The European PSD2 Payment Directive improves security through two-factor authentication and prevents unauthorised use

All the authentication procedures used by Bank Austria (CardTAN, MobileTAN SMS and MobileTAN Push) already meet the two-factor requirements. What is new under PSD2 is that a second factor also has to be used at login.

Aim of PSD2

PSD2 aims to make EU money transfers more secure and to open up the market for new payment services. It is intended to strengthen consumer protection, promote competition and guarantee neutrality in terms of technology and business models.

Questions and Answers

What does PSD2 (Payment Services Directive) change?
  • More security for online banking: With two-factor authentication, you will be prompted to enter a TAN more often than before, which makes you less exposed to fraud.
  • Open Banking ("Access to Account"): With your explicit consent, given through your bank, you can allow third-party service providers technical access to your payment accounts. This means you can also use services from third-party providers that require account information or include payment orders.

What is two-factor authentication?

Two-factor authentication means combining two different and unrelated factors from the following categories:

  • "Something you know" (something that only the user knows, e.g. a PIN),
  • "Something you have" (something that only the user has, e.g. a TAN),
  • "Something you are" (something the user is, e.g. biometric data such as a fingerprint),

which are used together to authenticate a user electronically.

When is two-factor authentication applied?

Two-factor authentication must be completed whenever you

  • access your payment account online
  • initiate an electronic payment transaction
  • perform any action which might be open to abuse via remote access.
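
As an added illustration (not code from Bank Austria or from the directive itself), the following Python checks the two rules described above: whether an action calls for two-factor authentication, and whether the presented factors really come from two different categories. Factor and action names are assumed labels, not the bank's real configuration.

```python
from enum import Enum


class FactorCategory(Enum):
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Assumed mapping of factor names to PSD2 categories; the names are
# illustrative, not the bank's real configuration.
FACTOR_CATEGORY = {
    "pin": FactorCategory.KNOWLEDGE,
    "password": FactorCategory.KNOWLEDGE,
    "cardtan": FactorCategory.POSSESSION,
    "mobiletan_sms": FactorCategory.POSSESSION,
    "mobiletan_push": FactorCategory.POSSESSION,
    "fingerprint": FactorCategory.INHERENCE,
}

# Actions the page lists as requiring two-factor authentication
# (the action names are assumed labels).
SCA_REQUIRED_ACTIONS = {"login", "initiate_payment", "remote_sensitive_action"}


def sca_required(action: str) -> bool:
    """Return True if PSD2 requires strong customer authentication here."""
    return action in SCA_REQUIRED_ACTIONS


def satisfies_two_factor(factors) -> bool:
    """True only if the presented factors span at least two different
    categories; two factors of the same kind (e.g. PIN + password, or
    CardTAN + MobileTAN) do not count as two-factor authentication."""
    categories = set()
    for name in factors:
        if name not in FACTOR_CATEGORY:
            raise ValueError(f"unknown factor: {name}")
        categories.add(FACTOR_CATEGORY[name])
    return len(categories) >= 2


def authorize(action: str, factors) -> bool:
    """Decide whether a request may proceed under the PSD2 rule."""
    if not sca_required(action):
        return True
    return satisfies_two_factor(factors)
```
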

How does Open Banking work?

Banks have to provide third-party service providers with technical access to the payment accounts of their customers. Third-party service providers are other banks, FinTechs or other payment providers, all of which must be registered with a European supervisory authority. Important: This access is only granted if the customer expressly informs the bank of their consent and/or this permission is requested afresh each time. As a customer, you have full control and can withdraw your approval for online banking at any time.

Details of third parties:

  • Banks have to give officially registered third-party providers, such as FinTechs or other banks, access through a secure interface to their customers' account information, plus the ability to trigger payments via third-party providers.
  • Account Information Service Providers (AISPs) receive account information such as account balance and turnover after your electronic approval through your bank.
  • Payment Initiation Service Providers (PISPs) can trigger payment orders after your electronic authorisation through your bank. The orders are then sent to the bank for execution.
  • Payment Instrument Issuer Service Providers (PIISs) may request confirmation of whether a given amount is available in your account, after your electronic approval through your bank.
