You have questions about the security of Sofort?
Frequently asked questions
How secure is Sofort and how reputable is it?
In all matters concerning money, security must have the highest priority. That's why we designed Sofort as one of the safest online payment systems. With Sofort you use the classic online banking procedure. In particular, the confirmation code (TAN) offers a high degree of protection from misuse, because it can be used only once and then immediately becomes invalid. Entry of your online banking login details such as your PIN and the relevant TAN occurs exclusively in the secure payment form of Sofort GmbH and not on the merchant's website. This ensures that the merchant does not gain access to sensitive information (such as PIN and TAN). The transfer of data occurs only via connections secured with up to AES 256 bits. Sofort GmbH itself does not store any sensitive information like PIN and TAN, but carries out the transaction solely as a technical service provider. The online banking details like PIN and TAN are never visible to third parties or the employees of Sofort GmbH. To ensure the security of your information at all times, we rely not only on our own expertise. TÜV Saarland regularly tests and certifies our procedures.
Have there been cases of fraud with Sofort?
Since the inception of this payment method in 2005, in more than 50 million transactions, no customer who entered their PIN and TAN in the Sofort GmbH system has ever fallen victim to a case of PIN/TAN fraud. We are so confident of the security of Sofort that Sofort GmbH commits itself to reimbursing end customers who enter their online banking login details and confirmation codes into our system for any financial loss which might occur to the end customer from the misuse of his/her online banking login details and TANs routed via our system. Sofort GmbH will pay the amount reciprocally and simultaneously against cession of any claims by the end customer against third parties. In addition, the end customer is obliged to provide Sofort GmbH with all the necessary information pertaining to the pursuit of the matter, and to register an official complaint. The claim is not limited to any specific amount; however, it is not to exceed the amount of the damages that occurred as a result of the misuse of the stolen online banking login details and TANs.
Are my sensitive online banking login details such as PIN and TAN stored by Sofort GmbH?
No! PIN and TAN are not stored and are never visible to third parties or to employees of Sofort GmbH. This is no false promise, because we place our own compliance with data privacy regulations under close scrutiny. TÜV Saarland regularly evaluates and certifies our procedures according to the guidelines of federal German data-protection law.
Does the merchant have access to my account or my login details?
Certainly not! At no time does the merchant have access to your sensitive online banking details (such as PIN and TAN), which you enter into our encrypted payment form. Under no circumstances does the merchant have access to your account.
Does Sofort GmbH have access to my account or my login details?
In order to carry out the transaction, Sofort GmbH necessarily requires one-time access to your account. In this respect, Sofort GmbH functions as a technical service provider that transmits to your bank the information you put into the secure payment form via an encrypted connection. The Sofort system is a multi-banking software tool, used to operate your online banking.
How do I know this is the secure Sofort GmbH payment form and not a phishing attack?
“Phishing” means attempts by third parties to obtain and misuse sensitive personal information (e.g. account number, PIN, TAN, credit card number) from the recipients of, for example, “phishing emails”. These emails imitate messages from trustworthy sources and, via a link contained in the email, seek to lead the recipient to a fraudulent website. On that website (which in turn imitates the website of a trustworthy company), the victim is asked to provide personal information. You can check the authenticity of Sofort with the help of the following characteristics: 1) The Internet address (URL) must begin with https://www.sofort.com/ (this means you are using the secure Sofort payment form). 2) By clicking on the security certificate of Sofort GmbH – in green, at the beginning of the URL – you can see that Sofort GmbH is the owner of the certificate. The lock symbol confirms that the connection is secure. Sofort carries out data transfers via secured SSL connections.
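The address rule in point 1, as an added example (not code from Sofort GmbH): the URL is parsed and its scheme, host and port are compared exactly, next to a loose prefix comparison that omits the trailing slash and is therefore fooled by lookalike addresses. The function names and the sample addresses on the reserved `.example` domain are constructed for illustration.

```javascript
// Added example, not Sofort's code. The expected origin comes from the FAQ's rule
// "the URL must begin with https://www.sofort.com/".
const EXPECTED_ORIGIN = "https://www.sofort.com";

// Weak check: a plain prefix comparison without the trailing slash.
function loosePrefixCheck(candidate) {
  return candidate.startsWith(EXPECTED_ORIGIN);
}

// Strict check: parse the address, then compare scheme + host + port exactly.
function isSofortPaymentUrl(candidate) {
  let url;
  try {
    url = new URL(candidate); // throws on anything that is not an absolute URL
  } catch {
    return false;
  }
  // "user@host" syntax can hide the real host behind a familiar-looking name.
  if (url.username !== "" || url.password !== "") return false;
  // url.origin is lower-cased, punycode-encoded and omits the default port 443.
  return url.origin === EXPECTED_ORIGIN;
}

// Constructed sample addresses (hypothetical, for illustration only).
const SAMPLES = [
  "https://www.sofort.com/payment/start",   // genuine form of the address
  "https://WWW.SOFORT.COM:443/payment",     // same origin after normalisation
  "http://www.sofort.com/payment/start",    // not encrypted
  "https://www.sofort.com.pay.example/",    // real host is pay.example
  "https://www.sofort.com@pay.example/",    // real host is pay.example
  "https://www.sofort.com:8443/",           // unexpected port
  "https://www.s\u043efort.com/",           // Cyrillic "o" in the host name
  "www.sofort.com/payment",                 // no scheme at all
];

// Returns one row per sample with the verdict of both checks.
function compareChecks(samples) {
  return samples.map((s) => ({
    url: s,
    loose: loosePrefixCheck(s),
    strict: isSofortPaymentUrl(s),
  }));
}

console.table(compareChecks(SAMPLES));
```
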
Is it true that the general terms & conditions of the banks prohibit the disclosure of online banking login details and TANs?
The assertion of a breach of the general terms & conditions (prohibition of disclosure of PIN and TAN to third parties) is not correct. The German Federal Cartel Office (Bundeskartellamt) made its position clear in February 2011. It deemed that general terms & conditions of German banks, or interpretations of them, which prohibit the use of Sofort violate cartel law, and called upon the banks to enable non-discriminatory access for online payment systems that are independent of banks, such as Sofort. The banks have agreed not to claim publicly that users of Sofort were in breach of the banks' general terms & conditions.