You are here: 

FMA extends deadline for application of strong customer authentication for card payments in e-commerce transactions to 31.12.2020

Release Date: |

The Austrian Financial Market Authority (FMA) has extended the deadline for implementation of strong customer authentication (“two factor authentication”) for card payments in relation to e-commerce transactions until 31 December 2020. This is the result of an agreement that was reached last evening by the European Banking Authority (EBA). “Legal clarity is created for Austrian payment service providers as well as e-commerce users, while the functioning of payment transactions in this area are ensured and the harmonised regulation throughout Europe therefore ensures fair conditions for competition in this strongly cross-border business”, remarked the FMA’s Executive Directors, Helmut Ettl and Klaus Kumpfmüller.

Payment service providers wishing to make use of this deadline extension, must however submitted their implementation plans to the FMA about how they will ensure that strong customer authentication will be implemented by the end of 2020 at the latest, and to continually inform the FMA about the progress of the implementation process.

All other transactions apart from e-commerce, for which strong customer authentication is to be applied in accordance with the Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018)[1], such as when accessing a payment account online, making electronic credit transfers, or “Point of Sale” payments, are not affected by this deadline extension. For such transactions and payments, strong customer authentication has already had to be applied since 14 September 2019 throughout Europe.

Strong customer authentication

Strong customer authentication is intended to contribute towards the prevention of fraud in payment transactions as far as possible. It means that the identity of a person making a payment is to be verified using at least two out of a total of three factors. These factors are:

  • Knowledge – something that only the person making the payment knows, such as a password
  • Possession – something only the person making the payment possesses, such as a card that is read by a card reader or a mobile phone, on which a one-time password (TAN Code) is received
  • Inherence – something that only the person making the payment is, such as a fingerprint or a facial scan

Further information about strong customer authentication can be found on the FMA Website.


Journalists may address further enquiries to:

Klaus Grubelnik (FMA Media Spokesperson)


+43/(0)676/882 49 516

[1] The Payment Services Act 2018 has transposed the European Payment Service Directive II (PSD II), which entered into force on 13.1.2016, into Austrian law with effect from 1 June 2018.


Previous news entry: «
Next news entry: »