As from 1 January 2021, e-commerce transactions with payment cards may be disrupted if the customer’s chosen merchant (for example, internet shop) does not use adequate security technological solutions – strong customer authentication. In such cases, payment service providers who are card issuers shall reject such payments to protect customers’ legitimate interests, even though such payments have been processed in the past.
The application of strong customer authentication for card payments is a requirement of the European Union (EU) and related regulatory technical standards of the Second Payment Services Directive (PSD2). In order to meet these requirements, payment service providers, including card issuers, and merchants from the EU (including EEA), should introduce solutions that improve payments security and ensure a higher level of customer protection.
From January 1, 2021 onwards, strong customer authentication, delivered by the means of Smart-ID, biometric or code calculator, will be mostly required for larger payments. Strong customer authentication will also be required according to certain security algorithms for lower-value payments, such as every five consecutive payments or if the total value of payments has reached €100.
Until now, strong customer authentication for e-commerce payments in the EU, was not required for each transaction because it was determined by service providers according to the risk analysis. The strong customer authentication approach will provide payment card holders and merchants with additional security, since the information printed on the payment card can be copied and used for fraudulent activities, including illegal transactions without the cardholder’s knowledge or consent.
In Latvia, the application of strong customer authentication in e-commerce has been ongoing for several years and customers have experience to use it, for example, when approving the purchase via Internet bank or mobile application. However, a number of merchants in other EU countries, where Latvian customers tend to shop, have still not implemented these solutions contrary to the law. In such cases, payment service providers – card issuers – shall refuse such uncompliant payments.
If customers use a payment card for requiring payments, the addition of the card will be subject to strong customer authentication at the first time of interaction and will not be mandatory for subsequent transactions.
We call on customers to address their payment service provider or card issuer for further clarification.