Online purchases: strong authentication required above 100 euros

Since Thursday, April 15, strong authentication has been required for all online payments over 100 euros. From May 15, it will be extended to all payments, regardless of amount. Merchants are concerned about the impact of this new standard on their sales. Find out what is changing and what you need to know when shopping.

A new standard that worries online retailers

The gradual rollout of strong authentication was decided as part of the second Payment Services Directive (PSD2). The timetable has been modified several times: the mandatory introduction of strong authentication, initially scheduled for September 2019, was postponed.

The threshold above which payments are subject to strong authentication is being lowered in stages. In October 2020, it was 2000 euros; it was then reduced to 1000 euros in January 2021, to 500 euros on February 15, 2021, and to 250 euros on March 15. Since April 15, it has been set at 100 euros, and the requirement should apply to all purchases, from the first euro, from May 15.

Online merchants are worried about a possible drop in sales, linked to a greater risk of payment failures. According to figures from Natixis Payments, the rate of successful authentication drops by 10 points with each change of standard.

Widespread use of strong authentication requires the entire payment chain to be updated: the buyer, but also the buyer's bank, the merchant's bank and the payment service provider. Every additional party that has to be updated multiplies the risk of authentication failure.

It is for this reason that the Banque de France has opted for a gradual roll-out, with a target of full compliance by mid-June. In addition, merchants can request exemptions from banks for certain customers, and these are widely granted.

What is strong authentication?

For several weeks now, only online payments over 250 euros have been subject to strong authentication.

This system, designed to enhance the security of Internet purchases, makes it possible to check that the person making the payment is indeed the cardholder. It is based on at least 2 of the following 3 elements:

  • Possession of a device by the buyer: smartphone, connected watch, smart card, etc.;
  • Information known only to the buyer: a secret code, a password, etc.;
  • Biometric data: fingerprint, facial or voice recognition, for example.

In concrete terms, to validate their payment, buyers are usually invited to connect to their bank's mobile application on their smartphone, by entering a code or using biometric data. The smartphone counts as the device in the buyer's possession, and the code or the biometric data supplies the second element, so 2 of the 3 criteria are met.

A one-time code sent by SMS to the buyer's smartphone is no longer considered sufficient by European banking authorities to combat fraud.