New security requirements for online shopping

From 31 December 2020, there will be a requirement for so-called strong customer authentication when you pay by card online. You must have a BankID in order to shop online, and payments to online stores that are not prepared for the new rules may be rejected.

Why new rules?

The new rules are related to the EU's new payment directive (PSD2), and are made to reduce the risk of fraud. We as a bank have to know that the person who uses the card for payments also is the one who owns the card.

What does this mean?

  • When you shop online, you must identify yourself with BankID. You have previously been able to use an SMS code when shopping online, but this solution does not satisfy the legal requirements and will therefore be turned off by 10 January 2021. After this date, you must use BankID or BankID on mobile with your card when shopping online. See how to get BankID.
  • If the online store does not meet the new requirements, payments may be rejected.
  • You can no longer use the magnetic stripe / chip without entering the PIN. From 1 February, you can no longer use the card in places where you previously used a magnetic strip or chip (for example, vending machines and car washes), as it is a legal requirement that you must be able to enter a PIN code. Tæpping will still be possible.

What is strong customer authentication?

When you pay with a card online, we as a bank have to know that you who use the card are also the right holder of the card. Therefore, you need to confirm that you are you in a safe way. You do this through strong customer authentication.


Strong customer authentication means that several components are used as independent identification criteria, as is the case with BankID (birth number + one-time code + personal password).


As a bank, we are obliged from 1 January 2021 to reject transactions to European e-commerce sites that do not comply with the requirement for strong customer authentication.