

PSD2 requires two-factor authentication, which they call strong customer authentication (SCA). However, there is a "delegated regulation" 2018/389, Article 10, which adds an exception that SCA is not required to view account information, specifically the account balance and transactions from the last 90 days. That article also has an exception to the exception stating:

> For the purpose of paragraph 1, payment service providers shall not be exempted from the application of strong customer authentication where either of the following conditions is met:
>
> (b) more than 90 days have elapsed since the last time the payment service user accessed online the information specified in paragraph 1(b) and strong customer authentication was applied.

As an example, for my bank, this means that the login to their online banking requires the second factor every 90 days. They even show a notification before the 90 days have expired so I can re-start the 90-day period early, which means that my account is always "activated". This does not seem to be very uncommon, at least in Germany.

In fact, I feel this lessens security because the ChipTAN device that is my second factor only shows a cryptic "start code", so I'm not sure if the action I'm authenticating is in fact a renewal of the 90-day period or something else. For example, when accessing transactions older than 90 days, I get the same "start code" prompt.

I would like to know how requiring SCA every 90 days improves security over not requiring SCA at all, at least for viewing account information.


The PSD2 defines what operations have higher risks and need a "strong customer authentication":

> Where payment service providers apply strong customer authentication in accordance with Article 97(1) of Directive (EU) 2015/2366, the authentication shall be based on two or more elements which are categorised as knowledge, possession and inherence and shall result in the generation of an authentication code.

To put it simply, "strong customer authentication" is a multi-factor authentication, 2FA or stronger.

Mainly, this "strong customer authentication" is applicable to payments:

> The requirements of strong customer authentication apply to

More security often means less friendliness and worse user experience. That is why

> exemptions to the principle of strong customer authentication have been defined based on the level of risk, amount, recurrence and the payment channel used for the execution of the payment transaction.

Try to travel to Afghanistan or Morocco and login to your account. You are using another channel that has a higher risk compared to access from your country. Why? Because the rule above was applied.

Briefly: risk estimation should take into account many different factors. For instance:

> Actions which imply access to the balance and the recent transactions of a payment account without disclosure of sensitive payment data, recurring payments to the same payees which have been previously set up or confirmed by the payer through the use of strong customer authentication, and payments to and from the same natural or legal person with accounts with the same payment service provider, pose a low level of risk, thus allowing payment service providers not to apply strong customer authentication.

This means that if you only login to your account and don't do any payments, your bank is not required to apply "strong customer authentication". Your bank uses this formal right not to do that. One of the factors for such a decision may be recurrence. Try to login 1000 times a day, even without doing any payments.

- If the bank is requiring 2FA every 90 days for login only, but requires it for every payment (see exceptions below, e.g. recurrent payments to the same receiver), then your bank seems to seek a balance between security and friendliness, and seems to be compliant with PSD2.
- If the bank requires 2FA once every 90 days also for payments, then this very probably violates the PSD2 requirements and does not improve security.
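The decision logic the answer describes (account-information views exempt until 90 days have passed since the last SCA, older history and payments not exempt, recurring payments to an already-confirmed payee exempt), as an added example that is not code from the page or from any bank. `CustomerSession`, the action names and the "no prior SCA means SCA required" default are assumptions of this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SCA_WINDOW = timedelta(days=90)  # the 90-day limit in Article 10 of Regulation 2018/389


@dataclass
class CustomerSession:
    """Per-customer state a bank would keep (hypothetical structure)."""
    last_sca_at: Optional[datetime]               # when SCA was last completed
    trusted_payees: set = field(default_factory=set)  # payees confirmed earlier under SCA


def sca_required(action: str, session: CustomerSession, now: datetime, **details) -> Tuple[bool, str]:
    """Return (sca_required, reason) for one customer action."""
    if action in ("view_balance", "view_transactions"):
        # History older than 90 days is outside the Article 10 exemption.
        if action == "view_transactions" and details.get("days_back", 0) > SCA_WINDOW.days:
            return True, "transactions older than 90 days are not exempt"
        # Never authenticated strongly: not exempt (conservative default, assumption).
        if session.last_sca_at is None:
            return True, "no prior SCA on record"
        # Article 10(2)(b): exemption lapses 90 days after the last SCA.
        if now - session.last_sca_at > SCA_WINDOW:
            return True, "more than 90 days since last SCA"
        return False, "account information exemption applies"
    if action == "payment":
        if details.get("recurring") and details.get("payee") in session.trusted_payees:
            return False, "recurring payment to a payee previously confirmed under SCA"
        return True, "payment initiation requires SCA"
    return True, f"unknown action {action!r} treated as high risk"


def record_sca(session: CustomerSession, now: datetime, payee: Optional[str] = None) -> None:
    """After a successful SCA: restart the 90-day window; for a payment, trust that payee."""
    session.last_sca_at = now
    if payee is not None:
        session.trusted_payees.add(payee)


def demo() -> dict:
    """Constructed scenario: SCA done 61 days ago (fresh) or 121 days ago (stale)."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    fresh = CustomerSession(now - timedelta(days=61), {"landlord"})
    stale = CustomerSession(now - timedelta(days=121))
    return {
        "balance_fresh": sca_required("view_balance", fresh, now)[0],
        "balance_stale": sca_required("view_balance", stale, now)[0],
        "old_history": sca_required("view_transactions", fresh, now, days_back=120)[0],
        "new_payee": sca_required("payment", fresh, now, payee="shop", recurring=False)[0],
        "recurring_trusted": sca_required("payment", fresh, now, payee="landlord", recurring=True)[0],
    }
```

The `old_history` case is the one the question describes: viewing transactions older than 90 days falls outside the exemption, so the same SCA prompt appears even though the 90-day window has not expired.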
