Security

Frequently asked questions:

What are the security requirements for banks, payment service providers and account holders?

PSD2 and the derived European rules lay down several security requirements. These include, for example, how the bank must verify your identity as the account holder. These requirements apply when you wish to make payments or use payment initiation or account information services, and they establish how banks and third parties should communicate in a technically secure way. There are also requirements relating to the risk management systems of banks and payment institutions. In the event of incidents, banks and payment institutions must immediately report them to the supervisory authority, which may then require them to take appropriate measures. DNB is the supervisory authority for the Netherlands, and must monitor the payment service providers' compliance with all applicable requirements, such as sound operational management.

In addition to these safeguards, the banks and payment institutions have their own security measures. For example, they continuously monitor all payment orders. If they detect anything unusual, they can block the order or contact the account holder. Banks in the Netherlands exchange information about unusual transactions and suspect counterparties. They work together with the police and the judicial authorities to ensure a secure and reliable payment system.

PSD2 also requires you, as the account holder, to handle your bank's security codes with due care. In the event of loss or theft of your debit card or security codes, you must immediately inform your bank.

Why do I always need to enter security codes when making payments?

These codes are necessary for the security of the payment system. There are two types of codes. The first type includes your debit card PIN code, your code for logging into the online banking environment or app, and your credit card's CVC code (i.e. the three-digit code on the back of your credit card). Such a code is one of the factors with which the bank, payment service provider or credit card company can verify your identity as the account holder. They want to make sure that you are who you say you are. Then they know you are authorised to make decisions about your account, make payments and give consent to access your account. This is why you must handle such codes with due care, and must keep them secret.

The second type of code includes those generated once your identity has been verified, such as TAN codes provided by the bank, or codes generated by a security calculator. These codes are unique, and linked to the transaction (amount, beneficiary). If the amount or beneficiary changes, the code will change too. They cannot be used more than once, which means they are useless to hackers, for example.
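The following added example (not part of the original FAQ, and not any bank's actual algorithm) shows how a code can be bound to the amount and beneficiary and made single-use. The HMAC construction, the demo key, the account number and all function and class names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key (assumption). A real secret is held by the bank and by
# the customer's security calculator or app, never in source code.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def transaction_code(key: bytes, amount_cents: int, beneficiary: str, nonce: str) -> str:
    """Derive a 6-digit code bound to amount, beneficiary and a per-transaction nonce."""
    # Normalise the account number, then length-prefix every field so that
    # different (amount, beneficiary) pairs can never serialise to the same bytes.
    fields = [str(amount_cents), beneficiary.replace(" ", "").upper(), nonce]
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class CodeVerifier:
    """Bank-side check: the code must match the exact transaction and works once."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()  # nonces issued and not yet consumed

    def start_transaction(self) -> str:
        """Issue a fresh random nonce for one proposed transaction."""
        nonce = secrets.token_hex(8)
        self._pending.add(nonce)
        return nonce

    def verify(self, code: str, amount_cents: int, beneficiary: str, nonce: str) -> bool:
        if nonce not in self._pending:
            return False  # unknown nonce, or the code was already presented
        # Consume the nonce before comparing: one attempt per transaction, so a
        # replayed code fails and a 6-digit code cannot be guessed by retrying.
        self._pending.remove(nonce)
        expected = transaction_code(self._key, amount_cents, beneficiary, nonce)
        return hmac.compare_digest(code.encode(), expected.encode())
```

A code computed for EUR 25.00 to one account verifies only for that amount and account, and only the first time it is presented.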

What is the difference between my PIN code and my online banking login codes?

Your PIN code is a four-digit code linked to your debit card. You can use it to make payments with your debit card. You don't always need to use this code, for example for low-value contactless payments. However, in most cases you will need your card and code. Your PIN code is personal, and you must keep it secret. Third parties are not allowed to ask for your debit card PIN code. They do not need it.

The third party may, however, ask you to use other security details provided by your bank, such as your internet banking login codes. In some cases you need your bank's debit card, PIN code and security calculator. In that case, you only use the code generated by the security calculator for the third party and not your PIN code.

Can I also make payments without codes?

Security codes – regardless of whether this concerns your debit card PIN code or your online banking login codes – are meant to safeguard the security of the payment system. In some cases, you do not have to enter a code. Exemptions can apply if using a code is impractical, or if the risk is small. Examples include:

  • Contactless payments
  • Payment terminals in public transport, on toll roads and in parking areas
  • Payments to beneficiaries in your address book to which you have made payments before
  • Recurring payments, with the same amount being transferred to the same beneficiary
  • Transfers between your own accounts at the same bank
  • Low-value payments
  • Payments assessed as low-risk by your bank based on advanced analysis methods

These exemptions are not unlimited. Furthermore, the bank decides whether to apply an exemption and whether you must enter a code.

What about when I have to enter my PIN code for contactless payments?

You do not always have to enter a code for contactless payments. You do not need to enter a code for transactions if the value of the transaction is lower than EUR 50, and the total value of the previous transactions for which no PIN code was entered is lower than EUR 150, or the total number of these transactions is lower than five. Above these thresholds, you must enter your PIN code. This means you can never lose more than EUR 150 if your debit card is lost or stolen.

Currently, the Dutch banks have their own thresholds for contactless payments. Effective from the autumn of 2019, the following thresholds will apply throughout the European Union. These thresholds will then be the same for all EU banks.

All new debit cards are suitable for contactless payments, and this option is "on" by default. You can disable it if you don't want to make contactless payments. Alternatively, you can request a debit card without a contactless option. Ask your bank.

How do I obtain security codes?

There are two types of security codes. The first type includes your debit card PIN code, your online banking code and your credit card's CVC code (i.e. the three-digit code on the back of your credit card). Debit card and online banking codes are provided by your bank. In some cases, you can select your own codes. You can find the CVC code on the back of your credit card. Your credit card has a PIN code too; this is provided by the credit card provider. The second type of code is a unique code linked to the proposed transaction (amount and beneficiary). This code is generated by your bank's system.