Consumer protection in online shopping: Transitional period until the end of the year for the requirement to add an additional element of user authentication

The latest feature in consumer protection in payments via online stores took effect in mid-September 2019. Providers of payment services now have to perform user authentication using at least two suitable elements, thereby ensuring that the consumer is able to make secure online shopping payments. As most Slovenian providers of payment services currently perform authentication using only one such element (one-time password received via text message), implementation of the new solution could be a complex process. The Bank of Slovenia has therefore followed the example of other competent authorities in EU Member States and opted for a transition period. This will last until the end of next year.

As we have already reported, the new requirements in the area of consumer protection in online payments have been governed since February last year by the Payment Services, Electronic Money Issuance Services and Payment Systems Act. The Commission Regulation (EU), which is directly applied in all EU Member States, lays down the requirements in more detail.

This regulation now stipulates user authentication using at least two elements, each of which must satisfy one of the following criteria and/or categories:

a) user’s knowledge: something only the user knows;

b) possession by the user: something only the user possesses;

c) inherent connection with the user: something the user is.

These criteria must be independent of one another, meaning that a breach of one element will not compromise the reliability of the others, while security elements must also ensure the confidentiality of the data that is being verified.

“At the Bank of Slovenia, we are aware that providers of payment services need sufficient time to adjust to the new requirements. We are also working to ensure that conditions of competition are identical to those that other service providers in the EU have. We have therefore decided to offer service providers established in Slovenia a transition period in which to take the necessary steps to provide customers with a strong authentication system. The transition period will last until 31 December 2020,”  explained the bank.

This follows the opinion issued by the European Banking Authority in mid-October, which gave that date as the final deadline by which providers of payment services had to put in place a strong user authentication system for online card payments that complied with the requirements of the RTS.