The EU’s payment service directive sets new security standards. But what does this mean for Holvi users?


EU directive brings more security to payment services

When it comes to your money, you want to be sure that the services you use are safe and reliable. As money is moved around primarily in digital format, we see new threats emerging that require new protective measures. These concerns are now being directly addressed by the EU.

The first payment service directive (PSD) was put into place in 2007, with PSD2 following shortly thereafter in early 2018. One part of the new directive that came into force in 2019 is the strong customer authentication requirement.

Payment service providers are now required to add an extra layer of security to customer authentication when a customer, for example, logs into their account or verifies an outgoing payment. The digital environment is constantly evolving, and legislation is racing to keep pace.

“The first payment service directive came into force in 2007, and in more than 10 years it has become outdated. The new directive updates the old regulation: it covers new payment services and aims to keep the regulation up to date with the market development”, Jenna Tirkkonen, Holvi’s Legal Counsel, explains.


Jenna Tirkkonen, Holvi’s Legal Counsel.


What is “strong customer authentication”? 

PSD2 stipulates that payment service providers (such as Holvi) authenticate their customers strongly, and a username and password alone will no longer qualify.

“Customers have to be authenticated strongly according to PSD2 when they access their account online, initiate an electronic payment or take other actions that include the risk of misuse or fraud. For example, card payments both in-store and online are viewed as such electronic payments”, Jenna explains.

Why is it not enough to authenticate customers strongly only when they open their account for the first time?

“When a customer opens an account for the very first time, the payment institution has to ask information about the customer and store it based on anti-money laundering regulation. But when strong customer authentication is applied, the idea is to make sure that the payment initiator is the rightful owner of the account or the card. This protects the customer from potential misuse”, Jenna clarifies.

The directive sets certain criteria for strong customer authentication. It must cover at least two of the following:

  • Knowledge (something that only the user knows, e.g. a password), 
  • Possession (something that only the user possesses, e.g. a mobile phone), and 
  • Inherence (something that the user is, e.g. a fingerprint). 

In practice, payment service providers have to make sure that their customers use a means of authentication in addition to a password. This is called two-factor authentication. If, for example, a customer’s password was hacked, the user can rest assured that the hacker cannot access their account with the password alone.


From October, use the Holvi app for authentication 

At Holvi, we have addressed the issue of strong customer authentication with our mobile app; having the app meets the criteria of possession.

You’ll still log in with your existing username (email) and password, but from October, each login and outgoing payment will need to be confirmed with a PIN code chosen by the customer (meeting the knowledge criterion), or with Touch ID or facial recognition (meeting the inherence criterion). The methods available to you depend on the features and functionality of your smartphone. This two-step login process is also known as 2-factor authentication and adds an additional security layer, protecting your Holvi account.

If you are not able to install the app because of your phone’s operating system or your geographical location, you can also use Google’s Authenticator app for 2-factor authentication. You can read more about strong customer authentication at Holvi here.


Extra security for Holvi’s online store users

As strong customer authentication will be required when making a payment, the initiative also affects business owners selling via Holvi’s online store. But don’t worry – we’ve made sure that your online store is compliant and up to regulation. No action is required on your part!

When your customers buy from your online store, their credit card provider will ask for strong authentication, which the Holvi online store enables. Good news for you: your online store meets the requirements of PSD2 and you can keep selling as usual!


Smarter business banking with the Holvi app

We will release the new mobile authentication gradually and inform our customers of the exact dates via email. In the meantime, we strongly recommend installing and setting up the Holvi mobile app right away.

Get more done with the Holvi mobile app:

  • Keep track of your money and view end-of-month balance estimation.
  • Save receipts digitally for your bookkeeping.
  • Make payments. 
  • Create, send and track invoices.
  • Manage your card settings, block if needed and check your PIN code.

Download the app now!
