Austria delays strong customer authentication
Chris Hamblin, Editor, London, 26 October 2019
The Austrian Financial Market Authority has extended its deadline for the advent of strong customer authentication (otherwise known as 'two factor' authentication) for card payments in relation to e-commerce transactions until 31 December 2020.
This is the result of an agreement that it reached with the European Banking Authority, the European Supervisory Authority that dominates it.
Payment service providers that want to make use of this extension must submit plans to the FMA that lay out the ways in which they intend to 'authenticate' customers by the time of the new deadline. They must also keep informing the FMA about progress throughout the remaining period.
All other transactions apart from e-commerce, for which strong customer authentication is to be applied in accordance with the Payment Services Act 2018 (ZaDiG 2018; Zahlungsdienstegesetz 2018), such as the accessing of a payment account online or the making of electronic credit transfers or 'Point of Sale' payments, are not affected by this extension of the deadline. For such transactions and payments, strong customer authentication became compulsory on 14 September throughout the European Union.
Strong customer authentication is designed to help prevent fraud in payment transactions. It verifies the identity of a person who makes a payment by using at least two out of a total of three factors. These factors are:
- knowledge – something that only the person making the payment knows, such as a password;
- possession – something that only the person making the payment possesses, such as a card that is read by a card reader or a mobile phone, on which a one-time password (TAN Code) is received; and
- inherence – something that only the person making the payment can provide, such as a fingerprint or a facial scan.