

Two-factor authentication for online payments

What has applied to online banking since 2019, and what BaFin initially postponed for credit card payments (we already reported here), must also be implemented for credit card and other online retail payments from January 2021: so-called two-factor authentication (also referred to as "Strong Customer Authentication" (SCA)).

For consumers, shopping on the Internet has become more complicated since the beginning of 2021. They now have to identify themselves a second time when paying by credit card. This so-called two-factor authentication is intended to make shopping on the Internet more secure by making fraud in online commerce more difficult. At the same time, it should make it possible to open up payment accounts to third parties, such as fintechs.

This type of identification is considered particularly secure. This is because potential attackers would not only have to steal or hack their victim's access data, they would also have to get hold of something physical such as the cell phone or credit card. What's more, the TANs are transaction-based - unlike the banks' TAN lists, which used to exist mostly on paper.

How was the new regulation implemented?

For credit cards:
The new regulation for consumer credit card payments is being implemented in different stages, probably in order to slowly accustom consumers to the innovation and to slowly increase the desired level of protection. For example, since January 15, 2021, payments with a credit card in online commerce require double proof of identity from EUR 250. From February 15, 2021, this regulation will then apply from EUR 150 and from March 15, 2021, even for payments from EUR 30.

According to the Payment Services Directive (PSD2), two-factor authentication requires two additional elements of identification in addition to the credit card number and check digit. Similar to online banking, identification by cell phone, possibly in conjunction with a special app, has become established. In this way, additional identification takes place via a knowledge element (access data) or an inherence element (e.g., fingerprint) as well as a possession element (cell phone).

For other payment options:
The new requirements apply not only to credit card payments, but also to payment methods such as PayPal. Here, two-factor authentication is performed by logging into the PayPal account using a password (knowledge element) and a security code sent by SMS to the cell phone (possession element).


Although these innovations will significantly increase security, payments will become more complicated not only for customers, but also for online merchants and payment service providers. It therefore remains to be seen how well the new requirements will be accepted.

Practical Tip

The new regulations primarily affect payment service providers. However, other e-commerce players, such as online stores, should be sure to check with their payment service providers whether the requirements are being met in order to be able to offer legally compliant payment options.


Johannes Schäufele


Dr. Tatjana Schroeder

Partner (Of Counsel)
