Bank of Lithuania
1 of 1

The Bank of Lithuania informs about enhanced consumer protection when making online card payments for goods and services as of 1 January 2021. Consumers will have to give an additional confirmation of their payment via e-banking tools, to ensure strong customer authentication (SCA). Some payments are already subject to such practice, however some e-merchants, mainly from other European Union (EU) Member States, will not be ready in time.

“Strong customer authentication will enhance consumer protection against fraud and increase online payment security. That said, not all service providers, especially from abroad, will be ready for the changes, which means there may be some difficulties with payments,” said Marius Jurgilas, Member of the Board of the Bank of Lithuania.

SCA requirements will be universally applied by e-merchants and payment service providers, such as banks, credit unions and electronic money and payment institutions. Consumers will mainly see changes when shopping in online shops in other EU Member States where payments by card are more popular. Online shops in Lithuania usually offer an option to pay via Bank Link or a payment initiation service where SCA has been required for some time now, i.e. payments need to be authorised using e-banking tools (such as Smart ID, a PIN code generator, a mobile signature, etc.). These requirements must be in place as soon as the new year starts, but given that some e-merchants are not properly prepared and in order to avoid inconvenience for buyers making online payments with a payment card, there is a transitional period of 3 months. This means that in January a payment service provider may omit SCA for online card payments under €500, in February – under €250 and in March – under €100. Where these thresholds are exceeded and as of April – irrespective of the amount, online card payments  may be declined, if an online store is not ready to request SCA.

There are however certain exceptions: SCA requirements may be skipped for low-risk payments (e.g. recurrent payments) and payments in non-EU online shops, as other countries have not yet migrated to SCA for online shopping. Payment transactions without SCA fall under the following general principle: the payment service provider will have to reimburse the consumer for any losses incurred if a payment is unauthorised.

SCA requirements are laid down in the Republic of Lithuania Law on Payments transposing the EU Payment Services Directive. Under its provisions, an online payment transaction is authorised in accordance with the following principles: I know (password, PIN code, etc.), I have (a code generator, SMS, digital signature), I am (fingerprint, voice recognition, retina and iris scan, etc.). Two of the above principles will suffice for SCA, which will depend on specific technical solutions implemented by a payment service provider.