You can grant a payment initiation service provider or an account information service provider access to your bank account. The PSD2 specifies that these providers may use your bank’s verification procedure. Furthermore, the PSD2 stipulates that this procedure must always comprise two factors (strong customer authentication, SCA); however, the bank/savings bank or payment institution in question is free to specify the exact details.
Usually a combination of at least two of the following elements is requested:
- something you have (e.g. a debit card or a mobile phone),
- something only you know (access code),
- biometric identification (e.g. fingerprint, iris scan).
If you give a payment initiation service provider permission to execute a payment, this is similar to asking your bank/savings bank to carry out a payment order. The procedure for account information service providers is much the same.
In both cases, your bank/savings bank or payment institution first checks whether you are the account holder.
To trigger a payment, an element (TAN) must be linked to the proposed transaction (amount and beneficiary). This TAN can only be used for this particular payment: if the amount or beneficiary changes, the TAN also changes. By entering the TAN, you agree to make the payment.
In combination with other security measures, this ensures that the payment service provider can only carry out transactions with your consent.
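The link between the TAN and the transaction described above can be illustrated with a short sketch. This is an added example, not code from the original page or any bank's actual procedure: the HMAC construction, the 6-digit length and the names `derive_tan` and `TanVerifier` are assumptions chosen for illustration, and the IBANs are constructed placeholders.

```python
import hashlib
import hmac
import secrets

TAN_DIGITS = 6  # assumed length, for illustration only


def derive_tan(key: bytes, challenge: bytes, amount_cents: int, beneficiary_iban: str) -> str:
    """Derive a TAN bound to one transaction (amount and beneficiary)."""
    iban = beneficiary_iban.replace(" ", "").upper()
    # Length-prefix each field so different field boundaries cannot collide.
    fields = [challenge, str(amount_cents).encode(), iban.encode()]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226) down to a short decimal code.
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10**TAN_DIGITS).zfill(TAN_DIGITS)


class TanVerifier:
    """Bank-side check: the TAN must match the order actually submitted, once."""

    def __init__(self, key: bytes):
        self._key = key
        self._open_challenges = set()

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # fresh per payment order
        self._open_challenges.add(challenge)
        return challenge

    def verify(self, challenge: bytes, amount_cents: int, beneficiary_iban: str, tan: str) -> bool:
        if challenge not in self._open_challenges:
            return False  # unknown challenge, or TAN already used
        expected = derive_tan(self._key, challenge, amount_cents, beneficiary_iban)
        if not hmac.compare_digest(expected, tan):
            return False  # amount or beneficiary differs from what was approved
        self._open_challenges.discard(challenge)  # a TAN is valid for one payment only
        return True


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key shared by bank and customer device
    bank = TanVerifier(key)
    ch = bank.new_challenge()
    tan = derive_tan(key, ch, 12500, "DE00 0000 0000 0000 0000 00")  # constructed IBAN
    print("altered amount accepted:", bank.verify(ch, 99900, "DE00000000000000000000", tan))
    print("approved order accepted:", bank.verify(ch, 12500, "DE00000000000000000000", tan))
```

Because the amount and beneficiary feed into the TAN, an order altered after the customer approved it fails verification, and a TAN that has been accepted once cannot be replayed.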