You have probably noticed it in the last few days if you have tried to access your bank through your mobile phone and have encountered a step that you did not need before. These are the effects of the new European payment services regulation whose hieroglyphic name, PSD2 , hides the objectives of improving the security of payments through the internet, strengthening user protection and reducing fraud. It officially entered into force on September 14 and since that day it has been applied without problems from the banks, which apply a double authentication to access their online applications.

However, the changes also affect digital commerce companies and, where appropriate, the situation is not so easy. This was stated yesterday by José Luis Zimmerman , director of the Spanish Association of the Digital Economy ( Adigital ), who said that the application of the new rules will cause a drop of between 20% and 25% in the sales of the sector , "Especially in the first months, until the client gets used to the new operation. Then the impact will be moderated," he explained at the informative breakfast Reinforcing the security of digital payments organized by Visa.

The situation is complex. According to his analysis, the e-commerce sector in Spain needs "a lot of preparation yet", due to the large number of small and medium enterprises. "Large businesses have a higher level of knowledge and preparation," but SMEs will have to make a high effort to remain competitive at European and global level. In his opinion, legislators and supervisors have drawn up "a scenario of guarantee for the consumer that significantly harms small businesses and the European competitiveness scenario."

Aware of the situation, the national and European supervisors agreed to establish a moratorium for the application of the standard in the field of digital commerce and now the actors involved wait with expectation to know the term of the moratorium. Pilar Clavería , advisor of Payments, Operations and Procedures of the Spanish Banking Association, said yesterday during the meeting that they expect the deadline to range between 12 and 18 months. Meanwhile, the authorities will show "supervisory flexibility" until the industry is ready.

In the case of the entities, Clavería assured that the banks are applying reinforced authentication or SCA since September 14, although each one does so in the way it considers most appropriate and less harmful to the user experience. The head of the AEB agreed with Zimmerman that "in e-commerce , being a very complex ecosystem, it was detected that not all parts were aligned to apply the procedures from day one."

The directive once again places consumer protection at the center of its objectives, but how does it affect them? These are some of the key questions about the new directive.

What is the PSD2?

This is the new European regulation of payment services, which updates a previous regulation (PSD) of 2007, in order to launch a single payment market in the European Union. This second version aims to strengthen the security of the use of payment systems through the internet, strengthen user protection against fraud and abuse and improve the user experience in interactions with banks and businesses.

When does it take effect?

He did it officially on September 14 and the banks are applying it since that date. However, companies that have a digital sales service are having delays in adaptation and for them a moratorium has been established whose duration is yet to be defined. The sector estimates consider a period of between 12 and 18 months.

What is the SCA or 'Enhanced Authentication'?

It is one of the keys within the PSD2. It is a system of reinforced authentication ( Strong Customer Authentication ) to verify that the holder of the account or card is the one who makes the payment. For the moment, it affects access to online banking, but in the future - once the moratorium ends - it will also do so for electronic payments.

How to access the online bank from now on?

Until now a user and a password or, instead, some kind of biometric information such as fingerprint or iris recognition were enough.

With the PSD2, payment service providers will have to verify the identity of their customers with at least two security elements among the three possible options, as explained by Andrea Fiorentino, director of Visa Products and Solutions for southern Europe . As a consumer, you must show the provider something you know (for example, a PIN code), something you have (for example, a payment card) or something that you are (for example, through fingerprint or facial recognition) .

Are there any exceptions where no extra authentication proof is requested?

Yes. As explained from Visa, these obligations will not apply to initiated transactions, agreed payments, subscriptions, installment payments or charges for cancellations or delays. In addition to mail orders or telephone payments.

Nor will they be applied in the payments that SCA applies but the consumer does not have to provide extra authentication for the payment.

How does the purchase operation change online or mobile?

From Gaona Abogados give some clues in this regard. "When the time of payment of the chosen product arrives, some websites will no longer refer us to a payment platform where we will enter the data of our card, but we will pay at the same store in which we have selected the product." In addition, "it will be absolutely essential to have a mobile phone to pay online. Before we entered our card information and the code that came to us through SMS or, the coordinate card number. Now the process will be simpler and faster, because now We will not have to enter our card number in each online payment we make, but it will be enough with our identification by DNI or mobile phone and subsequent confirmation through an SMS code, or, accepting a notification received in the App of the bank or through fingerprint or iris recognition. "

The bank will authorize trusted third parties to use the data to execute the payment through the client's bank account, provided that the latter has previously authorized their bank details to be shared.

Is our mobile phone so important?

It becomes a fundamental element. Customers need one to access online banking through a computer or tablet, since they must provide the entity with their contact number in order to operate online.

Do the coordinate cards disappear?

That at least is the objective of the European Banking Authority (EBA), which considers that they do not count as a security element and do not comply with the SCA, that is, they do not allow the identity of the client to be verified.

In the case of online banking operations, the coordinates have been replaced by codes sent by text message or by notifications via the app, as explained by HelpMyCash.

What about the contacless payment?

There are slight changes. Purchases paid by card in physical stores must be validated as before, what changes with the PSD2 are the limits on payments. Purchases for less than 20 euros can be paid without entering the pin code, as long as no more than five operations have been carried out without validation or no more than 150 euros have been accumulated in consecutive purchases without a pin. Once these limits are exceeded, the code must be entered in the next purchase.


The new directive provides greater protection for consumers in case of fraud. If they suffer an unauthorized payment, their liability is limited to 50 euros, compared to the 150 established so far. From that amount, the provider will have to take care of the amount defrauded.

According to the criteria of The Trust Project

Know more

  • savings and consumption

Savings The best short-term deposits to avoid tying with the bank

P&R Draghi's farewell: threat to the saver and oxygen for the mortgaged

Courts Santander must compensate for the purchase of shares of the Popular