Question 1

Will/must all banks have to stop providing SMS-only-based authorisation (both in Internetbanking and for card payments in the internet)?

Accepted Answer

Yes, the requirements under the Regulation (PSD2/RTS) apply to all institutions in the EU. SMS only based authorisation does not meet the 2-factor authentication criteria.

Question 2

What changes does this entail for card payments in the internet?

Accepted Answer

Starting in September, card payments in the internet will have to comply with the 3 Secure standard. That being so, the card data must be provided in a secure environment as well. Sparkassen Group customers authorise their card payments using s Identity or CardTAN.  Here is how it's done using s Kreditkarte and the new BankCard as of September 2019.

Question 3

How do I make online payments using the card?

Accepted Answer

As before, you will need to enter the following card data: the 16-digit card number, the expiration date and the 3-digit check number – both for the debit card 'BankCard' and for the s Kreditkarte. Then s Identity (or cardTAN) needs to be used to authorise the payment.  Here is how it's done using s Kreditkarte and the new BankCard as of September 2019.

Question 4

Does this mean that the authorisation method previously used for card payments is unsecure?

Accepted Answer

As of 14 September 2019, the authorisation method using SMS codes will no longer meet the newest regulatory security standards. SMS messages may be redirected by infiltrated malware, for example.  s Identity (and cardTAN) meets all the currently applicable security standards and obviously also the new, strict EU requirements for Internetbanking.

Question 5

What are the regulatory requirements that have to be met when making Internetbanking/ online payments?

Accepted Answer

Two s Identity components ensure true 2-factor authentication in accordance with the requirements of the PSD2 (Payment Services Directive 2), RTSs (Regulatory Technical Standards) and SCA (strong customer authentication).  These 2 components are:  The 1st factor is possession: e.g. pairing up of s Identity with a device (smartphone or PC/MAC) and the user number   The 2nd factor is knowledge: Secure access with a user-definable PIN code SMS-only-based authorisation does not meet these requirements! SMS relies solely on the 'knowledge' factor (just as the password). SMS messages can be redirected by Trojan malware, for example, or disclosed on the telephone. On the phone, scammers will usually pass themselves off as a bank employee and ask the customer to tell them what the SMS says that they have just received.

Question 6

As of when will the changes be applicable?

Accepted Answer

The changes will be applicable as of 14 September 2019, when the PSD2/RTS enters into force and 'strong 2-factor authentication' (SCA= strong customer authentication) will be required. Some shop operators may ensure compliance with the new requirements for the authorisation of card payments in the internet starting from September.

Question 7

Will authorisation be needed for every card payment in the internet?

Accepted Answer

No, not every online payment needs to be authorised by the customer (using s Identity or cardTAN). Authorisation is only necessary if required by the merchant.

Secure online payments

with s Kreditkarte and the debit card 'Bank Card'

Here is how to make online payments using your card.

If you use Internetbanking

Information for customers without Internetbanking

s Identity

Login and authorisation for George and apps

Information & FAQs

Services