How authentic are your banking transactions?


We are not teaching you anything new if we tell you that purchases and payments on the Internet have gradually increased. This has led to the adoption of a significant number of rules in recent years to ensure the security of these transactions and to avoid any possible risk of fraud.

Since September, noteworthy among the electronic payment protection measures established by the current regulation has been the obligation to require users to have Strong Customer Authentication (SCA).

What is strong authentication? Until now, when you made an Internet purchase, in most cases it was enough to give the card number, expiration date and the CVV (the security code on the back). However, these items are no longer sufficient in terms of security.

Authentication serves to verify the identity of the user who is making a payment. In other words, this protocol is intended to verify that the person who pays is who he or she claims to be. Strong authentication also requires that at least two different data are used in the payment to prove identity in order to reduce the risk of fraud. These data are called authentication factors, they must be mutually independent and can consist of

  • something the customer knows (knowledge factors), e.g.: a password or PIN.
  • something the customer possesses (possession factors), e.g.: a mobile device or token, mobile phone notification (OTP), etc.
  • something the customer is (inherence factors), e.g.: fingerprint, iris recognition, etc.

Strong authentication will mainly affect:

  • e-commerce payments,
  • electronic payments with your card,
  • actions by a remote channel that involves a risk (for example, logging in to certain apps or websites where you store certain sensitive information, or transactions that you can perform through your bank's app or website). 

However, the implementation of the strong authentication mechanism is not simple, as it entails major changes for the players involved (consumers, e-commerce, institutions). Thus, a period has been established at European level, until 31 December 2020Abre en ventana nueva, for payment service providers to adopt the necessary technology.

Following Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015, better known as PSD2, and Commission Delegated Regulation (EU) 2018/389 of 27 November 2017, Royal Decree-Law 19/2018 of 23 November on payment services and other urgent financial measures was approved in Spain, repealing Law 16/2009 on payment services. These rules constitute the new regulatory framework for payment services and their main objectives are to improve the security of their use on the Internet, to strengthen consumer protection against fraud and to promote innovation in mobile and Internet payment services.

Did you find this information useful?