The rise of digital technology has led to a proliferation of cyber threats and electronic fraud. To address this, organisations, businesses and public authorities must adopt rigorous security measures, including strong customer authentication.
Failing to implement this protection, however, can lead to serious legal, financial and reputational consequences.
In this article, we will examine the legal obligations related to strong customer authentication, the consequences of failing to implement it, and some real-world cases.
What is strong customer authentication?
Strong customer authentication, or two-factor authentication (2FA), is a procedure that strengthens access security by requiring at least two distinct authentication elements from the following three categories:
- Something you know: a password or PIN code.
- Something you have: a smartphone, smart card or security token.
- Something you are: a fingerprint, facial recognition or iris scan.
Article L. 133-44, I of the Monetary and Financial Code requires payment service providers (PSPs) to implement strong customer authentication when the user accesses their online account, initiates an electronic payment transaction or carries out a transaction through a remote communication channel that may involve a risk of fraud.
For remote electronic payment transactions, strong authentication must establish a dynamic link between the transaction, the amount and the payee (Article L. 133-4, f, of the Monetary and Financial Code). This means that:
- The payer must be informed of the transaction amount and the payee.
- The authentication code generated must be specific to the amount and payee approved by the payer.
- Any change to the amount or payee invalidates the generated authentication code.
This approach limits the risks of unauthorised access by making intrusions much more difficult for cybercriminals.
What are the legal and regulatory obligations related to strong authentication?
Several regulations require the use of strong authentication in sensitive sectors:
1. General Data Protection Regulation (GDPR)
The GDPR, applicable since May 2018 in the European Union, requires organisations to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Article 32).
Although the GDPR does not explicitly mention strong authentication, it is often considered an appropriate measure for protecting personal data against unauthorised access.
2. Payment Services Directive 2 (PSD2)
PSD2, in force in the European Union, requires strong customer authentication for electronic payments in order to reduce fraud and increase the security of online transactions.
This directive requires the use of at least two of the following three elements: knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is).
3. Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS standards, which apply to organisations processing card payments, recommend the use of multi-factor authentication for accessing systems containing cardholder data.
These standards aim to strengthen the security of payment data and prevent unauthorised access.
4. Sector-specific standards
Certain sectors, such as healthcare, telecommunications or financial services, are subject to specific regulations that may require the implementation of strong authentication to protect sensitive information.
5. International standards and recommendations
Organisations such as the International Organization for Standardization (ISO) publish information security standards, such as ISO/IEC 27001, which recommends the use of robust access controls, including strong authentication.
Exceptions to the strong authentication requirement
There are, however, exceptions to this requirement, notably for:
- Low-value payments (below 30 euros), subject to certain conditions;
- Recurring payments of the same amount to the same payee, after the first transaction;
- Payments to trusted payees previously registered by the user.
What are the consequences of failing to implement strong authentication?
The failure to implement strong authentication, also known as two-factor authentication, can lead to several notable consequences, both for users and for payment service providers.
1. Increased risk of fraud
Without strong authentication, electronic transactions become more vulnerable to fraud attempts. Fraudsters can exploit this weakness to gain unlawful access to user accounts and carry out unauthorised transactions.
2. Increased liability of payment service providers
Under Article L. 133-19 of the Monetary and Financial Code, if an unauthorised payment transaction is carried out without the payment service provider having required strong authentication, the payer bears no financial consequences, except in cases of fraudulent conduct on their part.
Thus, in the absence of strong authentication, financial liability falls on the service provider.
3. Loss of customer trust
Users expect their online transactions to be secure. The absence of reassuring security measures, such as strong authentication, can lead to a loss of customer trust in the services offered. This can affect reputation and long-term loyalty.
4. Regulatory non-compliance
The European PSD2 Directive requires the use of strong authentication for electronic payments. Failing to comply with this requirement may expose service providers to regulatory and legal sanctions.
5. Significant financial risk for consumers
In the absence of strong authentication, consumers may be more exposed to financial losses in the event of fraud, especially if payment service providers refuse to reimburse fraudulent transactions.
Real-world cases of failure to implement strong authentication
In France, several real-world cases illustrate the consequences of non-compliance with the strong authentication requirement for payment transactions. Here are some examples:
1. Court of Cassation judgment of 30 August 2023
In this case, a client had mistakenly communicated a “3D Secure” security code to a third party posing as a bank employee, which resulted in an unauthorised payment from their account.
The bank refused to reimburse the client, citing gross negligence on their part. The Court of Cassation held that, except in cases of proven fraud by the client, the client must not bear any financial loss if the unauthorised payment transaction was carried out without the bank having required strong authentication.
The Court therefore overturned the previous decision, emphasising the obligation for banks to implement strong authentication to secure transactions.
2. Recommendations of the Observatory for Payment Methods Security
In May 2023, the Observatory published recommendations concerning the reimbursement of fraud victims. It specified that if a transaction disputed by the user was not subject to strong authentication, the account-holding institution is required to reimburse it without delay.
This position reinforces the obligation for payment service providers to implement strong authentication measures, under penalty of having to bear the financial losses related to fraudulent transactions.
3. Paris Court of Appeal judgment of 20 March 2024
In this case, a client had been the victim of several fraudulent debits totalling 13,000 euros. The bank had refused to reimburse her, arguing negligence on her part.
The Paris Court of Appeal ordered the bank to reimburse the amount, finding that it had failed to implement adequate security measures, including strong authentication, to prevent such fraud.
Summary
Strong authentication is an indispensable pillar of modern cybersecurity. By failing to apply this measure, organisations expose themselves to high risks that affect their legal compliance, financial position and reputation. It is therefore important to view this technology not as a constraint, but as a strategic investment to protect their interests and those of their clients.