The PSD2 payment services regulations require payment service providers, such as CaixaBank, to apply procedures that allow them to verify your identity or the validity of the payment instrument you are using (e.g. a card). This procedure is called AUTHENTICATION.
This authentication can be simple or strengthened (what PSD2 calls strong customer authentication). It must be strengthened when:
- you access your online payment account (for example, when you log in to CaixaBankNow);
- you initiate an electronic payment or transfer (e.g. when you make a transfer to pay for a gift for a friend). From 2021, strong authentication will also apply to purchases you make online;
- you carry out any action through a remote channel that may involve a risk of payment fraud or other abuse (e.g. subscribing to a service over the internet, such as an online TV series portal).
This strengthened authentication must be based on the use of two or more independent elements, so that a breach of one does not compromise the reliability of the others, and it must protect the confidentiality of your authentication data. The elements belong to three categories:
- Knowledge elements ("something that only the user knows"): a password, a PIN, a static secret code, answers to security questions, etc.
- Possession elements ("something that only the user has"): something that confirms possession by generating or receiving a dynamic validation element on a device, such as a one-time password (OTP) from a token or app, or a push notification sent to your mobile phone.
- Inherence elements ("something that the user is"): a fingerprint, an iris or retina scan, voice recognition or other biometric data.
When you initiate an electronic payment transaction (e.g. paying by card in an online shop or issuing a transfer through CaixaBankNow), the authentication must also be dynamically linked to that transaction: the code generated for it is specific to the amount and the payee, it cannot be used for a transaction in which either of these differs, and it is only valid for a limited time.
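The dynamic linking described above, as an added example that is not part of the original page and is not CaixaBank's implementation: an HMAC-based authentication code bound to the amount, the payee and the time the challenge was issued, with a validity window. The device key, the 300-second window, the eight-digit length, the HOTP-style truncation and the sample IBANs are all assumptions constructed for the illustration; the point it shows is that changing the amount or the payee, or replaying the code late, makes verification fail.

```python
import hashlib
import hmac
import struct
from decimal import Decimal

# Per-device secret shared with the bank at enrolment (the possession element).
# Constructed for this example; a real key is generated on the device or in an
# HSM and is never hard-coded.
DEVICE_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)

VALIDITY_SECONDS = 300   # assumed validity window; the page only says it is limited
CODE_DIGITS = 8          # assumed code length


def canonical_transaction(amount, currency, payee):
    """Serialise the details the code is bound to.

    The amount goes through Decimal so that "150" and "150.00" bind to the same
    value; the unit-separator byte keeps field boundaries unambiguous, so moving
    characters between amount and payee cannot produce the same message.
    """
    amt = str(Decimal(amount).quantize(Decimal("0.01")))
    fields = [amt, currency.upper(), " ".join(payee.split()).upper()]
    return "\x1f".join(fields).encode("utf-8")


def generate_code(key, amount, currency, payee, issued_at):
    """Derive an authentication code specific to (amount, payee, issue time).

    HMAC-SHA256 over the challenge time and the canonical transaction, then
    HOTP-style dynamic truncation (RFC 4226 section 5.3) to a fixed number of
    decimal digits. Any change to the amount or payee changes the HMAC and
    therefore the code, which is what dynamic linking requires.
    """
    msg = struct.pack(">Q", issued_at) + canonical_transaction(amount, currency, payee)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


def verify_code(key, code, amount, currency, payee, issued_at, now):
    """Check a code the customer typed in against the transaction the bank is
    about to execute. Returns (accepted, reason)."""
    # Time limit first: an old code is rejected even if it would otherwise match.
    if now < issued_at or now - issued_at > VALIDITY_SECONDS:
        return False, "code expired"
    expected = generate_code(key, amount, currency, payee, issued_at)
    # Constant-time comparison so timing does not leak how many digits matched.
    if not hmac.compare_digest(expected, code):
        return False, "code does not match amount/payee"
    return True, "ok"


def demo():
    """Walk through the four cases a practitioner cares about."""
    issued = 1_700_000_000                       # constructed challenge time
    payee = "ES00 1234 5678 9012 3456 7890"      # constructed sample IBAN
    code = generate_code(DEVICE_KEY, "150.00", "EUR", payee, issued)
    return {
        "code": code,
        # Same amount (written without decimals), same payee, inside the window.
        "unchanged": verify_code(DEVICE_KEY, code, "150", "EUR", payee, issued, now=issued + 30),
        # The amount the bank would execute has been altered: code no longer matches.
        "amount_changed": verify_code(DEVICE_KEY, code, "1500.00", "EUR", payee, issued, now=issued + 30),
        # The payee has been swapped: code no longer matches.
        "payee_changed": verify_code(DEVICE_KEY, code, "150.00", "EUR",
                                     "ES00 9999 8888 7777 6666 5555", issued, now=issued + 30),
        # Replayed after the validity window: rejected as expired.
        "replayed_late": verify_code(DEVICE_KEY, code, "150.00", "EUR", payee, issued,
                                     now=issued + VALIDITY_SECONDS + 1),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

In a real deployment the bank stores the challenge (issue time, amount, payee) when it sends it to the customer's device and recomputes the expected code from that stored record, so the customer never has to type the amount or payee a second time; the code is also shown to the customer together with the amount and payee so that a tampered transaction is visible before approval.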