Information for consumers regarding the strong customer authentication rule for e-commerce payment card transactions

As of January 2021, "strong customer authentication" has applied at pan-European and national level, in accordance with Directive (EU) 2015/2366 "on payment services in the internal market" (PSD 2) and Law 4537/2018 (Government Gazette A' 84). It is a mandatory procedure whenever a consumer carries out a card payment in an e-commerce environment.

The requirements for strong customer authentication are binding on all payment service providers (e.g. banks, payment institutions, electronic money institutions, etc.) and were set in order to achieve the highest possible security for customers in transactions made with payment cards (debit, credit and prepaid).

Therefore, HBA member-banks, following the rules of applicable law, reject transactions that do not meet the new security requirements. Rejected transactions are mainly due to e-merchants not having adapted their systems and/or payment card holders not having followed in time the instructions issued by their bank.

What is strong customer authentication?

Strong customer authentication is a new set of rules that changes the way consumers identify themselves when shopping in an e-commerce environment, so that they are better protected from fraud. More specifically, "strong customer authentication" refers to the process of authenticating the payment card holder by using two (2) or more elements relating to:

  • knowledge (something only the user knows), such as a secret code or the answer to a question that can be memorised;
  • possession (something only the user owns), such as an SMS OTP received on his mobile phone; and
  • inherence (a unique physical feature of the user), such as his fingerprint.

These elements are required, on the one hand, to be independent, in the sense that the breach of one does not jeopardise the reliability of the others, and, on the other hand, to be designed in such a way as to protect the confidentiality of the authentication data.

For example, the issuer of a payment card (e.g. a bank) can use one of several methods to verify a payment transaction, such as a One Time Password (OTP) sent via SMS/Viber text message combined with a code or codes that only the customer knows (e.g. web banking codes), a dedicated mobile application (for mobile phone or tablet), the customer's biometrics (e.g. fingerprint) in the bank's mobile banking app, etc.

HBA member-banks have made all the necessary changes so that their customers can be authenticated in a manner consistent with the new requirements of European and Greek legislation. For more information you may contact your bank or refer to the information posted on the banks' websites, the addresses of which are listed in the following table.