The validation of an online payment by SMS will soon no longer meet European requirements. In combination with traders, banks take time to adapt.

Shoppers online will have to change their habits. Today, to validate their purchases, they often have to register in a dedicated Internet window a single-use code received by SMS. Tomorrow , this system (called SMS-OTP for “one time password”) will no longer be sufficiently secure with regard to the new European requirements on payment security.

New rules of the game from September 2019

Combined with traders, banks therefore require regulators time to find alternative security systems. “A strategy of gradual migration towards new methods of strong authentication must be put in place”, a recent document highlights a committee of bank and merchant representatives brought together by Cartes Bancaires CB.

In principle, online payment providers still have several months to complete this migration. The new European rules for securing online payments will come into force in September 2019

A risk for online commerce
According to banks and traders, switching now to another anti-fraud tool would weigh on e-commerce, which is currently booming.

This conviction is shared at the European level. In a letter dated at the end of October, several European retailers’ federations are asking the European banking policeman to review its copy on payment security and give the stakeholders three years to deploy alternative anti-fraud schemes.

Biometrics, a solution among others

In the immediate future in France, online payment players want to be able to continue to secure payments thanks to single-use codes sent via SMS. Especially since this device allows “significant gains in terms of the fight against payment fraud on the Internet,” notes a report from the Bank of France.

It remains to be seen which tools will succeed the text to meet the European framework. Biometrics is one of the solutions that banks could deploy. In the future, the customer could for example validate his purchase by scanning his fingerprint on his smartphone. Banks could also choose to communicate to their customers a code dedicated to all their purchases on the internet.