On May 5th 2015 the German regulator BaFin published Minimum Requirements for the Safety of Internet Payments. They are just a translation of the Guidelines on the security of internet payments published by the European Banking Authority (EBA) and are far behind the original BaFin draft. Nevertheless, the published circular letter does not clarify whether online direct debit will remain compliant.
The letter refers to “E-Mandates” and not to so-called Click-Mandates. So our understanding is that a mandate can be given by a click only. But our clients are irritated. Hence, we ask the German Ministry of Finance and the Bundesbank to clarify once more, as they did in September 2013.
Update 2015 Aug 26th:
A semi-official clarification was published by BaFin saying that merchants can continue generating mandates with a click, but regulated PSPs are forced to do two-factor authentication. In addition, we heard that BaFin might not enforce MaSI before PSD2. So Germany is following the UK. What does that mean in practice? SEPA direct debit online and mobile is safe at least for another two years.