Latest feature in the area of consumer protection in payments via online stores: requirement for an additional element of user authentication

09/06/2019 / Press release

The latest feature in the area of consumer protection in payments via online stores will take effect on 14 September 2019. The providers of payment services will now have to perform customer authentication using at least two appropriate elements, and thus ensure secure payments via online stores by consumers. Because the majority of Slovenian service providers currently perform authentication using only one such element and the implementation of a new solution can be a complex process, the Bank of Slovenia has followed the example of other competent authorities of EU Member States and opted for a transition period. In setting the length of that transition period, the Bank of Slovenia will take into account the European Banking Authority’s guidelines, which are expected to be known by the end of the year.

New requirements in the area of consumer protection in payments have been governed since February 2018 by the Payment Services, Electronic Money Issuance Services and Payment Systems Act. The Commission delegated regulation, which applies directly in all EU Member States, lays down more detailed requirements in this area. The aforementioned regulation now stipulates user authentication using at least two elements, each of which must meet one of the following criteria and/or categories:

(a) user’s knowledge: something only the user knows;
(b) possession by the user: something only the user possesses; and
(c) inherent connection with the user: something the user is.

These criteria must be independent of one another, meaning that a breach of one element will not compromise the reliability of the others, while elements must also ensure the confidentiality of data that are verified.

The authentication of the majority of card payments made in online stores in Slovenia (and the wider EU) is currently performed based on the data printed on payment cards (card number, name and surname of the customer, validity and security code) and a one-time password received via text message by the user on a mobile device.

According to the opinion of the European Banking Authority from June of this year, such a method of authentication does not meet the requirements of the new regulation for two elements, as the data printed on a payment card do not meet any of the above-stated elements of strong customer authentication.

Due to the short period of time to adapt the solutions of payment service providers, the Bank of Slovenia has decided to exceptionally allow payment service providers with a registered office in Slovenia to implement the measures required to ensure strong customer authentication after 14 September, when the regulation in question actually enters into force, under certain conditions. The competent authorities of other EU Member States have also opted for similar flexibility.

The Bank of Slovenia is striving for a coordinated approach and a level playing field for all payment service providers in the EU. It will therefore take into account the European Banking Authority’s guidelines, which are expected to be known by the end of the year, in setting the length of that transition period.