Strong Customer Authentication - FAQs
Q1: During the last months I have noticed changes in the approval process of my transactions, when I use my payment card for purchases from e-commerce companies in Greece and abroad. Why is this happening?
As of January 2021, the "Strong Customer Authentication" process was launched at a pan-European and national level. This is a mandatory process in order to protect the consumer when he/she carries out a card-based payment transaction with an e-commerce company in Greece or within the Single Economic Area (i.e. an trader-commerce company operating in a Member-State of the European Union, Norway, Iceland and Liechtenstein). As of 1st January 2021, the Single Economic Area does not include the United Kingdom, whose e-commerce companies are treated as third-country ones (such as, but not limited to, e-commerce companies in the USA, Australia, China, etc.)
Q2: What is the Strong Customer Authentication?
Strong Customer Authentication is a new set of rules that change the way consumers authenticate themselves, when shopping in an e-commerce environment, in order to be further protected from fraud. More specifically, “Strong Customer Authentication” refers to the process of authenticating the payment card holder by using two (2) or more elements relating to:
- knowledge and information (something only the user knows), such as a secret passcode or the answer to a question that can be memorized;
- possession (something only the user possesses), such as a SMS One Time Password (OTP) received or his mobile phone, and
- inherence (something the user is), such as his/her fingerprint
Said elements are required, on one hand, to be independent, in the sense that the breach of one does not compromise the reliability of the others, and, on the other hand, to be designed in such a way as to protect the confidentiality of the authentication data.
For example, the issuer (e.g. bank) of a payment card can use one of several ways to verify the execution of a payment transaction, such as an OTP via SMS/Viber text message in conjunction with passcode/codes that only the customer knows (e.g. web banking passcodes), a special mobile application (for mobile phone, tablet), the use of biometrics (e.g. fingerprint) of the customer in the bank's mobile banking, etc.
Q3: Is this the reason that some of my transactions are being rejected?
Yes, that is the most likely reason to reject your transaction, but not the only one. For example, another reason for rejection may be the lack of sufficient payment account balance to carry out the transaction. Transactions are rejected by the card issuer (i.e. the bank) either (a) due to a lack of adaptation of the e-commerce company and/or (b) due to the non-adoption of the instructions given to the client user.
Q4: Is there a specific amount limit beyond which my strong authentication applies?
Strong Customer Authentication applies to each card transaction in an e-commerce environment which exceeds the amount of 30 euros.
Transactions of less than 30 euros may be carried out without the process of Strong Customer Authentication with a cumulative limit of 100 euros or five (5) consecutive transactions of less than 30 euros, regardless of whether such cumulative or consecutive transactions take place in a single day or during more days.
Example 1: Book purchase transaction, from an online bookstore, amounting to 45 euros: Strong Customer Authentication of the cardholder is required.
Example 2: Electronic transactions with a food store, amounting to 25, 28, 29 and 19 euros: Strong Customer Authentication of the cardholder is not required for the first three transactions (of 25, 28 and 29 euros). The 4th transaction (of 19 euros) is feasible only with Strong Customer Authentication.
Example 3: Consecutive transactions for coffee purchase amounting to 3, 5, 4, 3, 2 and 4 euros: Strong Customer Authentication of the cardholder is not required for the first five transactions (of 3, 5, 4, 3, and 2 euros). The 6th transaction (of 4 euros) may be carried out only with Strong Customer Authentication.
Q5: I do not wish to change anything in relation to what I was doing up to now for approving an e-commerce card-based payment transaction. Who imposes these new rules and why?
The implementation of the new rules for Strong Customer Authentication is legally mandatory for issuers of debit, credit and prepaid cards operating in the European Union. These rules have been approved by the governments of the European Union Member-States and the European Parliament while they have been specialized by the European Commission. The main aim of this legislation is to further reduce fraud in an e-commerce environment and, consequently, to strengthen the confidence of the European consumer.
Q6: Is it possible to learn more information quickly and easily from the bank who issued my card?
Certainly. Critical information for consumers is available on banks’ websites:
