From 14 September, a measure envisaged by the new European directive on the security and transparency of bank payments will come into force. It will change the way we spend money online and, more generally, the relationship between banks and their customers. The law has two main innovations: the possibility of authorizing “third parties” – that is, private companies – to carry out transactions on their own account, and the obligation to strengthen the measures with which the bank identifies its users. One of the first consequences of this last measure is that Italian banks will have to abandon the so-called tokens, i.e. the small devices that provide a security code associated with a customer's account, which are now obsolete.
As a result of the authorization of “third parties”, many of the procedures that online payments involve today will be simplified. Repubblica explains that “it will be possible to make a payment on an ecommerce site (impossible not to think of Amazon) without entering the data of your credit card or debit card, because the seller will directly access our account, subject to our first authorization”.
Benedetta Arese Lucini, former head of Uber Italy and founder of a start-up that deals with electronic payments, wrote in an article hosted by the Press that the European directive will also lead to “an ever wider user profiling based on behavioral analysis of expenditure”. As often happens with this type of innovation, users will have some immediate advantages – given that the “third parties” will also be able to offer services increasingly tailored to customer needs – at the expense of the complete confidentiality of their data that they enjoy today.
Another important change concerns authentication to home banking services, with which bank customers can check their bank statement or send wire transfers. From today, authentication procedures must include at least two of the three principles established by law: a password known only by the user; a device owned exclusively by the user; or data attributable exclusively to a person, such as a fingerprint.
For some time now, many banks have allowed access to home banking via a password and a number generated by a token. The old generation of tokens, however, can no longer be used: the codes they generated could be used to carry out more than one operation, and therefore in theory by several people, which violates the principle of exclusive possession of the device provided for by the new law.
Many banks have already adapted, and have replaced the old token with an authentication process on the bank's app – which is valid for one operation only – or with an SMS sent to the customer's number. All the others are required by law to do so by today. This does not mean that tokens will disappear entirely: Deutsche Bank, for example, will replace them with new-generation devices that create unique numbers for each operation.