Questions and answers about impacts of the Payment Services Directive on corporate customers

1. What are the impacts on corporate cards?

Strong authentication will become compulsory for card payments.

• Card payments in online stores and mobile apps will become more secure once PSD2 regulations are implemented.
• Payments can no longer be made with a card number and CVC code alone; more often the customer must be authenticated using strong authentication.
• Companies accepting card payments must request their card payment service provider to apply the necessary changes.

2. I don’t want to switch to electronic authentication/the code app. Can I continue to use the Classic code card?

The code cards for Corporate Classic Netbank will no longer be accepted as a means of authentication next year, so the code app and the code calculator will be the only means of authentication in the future. The code app or the code calculator are the safest means of authentication for customers, and they fulfil the requirements of the Payment Services Directive.  You can log into Nordea Business, which is a replacement for Corporate Classic Netbank, only with the code app or the code calculator.  

3. Is the paper code card used in other channels than Corporate Classic Netbank? Will I be unable to use other services once the code cards are phased out?

If you have used your company’s code card to log into a third-party service through Nordea’s e-identification service, you will no longer be able to do so after the e-identification service is revised in autumn 2019.

4. My company offers e-payment as an alternative on its website. Will the directive affect e-commerce and online payments?

Card payments will become more secure in online stores and mobile services thanks to PSD2. Payments can no longer be made with a card number and CVC code alone; the customer most be authenticated using strong authentication. Online retailers will mostly carry out strong authentication through the customer’s personal online banking access codes (including those obtained from other banks than Nordea). If a corporate customer accepts card payments, it must request its card payment service provider to implement the necessary changes by 14 September 2019.

5. Will these changes bring anything new for Nordea’s corporate customers?

• Card payments in online stores and mobile apps will become more secure once PSD2 regulations are implemented. Payments can no longer be made with a card number and CVC code alone; the customer most be authenticated using strong authentication. Online retailers will mostly carry out strong authentication through the customer’s personal online banking access codes (including those obtained from other banks than Nordea).
• Companies can give a third party (e.g. a bank, fintech company or ERP vendor) consent to access their account information from all their bank accounts in the EU. 
• Companies can give a third party (e.g. a bank, fintech company or ERP vendor) consent to make payments from their accounts held in different banks.
• Companies can adopt Nordea’s FX API, which is intended for automating currency transactions, and Nordea’s Instant Reporting API, which allows companies to retrieve their Nordea account information in real time.

6. As an entrepreneur, how can I make sure I’m ready for the changes ushered in by PSD2 and that they won’t cause me problems? Where can I get help?

If you have an online store, you must make sure it supports 3D Secure technology. You can turn to your payment services provider for help. In Corporate Classic Netbank, the code card can no longer by used after 31 December 2019, which is why we recommend that you start using the code app or code calculator without delay, if you haven’t already done so. 

7. How will the changes appear at points-of-sale and payment terminals?

Payment transactions made at points-of-sale must perform strong authentication using chip and PIN. Contactless payment transactions will be accepted as before (contactless payment limit of 50 euros, PIN must be entered if the payment terminal requests it). However, card payments can no longer be confirmed with the cardholder’s signature.

8. How will the changes affect online stores?

Card payments in online stores and mobile apps will become more secure once PSD2 regulations are implemented. Payments can no longer be made with a card number and CVC code alone; the customer must be authenticated using strong authentication. Online retailers will mostly carry out strong authentication through the customer’s personal online banking access codes (including those obtained from other banks than Nordea). 

If a corporate customer accepts card payments, it must request its card payment service provider to implement the necessary changes by 14 September 2019.

NB. If you use the Siirto mobile app to pay for online shopping, you will not need additional authentication, as it will continue to function as before after 14 September.

9. How will the changes affect new corporate cards?

A new or renewed card must be activated before it can be used.

When a card is used to pay online, the cardholder’s identity is strongly authenticated. At Nordea, strong authentication means using the code app or code calculator. Even if you’re not a Nordea customer, you can obtain our code app for authenticating your identity when making card payments online.

10. Nordea’s e-identification service will be revised. What does this mean?

Nordea is revising its e-identification service (the changes are not directly based on the new Payment Services Directive but on the EU’s eIDAS Regulation).

It is important to take this into consideration if your company’s customers log in to your online services using bank e-identification services.

The TUPAS protocol used in banks’ identification services in Finland will not fulfil the future requirements of strong authentication, which are harmonised with EU regulation. Stricter data security regulations require banks to adopt a more advanced protocol. Although the current TUPAS e-identification protocol will no longer comply with the requirements of legislation governing strong electronic authentication after 30 September 2019, the service will remain available for the time being as a form of “weak authentication”. Corporate customers must switch to the new version of e-identification or start using a user authentication intermediary service. This will require your company to apply changes to the information systems running your online services. 

Further information is available here.