by jacquesm 1672 days ago
SEPA 'pull', aka merchant-initiated transfers, require a one-time authorization; repeat debits require a one-time authorization for the first payment and can be re-run afterwards (used for subscriptions), and can be revoked up to 90 days after the payment was made.
2 comments

Were old transactions grandfathered in, or did Germany implement the laws differently? Because I never had to do any authorization besides checking a box that I allow them to debit my account (either on paper or online). All my existing ones predate PSD2, though.
I'm fairly certain that SEPA mandate identifiers for recurring direct debits existed for years before PSD2. The way it works from the merchant perspective is that you include the mandate identifier and a "type" to indicate whether this is a first or recurring debit. The merchant only finds out about any problems some days (or months) later.

How your bank presents (or doesn't present) a new SEPA mandate to you for approval is up to them. I'd guess that at least some of them never show you anything, and assume that you will notice and revoke the payment if it was unexpected or fraudulent.

Neither Postbank, N26, nor the 2 Sparkasse branches I’ve been a customer of ever showed me anything for approval, so I guess it’s not very common.
> a one-time authorization

Yes, but how well defined, or how loose, is that "authorization"?

With my bank, that requires me to use a device they sent me (a hardware token), my bank card, my PIN, and a secondary authorization where I use the hardware token to process a challenge and then type in the response.
The account owner can control the frequency and the maximum amount per period. It's not the case that some random entity can just grab all your money.
> The account owner can control

Unfortunately, that depends on the implementation of security the bank adopted. I assume you are mentioning a detail in the PSD2 directive. The banks, especially after national legislation following the directive, may adapt but not overlap it.

Take as an example the rule in the directive that NFC-based payments should require PIN-based confirmation every five transactions: not all banks implemented this.

Pretty good now; the legislation mandates multi-factor authentication by the issuing bank. So the customer has to prove presence directly with their bank to authorise the payment.

There is also dynamic linking (i.e. you are shown the amount but also a unique code that the payment requestor also showed you) so you are confident it is the same transaction.