation for so-called two-factor authentication also applies to amounts up to 150 euros. This means that customers usually have to prove in two separate ways that they are the legal owner of the payment card.

The requirements for credit cards are particularly strict because the number and check digit of these cards can be obtained by others relatively easily, for example when the card is used in a restaurant. That is why possessing a credit card is not enough. According to the new rules, consumers need two additional security factors for credit card payments when shopping online: for example, a password and a transaction number (TAN). This is intended to prevent misuse of the cards even more effectively.

The implementation differs slightly depending on the card-issuing bank: some customers receive the one-time TAN for approving the online payment via SMS to a telephone number registered in advance with the bank. Other banks have the purchase confirmed via a special app by entering a PIN or taking a photo of a barcode. Biometric methods such as fingerprints or facial recognition for approving a payment with two factors are also technically possible.

Strictly speaking, the obligation to use “strong customer authentication” under the new EU rules (“Payment Services Directive” / “PSD2”) has been in effect for every payment in online banking and when shopping on the Internet since September 14, 2019.

But because some merchants had problems implementing the plan, the financial supervisory authority BaFin initially granted a postponement until the end of 2020. Shortly before Christmas, the authority announced that the January 1, 2021 start date could not be met. Instead, a tiered model applied: since January 15, 2021, payments of EUR 250 or more must be approved with two independent factors, and since February 15, “two-factor authentication” has been in effect from EUR 150. The stricter security regulations for online payment by credit card are now fully effective from March 15th.

Whether consumers actually have to approve each purchase on the Internet with additional entries depends on the bank that issued the payment card. For example, if a customer buys more often from the same online shop, a financial institution could forgo having the payment approved there with two factors each time. The two-stage process of strong customer authentication could also be dispensed with for payments under 30 euros.

