The rise of e-commerce has brought with it its share of scams and frauds. And the digitization of a good number of transactions since the start of the health crisis has not helped the situation. While institutional players and consumer associations regularly call on users to be vigilant, new legislation intends to make payment on the Internet more secure.
The EU in action
This awareness of the financial challenges of online transactions is not new. The second European directive on payment services in the internal market, known as PSD2, aimed at regulating these modes of consumption, dates from November 25, 2015.
However, it was not until 2018 that it gradually entered into force in the Union. As some measures involve complex technical standards, additional adaptation periods have been granted to financial institutions. At the end of an extended transposition schedule, a change has been underway since the end of 2020: that of strong payment authentication.
The user manual
This measure aims to strengthen not only the security of Internet purchases, but also that of access to online accounts. It is at the identity verification stage that the legislator has stepped things up. Previously, it was common to be able to shop by simply entering your bank details in the secure area of the e-commerce site. Likewise, having your bank simply send a one-time code by SMS (the 3D Secure mechanism) to be entered on the merchant site is no longer sufficient.
The new standard now consists of verifying that you are the originator of the payment, or of the connection to your customer area, using at least two of the following three security elements: asking you for private information (password, secret code, secret question…), requiring the use of a private device (smartphone, smart card, connected watch…) and relying on a personal characteristic (fingerprint, facial recognition…).
While each bank offers its own system, in practice the process often involves validating your payment in the bank's mobile application, by logging in to it with your access code or your fingerprint.
The operations concerned
The generalization of strong payment authentication has been phased in over the past few months. Initially limited to transactions over 2,000 euros at the end of 2020, the mandatory threshold was then gradually lowered to 1,000 euros in January 2021, then to 500 and 250 euros, reaching 100 euros in mid-April. As of May 15, all other transactions must be subject to it, at the risk of being refused by the bank.
Because such verification would be cumbersome in everyday use, the legislator excluded certain transactions. This is particularly the case for small online purchases that do not exceed 30 euros, provided that you do not accumulate more than five consecutive purchases and that the total amount does not exceed 100 euros. Likewise, your recurring payments for the same amount and to the same beneficiary (such as rent) escape this security reinforcement.
The users’ puzzle
What should you do if you don’t want to install your bank’s mobile application? You will still have to use your smartphone to validate the payment on the bank's website using a one-time SMS code. What if the phone is too old? Some banks sell card readers that generate a one-time code when the bank card is inserted, so that you can carry out operations from your computer. Except that this solution is tedious and comes at a cost.
Unfortunately, as confirmed by the telephone information platform ABE-InfoServices, dedicated to the financial sector (34 14), the law does not provide for a free alternative. This forces those who shop online from a computer to complete their transactions via a mobile phone.