PSD2 and the delegated regulation on strong authentication stipulate that users must carry out strong authentication every 180 days for the aggregator to be able to access their payment account data. Therefore, if after 180 days you have not renewed your authentication, the service provider can no longer access your account data.

In addition, you can cancel the service with the service provider at any time. The service provider is then required by law to cease accessing your account details.
Finally, if unauthorised access is suspected, the user may ask their account-holding institution to revoke the service provider's rights.

Payment initiators enable users to make payments without going through their online banking portal and without having to fill in the beneficiary's details, thanks to an interface provided by the initiator. In particular, they make it possible to make a payment to a merchant on the internet. PSD2 has provided a legal framework for payment initiators, who receive authorisation from the ACPR.

A card payment does not involve exactly the same players and the same technical processes. When a user makes a card payment, a payment authorisation request is sent by the merchant's bank (acquirer) to the customer's bank (issuer) on what are known as authorisation servers. The banks are linked by payment schemes (in France, these notably include Cartes Bancaires, Visa, Mastercard and American Express). When the customer's bank authorises the transaction, it guarantees payment to the merchant's bank. The goods can then be dispatched.
A payment via an initiator involves only the initiator and the customer's bank. The initiator invites the user to select their bank. The user is then redirected to an authentication page. Once authentication has been completed, the payment is made. The initiator receives confirmation from the customer's bank, informs the merchant and the goods can be dispatched.

The regulations prohibit payment initiators from storing sensitive payment details concerning the user. Moreover, authentication is required each time a payment is made. If a payment initiator were to retain such data, it would face sanctions from the ACPR.

Strong authentication involves the confirmation of at least two authentication factors of different categories from the following three: i) possession (key, mobile phone, etc.); ii) knowledge (password) and iii) inherence (fingerprint). In the vast majority of cases, strong authentication involves opening the user's online banking app and entering a password (or checking their fingerprint) on a phone previously registered by the account-holding institution. This method replaces sending an SMS to the mobile phone, which fulfils only one of the two criteria if it is not combined with confirmation of a password.

Strong authentication significantly enhances security when logging in to your online banking account and making payments. A malicious user would not be able to access another user's space with just their password. When paying by card on the internet, entering your payment card details is not sufficient to complete the transaction. The strong authentication provided for under PSD2 is more secure than an SMS alone, because it is not impossible to intercept payment confirmation SMS messages sent by account-holding institutions (SIM swapping technique).

The regulations do not require banks to provide several strong authentication mechanisms. However, within the framework of the Observatoire de la sécurité des moyens de paiement (OSMP – Observatory for the Security of Payment Means), French financial institutions have undertaken to offer several different mechanisms, in particular for customers who do not have smartphones and are therefore unable to install French banks' mobile solutions for strong authentication. The alternative solutions that could be provided are as follows:

• Continuing with the system of a code sent by SMS or voice server combined with a personal code. In this case, the customer validates the transaction on the internet by entering in two separate fields: i) the code received by SMS or interactive voice server and ii) a static personal code communicated to them by their bank (for example, their online banking access code). The payment process is therefore unchanged overall, with the addition of an extra input field on the validation page. This constitutes a solution providing continuity.
• The use of a physical device provided by the bank, particularly for “sedentary” customers who make their online purchases systematically from home. In this case, the bank equips customers with a device enabling them to authenticate themselves securely. This can take a variety of forms such as a code generator with an input keyboard, a USB key or a QR code reader, etc. In this case, the bank must provide its customers with all the support and assistance they need to use the device properly.
   

Banknotes

There are seven denominations of euro banknotes in circulation: €5, €10, €20, €50, €100, €200 and €500. Each is different in size and has a different dominant colour. They are identical in all euro countries.

The €500 banknote is no longer issued, but it is still in circulation as legal tender which means you can continue to use it for payments and deposits.

Coins

There are eight euro coins in circulation: 1, 2, 5, 10, 20 and 50 cent, €1 and €2.

They have a common side which is identical in all euro countries, and a national side indicating the issuing country.

The eight coins have different features to make them easy to recognise.

The French mint, the Monnaie de Paris, also produces collector euro coins that can be exchanged for their face value at the Paris branch of the Banque de France.

Euro banknotes have security features that make them easily recognisable for all users.

You can check that a banknote is genuine using the “feel, look and tilt” method.

Details of the method can be found on the ECB website.