Payment Services Directive

Payment Services Directive

Internet and Mobile Banking

Contactless payments

Online payments 

New rules applicable to payments through cards or via Internet and Mobile Banking

Card payments safety and mitigating fraud risk regulations for electronic transactions are undergoing continuous changes, so that you benefit from a safe banking experience when using the Internet and Mobile Banking services or when paying with your BCR card.

Starting with September 14th 2019, the provisions of the European Regulation 389/2018 with respect to the technical and regulatory standards for strict customer authentication and to the open, shared and safe communication standards will come into force, an enactment aimed to supplement Directive 2366/2015 regarding payment services (hereinafter referred to as the European Regulation). 

What are its effects? 

Internet and Mobile Banking 

1. You can log in exclusively by using your username and the unique dynamic code  generated by eToken (IDentity) application / Token device. Access by using the username and password will no longer be allowed.  

2. When you sign the following types of transactions you will need to use the eToken (IDentity) application/ Token device:

  • Utilities payments
  • Tax payments
  • Direct Debit initial setting

Card payments

1. Entering your PIN code will sometimes be required also in case of purchases smaller than RON 100, if you have made consecutive transactions having an aggregated value of EUR 150 in RON equivalent, without previously entering your PIN. 

2. For online payments, in case the value of the transaction is lower than EUR 30,  in RON equivalent, you may not be required to enter your 3D Secure code. If the aggregated value of previous transactions without 3D Secure password exceeds the RON equivalent of EUR 100, your 3D Secure password will need to be entered.

* Directive 2366/2015 regarding payment services in the internal market and Regulation 389/2018 regarding technical and regulatory standards for strict customer authentication and open, shared and safe communication standards

New services regarding your payment accounts accessible online

The European Regulation aims to offer customers a wide variety of services and service providers. In summary, as per the new rules, you can provide access to your bank accounts to a fin-tech company or to another bank (Third party PSP), and BCR will allow access to the data in your accounts, so that you might benefit from the services listed below:

  •  Account information services – it means that you will be able to view the balance and transactions of your BCR account by means of an application provided by another fin-tech company/ another bank without being forced to log in to Internet and Mobile Banking BCR. For login, you will use the username and code generated by eToken (IDentity) application / Token device.

This authorisation is valid for 90 days, during which the PSP third party may request information from BCR about the accounts that you indicated, without you being forced to re-authorise access to your data within this time window.

  • Payment initiation services – it means that you may pay directly from your BCR account by means of the application provided by a PSP third party without needing to log in to Internet and Mobile Banking BCR. For the payment authorisation, you will use the username and code generated by the eToken Identity application/ Token device.
  • Conformation of funds availability – it means that you can agree that a Third party PSP might check the availability of a certain amount of money in your account in view of initiating a transaction by using the card issued by that Third party PSP. This agreement is valid for as long as you allow it.

Good to know

For the safety of your accounts, before using your login data for Internet and Mobile Banking BCR to access services provided by another fin-tech company/ bank you should make sure that that entity is authorised/ registered.

You can check that here, in the list of “NBR authorised payment institutions”.

Frequently asked questions

Starting with 14th September 2019, Strong Customers Authentication (SCA) will be necessary for all electronic payments. The European Regulation aims to protect the users by forcing financial services providers to use at least two of the three available identity authentication methods for payments check. The authentication methods are either knowledge based (e.g.: passwords), ownership based (e.g.: tokens) or identity-based (e.g.: fingerprint).

The provisions of the European regulation affects all electronic banking operations, such as bank transfers and card payments. The Strong Customers Authentication (SCA) requirements will apply to all payment cards issued in the European Economic Area and to all merchants and service providers based in the European Economic Area.

For you it will be a regular procedure, as BCR uses 3D Secure online payments protocol in case of which card holders must login with a unique password sent by text message. As a results of European Regulation, there will be new authentication options available, which might streamline the authentication process, given the fact that biometric authentication allows you to identify yourself simply by touching your phone.

Soon, BCR will put at your disposal biometric authentication for the best and easiest shopping experience possible.

During an online payment, you will need to enter your card information and click on the payment button. For the next step, there are three possible scenarios:

1. Single click payment: 

Based on your profile and your payment history, the card issuer or the merchant could decide that you can make the payment by a single click, without additional authentication.    

2. eToken (IDentity) authetication: 

After placing the order, you will find the transaction details in eToken (IDentity) and you must authenticate by fingerprint or other biometric data for authorising the payment.

If the PIN or the fingerprint (or other biometric data) are successfully identified, the payment can be approved.      

3. 3D Secure password authentication received by SMS:

The card holder receives a unique password sent via text message from the bank and he/ she needs to enter it on the merchant’s payment page.

In this case, you will not be able to perform the authentication and consequently the payment cannot be finalized.

The legislation applies only for the countries within this area and this is why contactless payments in other countries do not fall under the provisions  of this European Regulation.

Outside the European Economic Area, Strong Customers Authentication (SCA) is not mandatory.

The unique password is valid for 10 minutes and automatically becomes invalid after this time window expires. 

  • Account information service provider - is the payment service provider which performs exclusively account information services.
  • Payment initiation service provider – is the payments services provider which performs exclusively payment initiation services.
  • Card based payment instruments issuer – is the payment services provider which issues card-based instruments.
  • BCR will treat the payment instructions sent via PSP Third parties without discriminating them from the payment instructions sent directly by the BCR customer.  
  • PSP Third parties must identify themselves in relation to BCR and act according to the legal provisions.  
  • In case a BCR customer wants to benefit from the services provided by PSP Third party providers the consent to perform a payment instruction to BCR is granted via the PSP Third parties.  
  • BCR may deny access of  PSP Third parties only in case it has objectively justified reasons, supported by adequate proof related to the unauthorised or fraudulent access of the online accessible payment account by these third parties.
  • BCR will inform the customer about the fact that PSP Third parties’ access was denied as well as the reasons for this denial, except for the case when communication is prevented for justified reasons or in case the legal provisions prevent it. Communication will be sent after access refusal.  

In case an unauthorised or incorrectly performed payment operation is initiated via a payment initiation provider, the latter will have the responsibility of proving that, within the boundaries of its skills, the operation was authenticated, correctly registered and was not affected by any technical malfunction or by other technical deficiencies related to the payment services the provider bears responsibility for.