Peru’s Superintendencia de Banca, Seguros y AFP brings in stronger two-factor authentication for card payments and extends key implementation deadlines to April 2026

Peru’s Superintendencia de Banca, Seguros y AFP (SBS) has brought into force new identity-validation measures to strengthen the security of credit and debit card transactions, including mandatory two-factor authentication requirements for different payment scenarios. For card-present transactions carried out via POS, cards issued from 1 July must use two factors: the chip (or its digital representation) and a secret code (PIN). For card-not-present transactions such as online purchases, two factors will be required: the data contained in the physical or digital representation of the card and a dynamic card verification code or a similar factor. For third-party mobile wallets based on card tokenisation, enrolling a card for use must be authenticated using the tokenisation process and a second factor of a different nature. SBS also extended, to 1 April 2026, the deadline for financial institutions to complete implementation in two specific areas: introducing the PIN as a second authentication factor for card-present credit card transactions, and enabling mechanisms to replace card data with a unique identifier generated using cryptographic techniques for transactions conducted on third-party platforms. From 1 April 2026, for cards issued before 1 July that lack a second factor (PIN) for card-present transactions, firms will begin to assume direct responsibility for unrecognised transactions that do not use the second authentication factor.