Tuesday, April 23 2024

SCA: EU’s new security standards for card, e-commerce payments

Rapid changes in the payments industry, the rise of e-commerce and the constant threat of fraud have led the European Union (EU) to update its Payment Services Directive (PSD), which has regulated the electronic payment services industry since 2007. The EU’s new PSD2 directive (2015/2366/EU) has gone into effect as of September 14, 2019. One of the most relevant changes relates to the security of electronic payment transactions, both through e-banking sites and online stores.

What is Strong Customer Authentication?

Effective Sept. 14, 2019, users must confirm their identity through strong customer authentication during a transaction. Authentication combines two or more factors drawn from the categories of knowledge (something only the user knows, such as a password or PIN), possession (something only the user possesses, such as a mobile device or app) and inherence (something the user is, such as a fingerprint, facial scan or other biometric feature). The authentication factors must be mutually independent so that the breach of one does not compromise the reliability of the others.

The Hellenic Bank Association (HBA) announced the changes on Saturday, saying that the new security requirements apply to the following types of transactions:

– Contactless card payments at POS terminals. The cardholder will be required to use a PIN to complete a contactless transaction when it exceeds a certain amount.

– Individual payments in an e-commerce environment. The card issuer (bank, electronic money institution, etc.) will be required to provide strong identification of the cardholder and his transaction.

Combined security factors such as fingerprints, e-banking codes, card PINs, passwords, unique one-time SMS-based codes, push notifications on the mobile phone, etc. should be used to achieve robust identification.

The Hellenic Bank Association (HBA) says it has already taken the necessary steps to promptly respond to the new mandatory regulations.

Bank customers have received or will receive detailed briefing and further information from banks.

The Piraeus Chamber of Commerce & Industry also released some additional explanatory guidelines:

1. What does strong customer identification mean?
SCA is a verification process that certifies the cardholder by means such as a piece of information that only the user knows, an authentication code generator, or the use of a fingerprint.

2. What about e-commerce internet shopping?
SCA during the purchase will be achieved through web or mobile banking codes, which are something the customer knows, and extra PINs sent by SMS or push notifications, which are something sent to the customer. Purchases in online stores within Europe with bank cards, be they debit, credit or prepaid, will require web banking codes and a mobile phone registered with the bank to receive extra PINs.

3. How does an e-commerce card transaction take place with strong identification?
SCA applies to online card transactions in EU countries. At the time of payment and after entering the card details, you will be asked to identify yourself with: a) the user codes you use to log in to the bank’s web banking page and b) a unique password, sent to your registered mobile phone as an extra PIN by SMS or as a push notification.

4. Does SCA apply to all bank cards?
The robust identification process applies to all credit, debit, and rechargeable prepaid cards.

5. Does SCA apply to electronic card transactions to countries outside the EU?
No, it applies to card transactions at online stores located in EU countries.

6. Can I make an e-commerce card purchase without SCA?
Online transactions of up to 30 euros each will not require strong identification as long as the total of such purchases stays within 100 euros, beyond which SCA applies.

7. Are there any changes in contactless card transactions after September 14?
There will be a cumulative limit of 150 euros on contactless transactions made without a PIN. Once the limit is reached, the PIN will have to be entered at the POS terminal, even if the transaction is for less than 25 euros. Each time you make any type of transaction using a PIN, the running total counted against the 150 euro limit is reset to zero.

8. So the EUR 25 threshold is no longer valid? How much can I do without a PIN?
The EUR 25 limit for each contactless transaction shall continue to apply. For transactions up to 25 euros, you do not need to enter your PIN. You will need to enter it as soon as the total amount of contactless transactions, without a PIN, exceeds 150 euros cumulatively.

9. Why does the EUR 150 limit apply to the total amount of card transactions without a PIN?

This threshold has been set under the new PSD2 and there is no exception. The directive is intended to make payments safer, simpler and more efficient. It modernizes payment services in Europe for the benefit of both consumers and businesses. If you regularly use your card with your PIN, such as for cash withdrawals, ATM balance inquiries or purchases over 25 euros, then you may not need to enter your PIN in transactions below 25 euros.

10. Does the EUR 150 limit on contactless transactions, without a PIN, apply to card transactions both within and outside the EU?
It is valid for successive contactless card transactions only in countries within the European Economic Area (EEA), which are the member states of the European Union and Norway, Liechtenstein and Iceland.

11. If the EUR 150 limit for contactless transactions is reached without a PIN and I perform a non-EU contactless transaction, what will happen?
Your contactless card transaction outside the EU will be executed as it has been thus far, without being affected by this directive. The cumulative threshold of EUR 150 does not apply to transactions outside the European Union.

12. Is the EUR 150 limit in contactless card transactions reset to zero with each transaction using a PIN?
Yes, any transaction using a PIN in EU countries, at a merchant or an ATM, resets the threshold.

13. Is the cumulative limit of EUR 150 on contactless card transactions limited by time?
It has no time limit. Any card transaction with a PIN resets it, at any time.

14. I have an additional credit card. Will I have a common limit with the primary card for the amount of transactions without a PIN?
No, each card has its own limit.
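
The contactless rules in items 7 to 14 amount to a small per-card counter. The sketch below is an added example, not code from the HBA, the Chamber or any bank. The names `Card` and `replay`, the country subset in `EEA`, the reading that a PIN is demanded when a tap would push the running total above EUR 150, and the assumption that a demanded PIN is entered successfully are all assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Thresholds as stated in the FAQ above.
PER_TX_LIMIT = Decimal("25")       # single contactless payment without a PIN
CUMULATIVE_LIMIT = Decimal("150")  # running total of PIN-less contactless payments

# EEA = EU member states plus Norway, Liechtenstein and Iceland (item 10).
# Constructed subset of country codes, enough for the sample runs.
EEA = {"GR", "DE", "FR", "IT", "ES", "CY", "NO", "LI", "IS"}


@dataclass
class Card:
    """One counter per card: an additional card has its own (item 14)."""
    no_pin_total: Decimal = Decimal("0")

    def pin_transaction(self, country: str) -> None:
        """Chip-and-PIN purchase or ATM use; resets the counter (item 12)."""
        if country in EEA:
            self.no_pin_total = Decimal("0")

    def contactless(self, amount: str, country: str) -> str:
        """Return 'NO_PIN', 'PIN_REQUIRED' or 'OUT_OF_SCOPE' for one tap."""
        amt = Decimal(amount)
        if country not in EEA:
            # Item 11: the counter is neither checked nor updated.
            return "OUT_OF_SCOPE"
        over_single = amt > PER_TX_LIMIT
        over_total = self.no_pin_total + amt > CUMULATIVE_LIMIT
        if over_single or over_total:
            # Assumption: the cardholder enters the PIN, which resets the
            # counter; there is no time-based reset (item 13).
            self.pin_transaction(country)
            return "PIN_REQUIRED"
        self.no_pin_total += amt
        return "NO_PIN"


def replay(events):
    """Run constructed (amount, country) taps through one fresh card."""
    card = Card()
    return [card.contactless(amount, country) for amount, country in events]
```
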

sources: amna, securityintelligence

PS “Combined security factors such as fingerprints, e-banking codes, cards PIN, password…” What? Do we have to enter our very private security data to unknown networks or have I got the new security system for cards and online payments wrong?



  1. christ, just use cash already, enough of this bankers nonsense!

    • no matter how many security procedures there are, there’s always someone who will figure out a way to defeat them, and don’t forget, you’ll have to get the cash from a bank…