Payment cards
How do I use a payment card safely?
- Keep the card and PIN separate and safe at all times.
- Make sure that you are not observed when entering your PIN to accept payment. Block the view with your other hand, for example, to prevent unauthorised persons from seeing what you enter.
- If you lose your card or it is stolen, promptly notify the card blocking service (phone 020-333) or your own bank.
- Do not give your card to another person.
- Check regularly that your card is safe.
- Set suitable withdrawal limits on your card.
- Never disclose your card’s PIN to another person.
- Do not disclose your card number on the phone, in an email or on a website if you are not sure that the party requesting the number is to be trusted.
My card was stolen. Am I liable for purchases made with it?
As a customer, you are not liable for unauthorised payment transactions if you have acted with normal care and according to the terms and conditions of the card. The bank will then compensate you for the sum of the unauthorised payment transactions. Your liability for use of the card also ultimately expires when you have notified the bank or other appropriate institution of the card’s loss or unauthorised use.
If, however, you have acted negligently with respect to the use, storage or notification of loss of the card, you may be liable for unauthorised payment transactions. Your liability is limited, however, to EUR 50; the bank will compensate you for the rest. This limitation of liability does not, however, apply if you are found to have acted negligently or intentionally.
What does strong authentication mean in connection with payments?
Strong authentication means the method by which customers are identified, for example in connection with payment transactions or when logging in to payment accounts. Authentication is accomplished by combining at least two of the following three options:
- knowledge, i.e. something only the user knows (such as a password, PIN code)
- possession, i.e. something only the user of the payment service possesses (such as a mobile phone, code calculator, a card when paying at a store payment terminal)
- inherence, i.e. something only the user is (such as a fingerprint, face map)
In addition to making payments, the means of identification provided by banks are also used in services where strong electronic customer authentication is required. Such services include electronic services provided by public authorities (e.g. Kela, Police, tax authorities) and electronic services provided by insurance companies. In addition to the means of identification provided by banks, mobile certificates provided by telecom operators and the Population Register Centre’s citizen certificate are generally used as means of identification in these services.
Who will see my account information?
Although PSD2 requires banks to allow third-party providers (TPPs) to access customers’ accounts, actual access to information always and only takes place with the explicit consent of the customers themselves. No non-bank entities will otherwise gain the right to access customers’ account information as a result of the new regulations. The express right to use account information services applies to customers themselves and not to other parties.
Can I still pay online using payment card information?
Previously, many online stores allowed you to pay by entering your payment card information. As of 14 September 2019, it has no longer been possible to pay at an online store simply by entering your payment card information; customers must also be strongly authenticated in connection with payments. In certain exceptional cases, such as small purchases of less than EUR 30, strong customer authentication is not necessarily required. Even for small online payments, however, strong customer authentication is required when the security limits set for individual purchases or the total amount of purchases are reached.
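The following sketch is an added example, not part of the original page or any bank's code. It combines the "two of three categories" rule from the strong authentication section with the small-purchase exemption described above. The factor names, function names and the two security limits (a running total and a purchase count since the last strong authentication) are assumptions; the page gives only the EUR 30 threshold.

```python
from dataclasses import dataclass

# Constructed mapping of sample factors to the three categories on the page.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "mobile_phone": "possession", "code_calculator": "possession",
    "card": "possession",
    "fingerprint": "inherence", "face_map": "inherence",
}

def is_strong(factors):
    """True only if the factors span at least two different categories."""
    unknown = [f for f in factors if f not in CATEGORY]
    if unknown:
        raise ValueError(f"unrecognised factor(s): {unknown}")
    # password + PIN is two factors but one category, so it is not strong.
    return len({CATEGORY[f] for f in factors}) >= 2

@dataclass
class ExemptionPolicy:
    low_value_cents: int = 3000    # "less than EUR 30", from the page
    max_total_cents: int = 10000   # assumed security limit, set per issuer
    max_count: int = 5             # assumed security limit, set per issuer

@dataclass
class CardState:
    total_since_sca: int = 0       # cents spent under the exemption
    count_since_sca: int = 0       # purchases made under the exemption

def authorise(amount_cents, factors, state, policy=ExemptionPolicy()):
    """Return 'exempt', 'authenticated' or 'sca_required'; update counters."""
    exempt = (amount_cents < policy.low_value_cents
              and state.total_since_sca + amount_cents <= policy.max_total_cents
              and state.count_since_sca + 1 <= policy.max_count)
    if exempt:
        state.total_since_sca += amount_cents
        state.count_since_sca += 1
        return "exempt"
    if is_strong(factors):
        # A successful strong authentication resets both security limits.
        state.total_since_sca, state.count_since_sca = 0, 0
        return "authenticated"
    return "sca_required"
```

Amounts are held as integer cents so that the threshold comparisons are exact.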
Can I still use an online banking code list?
The current paper-based online banking code lists provided by banks are easy to copy and therefore they no longer meet, in their present form, the requirements for increasing payment security. The banks are creating alternative methods, which fulfil the requirements of the new regulations, to replace or supplement the use of online banking code lists. The FIN-FSA has issued a statement on the use of online banking code lists.
When online banking codes are used for strong customer authentication in services other than in relation to payments and accessing payment accounts, such as in public authority services (Kela, Police, tax authorities), then identification service regulations, supervised by the Finnish Communications Regulatory Authority TrafiCom, will be applied instead of payment service regulations.
Check out the European Banking Authority's (EBA) tips for safe transactions and product purchases online (pdf).
Payment and identification services involve the risk of misuse if you are not careful and diligent in using online banking credentials and payment instruments. See more in the Scams section.