Strong customer authentication – about the new rules on electronic payments

Written by Johan Ragnar, lawyer at Synch, and John Lundberg, thesis intern

Strong customer authentication (SCA) means that a customer must verify his or her identity with two mutually independent factors when using electronic payment methods, for example when using a credit card. The rules, which are based on EU legislation, aim to increase the security of electronic payments and combat fraud. Generally speaking, the legislation does not introduce anything completely unheard of in Sweden. There are already several different two-factor authentication techniques in use, but this has now become a legal requirement.

As a starting point, the rules apply to all kinds of electronic payments. However, there are some exceptions provided for by law. Examples are contactless payments made at the point of sale for amounts under a certain threshold, and payment of parking fees at unattended parking meters. It is the payment service provider that decides which exceptions it will offer its customers as part of its service.

The new rules have already started to apply – but for the implementation in e-commerce the deadline has been extended until December 31st, 2020.

Providers of payment services are the ones responsible for compliance with the SCA rules. The SCA procedure must result in a unique code created for every transaction. This code shall be generated when two out of three factors in the categories i) knowledge, ii) possession or iii) inherence have been provided by the payment initiator. “Knowledge” means information that only the customer knows, such as a password. “Possession” relates to something the user has, for example a payment card. The category “inherence” is something the customer is, like a fingerprint or other biometric features. A combination of factors that is already widely used is a credit card and a PIN code. The card is something the payer has and the code something they know. However, when paying online, often only the card details are required, which means only one factor is provided. With the new laws in place, this will change. It will probably not come as a big shock for online-shopping Swedes, who are already accustomed to using Mobilt BankID.

The legislation also contains rules intended to make the SCA systems secure. For example, it should not be possible to manipulate the authentication code or for a third party to hijack the transaction. The security measures shall ensure the secrecy, authenticity and integrity of the payment. The payment service providers must also create a monitoring mechanism in order to find any unauthorised transactions, both across transactions as a whole and in single transactions. The security measures should be regularly evaluated and improved in order to uphold a high level of security.
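The two paragraphs above, two factors from different categories and a per-transaction code that cannot be manipulated, can be sketched as follows. This is an added example, not code from the article or from any payment provider; binding the code to payee and amount with an HMAC, and all function names and sample values, are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

CATEGORIES = {"knowledge", "possession", "inherence"}  # the article's three


def covered_categories(verified_factors):
    """Categories covered by factors the provider has already verified."""
    cats = {category for category, _ in verified_factors}
    if cats - CATEGORIES:
        raise ValueError(f"unknown category: {sorted(cats - CATEGORIES)}")
    return cats


def _mac(key, nonce, payee, amount_minor, currency):
    # JSON-encode the fields so a separator inside a payee name cannot
    # shift the boundary between fields.
    msg = json.dumps([nonce, payee, amount_minor, currency]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_auth_code(key, verified_factors, payee, amount_minor, currency):
    """Return (nonce, tag) for this transaction, or None if fewer than two
    categories are covered (two factors of one category count once)."""
    if len(covered_categories(verified_factors)) < 2:
        return None
    nonce = secrets.token_hex(16)  # fresh per transaction, so the code is unique
    return nonce, _mac(key, nonce, payee, amount_minor, currency)


def verify_auth_code(key, code, payee, amount_minor, currency):
    """Recompute the tag over the payment actually being executed."""
    nonce, tag = code
    expected = _mac(key, nonce, payee, amount_minor, currency)
    return hmac.compare_digest(tag, expected)


# Constructed sample data (hypothetical key, payees and amounts).
KEY = secrets.token_bytes(32)
CARD_DETAILS_ONLY = [("possession", "card number"), ("possession", "expiry date")]
CARD_AND_PIN = [("possession", "payment card"), ("knowledge", "PIN")]

if __name__ == "__main__":
    print(issue_auth_code(KEY, CARD_DETAILS_ONLY, "Shop AB", 49900, "SEK"))
    code = issue_auth_code(KEY, CARD_AND_PIN, "Shop AB", 49900, "SEK")
    print(verify_auth_code(KEY, code, "Shop AB", 49900, "SEK"))
    print(verify_auth_code(KEY, code, "Other AB", 49900, "SEK"))
```

Card details alone yield no code because both items fall in the possession category, while a code issued for one payee and amount fails verification if either is changed afterwards.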

For e-commerce, a review of payment procedures will be required even though it is the payment service providers who carry the main responsibility for compliance with the SCA rules. First, e-retailers must choose the SCA method that best fits their business, and secondly, they must technically adjust their platforms to the chosen method.

When it comes to choosing an SCA method, an e-retailer should look at what creates the leanest order process for its customers. The new rules create an extra step that the customer must take before an order is placed. A smooth payment method is an important component in the process of increasing sales. Many Swedes are today accustomed to using different types of SCA, such as Mobilt BankID, but e-commerce businesses must reflect upon possible improvements in their order procedure. An exception from SCA that can be of special interest for e-retailers is the possibility for customers to create a so-called “white list”. When the names of payment receivers are added to this list, transactions to them will not have to go through the SCA procedure.

When it comes to adjusting an e-commerce platform, it all depends on the platform's technical standards and on what requirements the chosen payment service provider has.

Even if the complete implementation of SCA procedures within e-commerce does not have to be finished before December 2020, the payment service providers that have yet to implement measures to comply with the new rules must submit a plan to the Swedish Financial Supervisory Authority on how this will be achieved. The deadline for the submission is December 31st, 2019. The plan should also include which exceptions from SCA the e-retailer plans to provide.
