e-Commerce: Two-factor authentication mandatory as of 14 September 2019
As of September 14, secure authentication will be mandatory for all e-commerce in the EU. This is when the new European Payment Services Directive PSD2 comes into force. What are the implications for Swiss providers?
PSD2 has the same scope as the GDPR
The PSD2 (Payment Services Directive 2) comes into force on 14 September 2019. Its scope for online trading will be comparable to that of the General Data Protection Regulation (GDPR). The reason for this is the requirement for secure customer authentication.
What does "strong customer authentication" mean?
Strong Customer Authentication (SCA) means that two separate factors are required, each from a different one of the following three categories:
- Something the customer knows (e.g. password, PIN or secret question)
- Something the customer owns (e.g. smartphone, token or badge)
- Something the customer is (e.g. fingerprint, iris scan or face recognition)
What does this mean for Switzerland?
Switzerland does not have to implement PSD2 in principle, as it is not a member of the EU. E-commerce companies selling to the EU, on the other hand, must (as is the case with the GDPR) comply with the relevant EU legislation.
It can also be assumed that (again, as in the case of the GDPR) Switzerland will voluntarily adapt its laws to those of the EU. This means that even those merchants that do not sell directly to the EU will sooner or later have to deal with two-factor authentication. The good news is that, as a rule, payment service providers (e.g. PayPal or Datatrans) will take care of two-factor authentication. The e-commerce provider, in turn, has to ensure that the payment provider he chooses is one that offers 2FA and that it is integrated as smoothly as possible into his existing payment procedure.
With Ergon's Identity and Access Management Suite (Airlock IAM), aspectra offers a variety of two-factor authentication options.