You are here: 

FMA extends implementation period for strong customer authentication for card payments in e-commerce

Release Date: |

The Austrian Financial Market Authority (FMA) will be extending the implementation period for strong customer authentication (two-factor authentication) for card payments made online to give payment service providers and merchants more time to migrate to SCA-compliant authentication approaches. The European Banking Authority (EBA) is allowing competent authorities to grant limited additional time for the implementation of SCA measures, and the FMA has taken advantage of this supervisory flexibility. Payment service providers must submit a migration plan to the FMA and regularly update their competent authority on the migration progress made. The new deadline for the migration to SCA-compliant approaches in e-commerce, and the finer detail of the implementation process as well as regular information requirements will be adopted at European level at the end of September 2019, as of which time they will apply throughout Europe.


Other areas that will require strong customer authentication in future – such as online access to payment accounts, electronic credit transfers or point-of-sale payments – are not affected by this extension. Strong customer authentication will be required in all of these areas across the EU from 14 September 2019 onwards.


Strong customer authentication means authenticating payers by using two out of a total of three elements in order to minimise the risk of payment fraud. These elements have been categorised as:

  • Knowledge – something only the payer knows, such as a password
  • Possession – something only the payer possesses, such as a card evidenced by a card reader or a device evidenced by a one-time password
  • Inherence – something that can only be attributed to the payer, such as a fingerprint or the geometry of their face.


Strong customer authentication has been defined in the revised Payment Services Directive (PSD2), which entered into force on 13 January 2016 and was transposed into national law on 1 June 2018 by the Payment Services Act 2018 (ZaDiG 2018). Originally, businesses had until 14 September 2019 to migrate to strong customer authentication. The “Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2”, which the EBA published on 21 June 2019, enabled an extension of this deadline in relation to electronic card payments.


For further information on strong customer authentication (in German), please go to:


Journalists may address further enquiries to:

Annemarie Bauer

+43 / (0)1 / 24959-6007

+43/ (0) 676 / 88 249 519

Previous news entry: «