Secure online payments
with s Kreditkarte and the debit card 'Bank Card'
On 14 September 2019, new requirements from the 2nd EU Payment Service Directive' will be entering into force. From this day on, online merchants in the EU will be required to use the standard for secure online payments (3D Secure).
Previously, buyers were required to confirm online card payments and the card data entered during the purchase using a 6-digit code by SMS. This previous authorisation method using a code sent by SMS will now be replaced.
*The 'Payment Service Directive (EU) 2015/2366' (PSD2) entered into force on 13 January 2018 and was implemented in Austrian law as per 1 June 2018 (Zahlungsdienstegesetz 2018 [ZaDiG 2018]). As one of the last EBA Guidelines, the Regulatory Technical Standards on strong customer authentication and secure communication under PSD2 (RTSs) must be implemented as of 14 September 2019.
Here is how to make online payments using your card.
What does it mean for cardholders in practical terms?
The change does not affect you if you have not used your card to make online payments before.
If you have been using your s Kreditkarte or your new debit card 'BankCard' (hereinafter referred to merely as 'BankCard') to make online payments or intend to do so in the future, then please observe the point that applies to you in the overview below:
If you use Internetbanking
In future, instead of receiving an SMS with a 6-digit code, you will receive a push message to authorise the transfer using s Identity. Alternatively, you can actively log into s Identity and authorise the payment in s Identity directly.
Use your cardTAN generator in future and sign your card payments online using a cardTAN instead of the previous 6-digit code.
Switch to the new s Identity authorisation method now and sign your online card payment using s Identity - it's easy and secure. Download the s Identity app now and activate it in George.
You will find details on how to switch from TAC-SMS to s Identity here.
If you have been using Telebanking with cardTAN, then you will need to confirm online card payments using the cardTAN generator in future instead of with the previously applicable 6-digit code.
If you have been using a password and TAC-SMS for Telebanking, you do not need to do anything for now. We will notify you in good time about any steps that need to be taken.
Information for customers without Internetbanking
- Order your George access online right away, and your access credentials will be sent to your home address by post.
- You can also request access credentials for George at any branch of your bank.
In future, you will need Internetbanking George to be able to make online payments using your s Kreditkarte or your new BankCard.
s Identity
Login and authorisation for George and apps
- Install app on your smartphone
- Activate with code
- George may still be used on all devices
Information & FAQs
- The 1st factor is possession:
e.g. pairing up of s Identity with a device (smartphone or PC/MAC) and the user number
- The 2nd factor is knowledge:
Secure access with a user-definable PIN code
Yes, the requirements under the Regulation (PSD2/RTS) apply to all institutions in the EU. SMS only based authorisation does not meet the 2-factor authentication criteria.
Starting in September, card payments in the internet will have to comply with the 3 Secure standard. That being so, the card data must be provided in a secure environment as well. Sparkassen Group customers authorise their card payments using s Identity or CardTAN.
Here is how it's done using s Kreditkarte and the new BankCard as of September 2019.
As before, you will need to enter the following card data: the 16-digit card number, the expiration date and the 3-digit check number – both for the debit card 'BankCard' and for the s Kreditkarte.
Then s Identity (or cardTAN) needs to be used to authorise the payment.
Here is how it's done using s Kreditkarte and the new BankCard as of September 2019.
As of 14 September 2019, the authorisation method using SMS codes will no longer meet the newest regulatory security standards. SMS messages may be redirected by infiltrated malware, for example.
s Identity (and cardTAN) meets all the currently applicable security standards and obviously also the new, strict EU requirements for Internetbanking.
Two s Identity components ensure true 2-factor authentication in accordance with the requirements of the PSD2 (Payment Services Directive 2), RTSs (Regulatory Technical Standards) and SCA (strong customer authentication).
These 2 components are:
SMS-only-based authorisation does not meet these requirements! SMS relies solely on the 'knowledge' factor (just as the password). SMS messages can be redirected by Trojan malware, for example, or disclosed on the telephone. On the phone, scammers will usually pass themselves off as a bank employee and ask the customer to tell them what the SMS says that they have just received.
The changes will be applicable as of 14 September 2019, when the PSD2/RTS enters into force and 'strong 2-factor authentication' (SCA= strong customer authentication) will be required. Some shop operators may ensure compliance with the new requirements for the authorisation of card payments in the internet starting from September.
No, not every online payment needs to be authorised by the customer (using s Identity or cardTAN). Authorisation is only necessary if required by the merchant.