The requirements on when to apply strong authentication for EEA-based customers are outlined in the RTS on Strong Authentication (aka “2FA” or “2-Factor Authentication”). It is effective since 2019, but some countries delayed its implementation due to COVID. Anyway, this requirement has arrived in Europe.

Generally speaking, it’s required to apply strong authentication when:

• The user accesses their online account, and/or
• The user initiates a transaction (single or recurring) 

You may be asking yourself – is it really required to fire 2FA all the time when the user is using the same card and the same device and buying the same product from the same merchant? Can I just store their card details and allow for a better experience? 🤔

Sure! Here is when 2FA is not required:

• View only: A user views their recent transactions or balances, but does not initiate transactions;
• For contactless card payments: Single transaction under 50 EUR, or 5 or less contactless transactions under 150 EUR in total;
• For online (not contactless) single transactions under 30 EUR or 5 or less online transactions under EUR 100 in total;
• At parking and transport ticket terminals;
• For corporate customers initiating transactions via dedicated protocols (e.g. API)
• When the user created a list of trusted or “saved” counter-parties or when they transact with the same counter-parties (without actively saving them in a special list)
• When the user transacts with themselves (e.g. moves funds between their various accounts)
• When the financial institution has real-time fraud risk monitoring capabilities and their actual fraud levels are not exceeding specific limits (for example, for card-based transactions within the 250- 500 EUR range, the fraud rate % cannot exceed 0,01% of the total transactional volume).

Do you see now how it starts making sense and can work for you, right? 😊