You are here: 

Information on Strong Customer Authentication

Release Date:

What is strong customer authentication?

Strong customer authentication, also referred to as “two factor authentication” is the process for checking the identity of persons making payments on the basis of two out of three elements. These elements are:

  • Knowledge – something only the user knows, such as a password
  • Possession – something only the user possesses, such as a card that is read by a card reader or a mobile phone, on which a one-time password (TAN Code) is received
  • Inherence – something that can only be attributed to the payer, such as a fingerprint or the facial geometry from a scan of their face

Strong customer authentication is intended to minimise payment fraud and to make payment transactions more secure.

For what areas does strong customer authentication apply?

Strong customer authentication applies for various areas with regard to payments, such a accessing a payment account online, for electronic transfers, for card payments in relation to e-commerce, i.e. online shopping, as well as for payments made at the point of sale, i.e. in a physical shop.

From when do the strong customer authentication requirements apply?

Generally the new rules on strong customer authentication entered into force on 14.09.20219, apart from for one exception: the European Banking Authority (EBA) gave national competent authorities the option to extend the deadline for implementation in the e-commerce area until 31.12.2020 to allow affected service providers, including payment service providers as well as retailers, to have extra time for making the necessary technical adjustments. In order to support the frictionless functioning of payments, the FMA made use of this supervisory forbearance. The rules on strong customer authentication have also been in force since 01.01.2021 in the e-commerce field, although the period up to 15.03.2021 was considered as an extended test phase. By the end of this test phase, strong customer authentication was expected to take place for all areas, in the case that no legal exception were to apply.

What has changed for consumers as a result of the introduction of strong customer authentication?

Authorised account users are required to identify themselves on the basis of two factors when accessing their account, when initiating payments or in the case of other activities via remote access, for which there is an inherent risk of payment fraud or other potential abuse. For example, this can mean:

  • Accessing an online account using a password and a fingerprint, thereby fulfilling the factors of knowledge (the password) and inherence (the fingerprint).
  • A card payment in the area of e-commerce (online shopping) may for example be executed using a password and code received on a mobile phone, thereby fulfilling the factors of knowledge (the password) and possession (the mobile phone).
  • A card payment made in a physical shop may for example be executed by means of a card and a PIN code, with the factors of possession (the card) and knowledge (the PIN code) being fulfilled. An exception exists for contactless payments made at the point of sale for low value payments of up to 30 Euro.

What will change for retailers?

Retailers must make the necessary changes to the settlement of payments. This specifically means that the hardware and software used must guarantee that strong customer authentication is able to be performed.

What will change for orders in other EU countries?

Payments for orders from retailers that use payment service providers outside of the European Economic Area (EEA) are known as “one leg out” transactions. In this instance the payment service provider is not subject to the second Payment Services Directive (PSD2), and therefore strong customer authentication is not mandatory in the case of card-based payments either at the point of sale (POS) or via e-commerce. In the case of credit transfers in countries that are not part of the EEA, then strong customer authentication is mandatory, as such transactions are initiated directly by the payer’s payment service provider.