The new legislation requires all customers in the EU (with some exceptions) to authenticate payments when requested, providing at least 2 items from the below list:
- Something the customer knows (password or PIN)
- Something the customer has (phone or hardware token)
- Something the customer is (fingerprint or face recognition)
If the customer is asked to provide authentication during the checkout process, they will see their bank's interface. However, if they have to authenticate a payment outside the checkout process, for example for a recurring subscription payment, they will receive an email with a link to the authentication process specific to their bank.