More security in ecommerce through multi-factor authentication

by Kristof Maletzke, 06.08.19

On 14 September, new regulations of the EU directive PSD2 will come into force that will introduce permanent changes to online shopping. The regulation will start enforcing multi-factor authentication. That means, instead of only entering for instance a password when buying in an online shop, customers will often have to authenticate themselves in another way – for example via SMS.

Security in ecommerce remains an important topic for customers as well as merchants. Many customers fear identity theft and misuse of their payment information. This topic is also relevant for shop owners, because payment defaults caused by fraudsters are very unpleasant. By introducing the Payment Services Directive 2, also known as PSD2, the EU aims to prevent such scenarios.

What is the PSD2?

From 14 September, payment service providers in the EU will be obliged to implement new requirements. The PSD2 has various aspects, among which multi-factor authentication (MFA) is particularly relevant for online merchants.

What does multi-factor authentication mean?

Up until now, customers have been able to pay online, for instance, just using their password. Multi-factor authentication, on the other hand, requires customers to use a combination of at least two independent authentication methods when shopping online. So, there might be another step in the payment process.

For example, a password must be combined with a physical object such as a smartphone. In order to pay, the customer then enters, in addition to his password, a code that is sent to him via SMS. This verifies the identity of the buyer. If a hacker captures a customer’s password, he will not be able to execute an order with the password alone.

The authentication factors must come from two of these areas:

  • Something the customer knows – such as a password, a PIN or the answer to a security question (“What was the name of your first pet?”).
  • Something in the customer’s possession – such as a chip card or a particular smartphone.
  • Something inherent to the customer – such as his fingerprint or voice.

Whether multi-factor authentication is required for an online purchase depends on several factors. For example, it is not required if the order value does not exceed EUR 30, or if a payment company considers the risk to be low based on available data.
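As an added illustration (example code, not from ePages or the article), the following Python model captures the two rules described above: a payment only counts as multi-factor when the methods come from at least two different categories, and the low-value and low-risk exemptions. The method names and their category mapping are assumptions made for the example.

```python
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows
    POSSESSION = "possession"  # something the customer has
    INHERENCE = "inherence"    # something inherent to the customer


# Assumed mapping of concrete authentication methods to the three categories.
METHOD_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "security_question": Factor.KNOWLEDGE,
    "sms_code": Factor.POSSESSION,   # code delivered to a registered phone
    "chip_card": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}

LOW_VALUE_LIMIT_EUR = 30.00  # threshold named in the article


def is_multi_factor(methods):
    """True only if the methods span at least two independent categories.

    Password plus PIN is NOT multi-factor: both are knowledge factors.
    """
    categories = set()
    for method in methods:
        if method not in METHOD_CATEGORY:
            raise ValueError(f"unknown authentication method: {method}")
        categories.add(METHOD_CATEGORY[method])
    return len(categories) >= 2


def sca_required(amount_eur, low_risk):
    """Apply the two exemptions the article mentions: low value or low risk."""
    if amount_eur <= LOW_VALUE_LIMIT_EUR:
        return False
    if low_risk:
        return False
    return True


def checkout_allowed(amount_eur, low_risk, methods):
    """Allow the order if no strong authentication is needed, or if it was met."""
    if not sca_required(amount_eur, low_risk):
        return True
    return is_multi_factor(methods)
```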

What do ePages merchants need to know?

The good news is that you don’t have to take any action in your shop. The payment service providers are responsible for complying with the changes. They have to ensure that the requirements are implemented by the deadline set by the European Union. For payment methods that are directly embedded in the ePages shops, such as Amazon Pay, we will take the necessary measures from the shop side by 14 September.

Nevertheless, merchants are advised to contact the payment service providers they offer and ask them how they have implemented the necessary changes to comply with the PSD2.

What will change for shop customers?

For your customers, the PSD2 means that in certain cases another precautionary measure can be added to the ordering process in your shop. As this rule applies to every European online store, customers will most likely quickly get used to it.

Note: This article contains initial legal information but makes no claim to completeness and accuracy. Under no circumstances can it replace legal advice in individual cases.

About the author

Kristof Maletzke is Communications Manager at ePages.
