In accordance with Section 1 para. 24 of the German Payment Services Supervision Act (ZAG), “strong customer authentication” is an authentication process that is designed to protect the confidentiality of the authentication data and that is carried out using at least two of the following elements, which are independent of each other in the sense that a failure of one of them does not call into question the reliability of the others:
- Category 1: Knowledge, i.e. something only the user knows,
- Category 2: Possession, i.e. something only the user owns, or
- Category 3: Inherence, i.e. something the user is.
According to Section 55 para. 1 sentence 1 ZAG, payment service providers are obliged to require strong customer authentication if a payer accesses his or her payment account online, triggers an electronic payment transaction or carries out an action via remote access that involves the risk of fraud in payment transactions or other misuse.
Delegated Regulation (EU) 2018/389 contains further requirements for the authentication procedure.