Mr. Hönisch, what exactly does PSD2, the new EU payment services directive, involve?
Matthias Hönisch: The new payment services directive sets out clear rules on European payments processing, particularly for banks and service providers, and lays down Europe-wide standards for online payments. It increases security and provides better protection for consumers. Thanks to the new directive, customers will be even better protected against fraud and abuse.
Can you explain what precisely will change on 14 September?
Hönisch: One of the changes is that access to a customer’s bank account is regulated across Europe, including for other services from third-party providers. Clear rules have been put in place. An account can be accessed only if the customer has given express prior consent. The third-party providers are now regulated by the national banking supervisory authority; in Germany, this is the Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) [German Federal Financial Supervisory Authority]. This means that customers have the option of permitting third-party providers to access certain details relating to their account. And it is the customer’s bank that decides whether the PIN and one-time passcode (OTP) can be entered on the bank’s website, on the third-party provider’s website or, for example, in the banking app.
What will this mean in practice?
Hönisch: When buying goods, the buyer orders a third-party provider to transfer the money from their bank account. Next, this third-party provider confirms to the merchant that the transfer has been made. The merchant can then dispatch the goods straight away. What is important is that the bank will not make the payment unless it has express consent from the customer. And without this consent, no third-party provider can access the account details either. Customers can manage the access rights using the online banking service of their local cooperative bank.
What are the new security standards for online payments?
Hönisch: There are new provisions on strong customer authentication. In other words, the bank has to know that the customer really is the customer and that the customer does actually want to transfer money. In future, you will have to use two independent sources of validation, known as two-factor authentication, when using online banking to transfer money or when shopping online with your credit card.
What do I need for this?
Hönisch: You will need to use not only your bank login details as before but also a further means of authentication as the second factor. This can be an automatically generated OTP or, for example, your biometric fingerprint. In the future, fingerprints are likely to be used more and more frequently for logging in, such as to the VR banking app, instead of an online PIN. This will make online banking even more convenient.
How will I still be able to easily shop online with my credit card in the future?
Hönisch: To be able to continue conveniently shopping online with your credit card while at home or out and about, you will have to use Mastercard Identity Check or Visa Secure. In this process, which is designed to make credit card payments in e-commerce even more secure, you will receive a notification on your mobile phone containing the transaction data from the VR-SecureCARD app or you will receive a text message containing the OTP. Although discussions are currently being held about the effective date of PSD2, these discussions relate only to the use of credit cards on the internet. And these changes will also come into force in the near future.