All online purchases may soon require strong identification

As of the end of the year, you will want to keep your means of strong identification close at hand. The transition period to the EU’s Second Payment Services Directive (PSD2) ends by January 2021, after which the requirement of strong customer authentication will apply to all electronic payments. This includes even small amounts and cases such as refuelling a car using a mobile app. The purpose of PSD2 is to improve payment security and consumer protection. 

Strong authentication will be required every time you pay online with a credit or debit card. This ensures that the service providers and the banks diligently adhere to high standards of information security.

“The security details printed on a payment card do not fulfil the criteria for strong authentication in online payments because the information can be copied. In Finland, strong authentication is most often done through the cardholder’s online bank service”, says Teija Kaarlela, head of e services, payments and banking regulation at Finance Finland (FFI).

Until now, online payments have required strong authentication often, but not every time. The approach has been similar to the PIN authentication in contactless payments, which is based on regular limits and intervals. Service providers have also differed in how often they require strong authentication.

“In the future, you will want to be ready for strong authentication with every transaction, so it’s useful to keep bank access handy”, Kaarlela comments.

With PSD2, printed security codes or one-time password lists will no longer qualify as strong identification by themselves because they can be copied too easily. Other authentication methods have already been implemented to make up for this change.

PSD2 entered into force in September 2019, but a transition period until January 2021 was granted for service providers who use online card payments.

What is strong customer authentication?

Strong customer authentication requires two out of the three following identification methods that work independently from one another.

  1. Something the customer knows (e.g. a password or PIN)
  2. Something the customer has (e.g. phone or hardware token)
  3. Something the customer is (e.g. fingerprint or face recognition)

Still have questions?


Contact FFI experts


Teija Kaarlela

Head of E-Services, Payments and Banking Regulation