PSD2: stronger authentication

Greater security in your online purchases with a card

Stronger authentication further increases the protection of online card payments, as it confirms the person's identity in 2 steps: firstly, by accessing the website or app using a password or biometrics, and secondly, by entering a code sent to your cell phone.

What is Strong Authentication Tool (PSD2)?

The PSD2 Directive (Payment Services Directive), or European Directive on Digital Payment Services, aims to increase the security of digital transactions whose payment method is the card.

Strong authentication (Strong Customer Authentication - SCA) is part of this European regulation and it consists of increasing the security of a transaction by confirming that the person making an online payment is indeed the owner of the card being used. 

To do this, 2 factors belonging to one of these categories must be used:

  • Something that only the person knows, for example, their password to access their bank's website or app.
  • Something that only the person has, for example, a numerical code received through an email, an SMS message or a notification on their cell phone.
  • Something that only the person is, for example, their biometric patterns (fingerprint, facial features or iris). 

Where and when is it used?

The PSD2 Directive only applies to card purchases in online stores within the European Economic Area. Therefore, purchases made in countries such as the United States, China, Mexico, etc. they will not require strong authentication to be confirmed.

When including a card as a means of payment in subscription services such as Netflix, Spotify, Amazon Prime, etc., strong authentication will also be requested, even if no payment is made at that time (the transaction amount will be €0).

How does it work for BBVA's digital customers?

If you are a BBVA customer and you have already registered for digital channels, you will have 7 minutes to carry out the authorization process:

  • When you start paying for a purchase by card in an e-commerce store, you must enter the card details (full name of the account holder, card number, expiry date and CVV). 
  • Next, a screen will appear with a message indicating that you must access the BBVA website or app to confirm the payment.
  • If you have notifications enabled on your cell phone, you will receive a message to authorize the purchase. Clicking on it will open the BBVA app directly. 
  • To access bbva.es or the BBVA app, you must authenticate yourself using your password or the biometric option (fingerprint, facial or iris recognition). This will be the first authentication factor. 
  • Next, a screen will be displayed with the details of the online purchase that you must accept. If you are making several purchases in different stores, you must accept them one by one. 
  • When you accept the purchase, you will receive an SMS message on your cell phone with a one-time code that is valid for a short period of time (approximately 2 minutes) that you must enter on the bank's website or app screen. This will be the second authentication factor that confirms that it is you who is really authorizing the payment. 
  • When validating the code, the purchase will be completed and you just need to go back to the e-commerce screen to review the transaction details.

How does it work for BBVA's non-digital customers?

If you are a BBVA customer, but have not yet registered for digital channels, the authorization process will be as follows: 

  • When you start paying for a purchase by card in an e-commerce store, you must enter the card details (full name of the account holder, card number, expiry date and CVV). 
  • Next, you will receive an SMS message on your cell phone with instructions for carrying out a mathematical operation using 2 positions of the card's pin. 
  • To validate the payment of the purchase, you must enter the result of the mathematical operation on the store's screen.

Ciberseguridad

See more news