This is an additional layer of security that, in practice, will mean confirming the payment each time a purchase of more than 30 euros is made.
From February 1, card payments that exceed 30 euros will require double authentication; that is, the presence of two security measures to increase the protection of bank users and the operations themselves.
In reality, the measure should have been implemented on January 1, 2021 (the regulation came into effect in September 2019, in fact), but the deadlines were made more flexible to minimize problems as the sector was not fully prepared.
The measure, known as Strong Customer Authentication (SCA, for its acronym in English) will affect both face-to-face stores and online businesses and is included in the regulation on payment services for all of Europe, as explained on the Community of Madrid website.
The reinforced authentication includes “many of the banking operations that we carry out daily, such as access to our account on the internet, electronic payment, card payment in an establishment, as well as actions carried out from a remote channel and can pose a risk of payment fraud”.
Broadly speaking, what this protection does is add a second lock: an additional step when it comes to verifying that whoever uses a card really owns it. Similar protections are already used by several social networks and online services, which send a one-time code to the user’s phone after the user enters the correct password.
In this case there will be three “independent” elements: knowledge, possession and inherence. At least one of them must preserve the confidentiality of the rest, not be replicable, not be reusable and not be capable of being stolen online.
Thus, knowledge would be something that only the customer knows, such as a key, a code or the answer to a certain question. Possession, for its part, would refer to an object that the customer has (the most common would be a mobile phone), while inherence refers to something of the person himself, such as his fingerprint or his face in facial recognition systems.
In practice, this will mean that when making a payment of more than 30 euros, in addition to entering the password, we will be asked to complete one more step, which may be entering a code received on the phone. If the payment is not made by card but by mobile phone, the measure could be to request a fingerprint (this could be done by the phone itself, since it would combine the possession of the phone with the inherence).
In addition, double authentication could also be required for payments of less than 30 euros if they have already been made at least five times or if they have already exceeded 100 euros in purchases since the last time this additional step was requested.
However, there will be exceptions: periodic subscriptions (services such as Netflix, HBO or Spotify, for example), some contactless payments in establishments (where the limit will be 50 euros) and operations in which the payment was initiated by phone or email.
One of the most notable changes will be in the access to and use of payment accounts: when making transfers or payments with the account, an additional password could be requested in addition to the service's own password. The most normal thing would be to have to enter a code received on the mobile. The same will happen when making a purchase online or in person.
There will be a maximum of five attempts to apply Strong Authentication, which must also be ‘resolved’ within five minutes: this will be the maximum time to wait when entering the validation code sent to the phone.
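
The rules described above (the 30-euro threshold, the five-payment and 100-euro counters, the exemptions, and the five-attempt, five-minute limit on the code) can be sketched as follows. This is an added example, not code from any bank or from the regulation; the payment-kind labels and all class and function names are hypothetical, and it assumes that the counters restart after each challenge and that exempt payments do not count toward them.

```python
import hmac
from dataclasses import dataclass
from decimal import Decimal

LIMIT = Decimal("30")               # general threshold, euros
CONTACTLESS_LIMIT = Decimal("50")   # in-store contactless threshold, euros
MAX_COUNT = 5                       # unchallenged payments since last challenge
MAX_SPEND = Decimal("100")          # unchallenged spend since last challenge
EXEMPT = {"subscription", "phone_or_email"}  # hypothetical labels
MAX_ATTEMPTS = 5
TTL_SECONDS = 5 * 60

@dataclass
class CardState:
    count: int = 0
    spend: Decimal = Decimal("0")

def sca_required(state, amount, kind="online"):
    """Decide whether to challenge this payment; updates the counters."""
    amount = Decimal(str(amount))
    if kind in EXEMPT:
        return False  # assumption: exempt payments leave the counters alone
    limit = CONTACTLESS_LIMIT if kind == "contactless" else LIMIT
    if amount > limit or state.count >= MAX_COUNT or state.spend > MAX_SPEND:
        # assumption: the challenge succeeds, so the counters restart
        state.count, state.spend = 0, Decimal("0")
        return True
    state.count += 1
    state.spend += amount
    return False

@dataclass
class Challenge:
    code: str          # one-time code sent to the phone (constructed sample)
    issued_at: float   # seconds, caller-supplied clock
    attempts: int = 0
    used: bool = False

    def verify(self, submitted, now):
        """Accept the code once, within five attempts and five minutes."""
        expired = now - self.issued_at > TTL_SECONDS
        if self.used or expired or self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        # constant-time comparison avoids leaking how many digits matched
        ok = hmac.compare_digest(submitted.encode(), self.code.encode())
        self.used = ok
        return ok
```

Passing the clock value in as `now` keeps the expiry check deterministic; marking the code as used after one success is what makes it non-reusable.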