The PSD2 stipulates that, as of 14 September 2019, payment service providers must use strong customer authentication for online credit transfers, amongst other things. The iTAN procedure no longer fulfils these prerequisites and thus may no longer be used as of this date. Further information about the changes as of 14 September 2019 and the revocation of the iTAN procedure can be found in an article published by BaFin, which is summarised below:
"If the electronic payment to be initiated is a remote payment, for instance an online credit transfer or an online credit card payment, strong customer authentication is to be extended to include a dynamic link to the recipient and amount. This can best be explained with an example. When sending a TAN via SMS, the user must be informed of the amount and recipient for which this TAN is valid; if any of the payment details change, the TAN becomes invalid. iTAN lists, which are still used in some cases, no longer fulfil this requirement as the TANs in these lists can be used for any payment. Furthermore, it is easy to copy these lists. There is a risk of fraudsters gaining hold of these TANs and using them for payments for their own benefit."