eIDAS & strong customer authentication under PSD2

Since the beginning of 2018, PSD2, the 2nd Payment Services Directive, has been national law in all EU member states. Some countries, such as Germany and the UK, implemented the new directive early on; for others, implementation is still work in progress today.

The Second Payment Services Directive focuses on giving non-banking third party providers (TPPs) access to bank customer account information (after the customer’s approval, of course). You may have heard of “open banking” or “open APIs” – this is the facilitator for PSD2. For the first time, TPPs may access account information, confirm the availability of funds and even initiate payment transactions.

In today’s blog post, we will take a closer look at the link between PSD2 and the European eIDAS regulation, which a number of previous blog posts focused on: local vs. remote signing, sole control of signing keys, and eIDAS for banking & financial services.

eIDAS offers a comprehensive toolset for secure cross-border identification and transactions, in this case online financial and payment transactions:

  • Qualified website authentication certificates securely identify the (payment) service provider behind a website and confirm that it is a trustworthy page to connect and log in to.
  • Qualified electronic seals prove the origin and integrity of information or documents made available by a company.
  • Means of electronic identification (eID) play a vital role in the strong authentication mechanisms required under PSD2.

Let’s dive into the concept of Strong Customer Authentication (SCA) a little more. In the context of PSD2, the European Commission will introduce a Delegated Regulation on Regulatory Technical Standards (RTS) by September 2019. It applies to customer-initiated online payments within the European Economic Area and provides a technical framework for secure authentication and communication. SCA requires businesses to use two independent authentication factors of different categories to execute a customer’s payment transaction. This is of great importance when open banking APIs are in play, because banks must be able to securely identify (i.e. authenticate) customers to comply with PSD2. “Something the customer knows / has / is” shall be used in combination. The eID, with its cross-border usage and recognition as governed by the eIDAS regulation, can constitute an authentication mechanism based on what a user has (eID card) and what a user knows (PIN).

The Regulatory Technical Standard also requires qualified certificates for electronic seals and website authentication, as described above and defined by eIDAS.

When opening a bank account, the payment service provider can attach its electronic seal to all documentation provided to the future customer. Next, the customer’s identity must be verified under the AML4 directive, which can be done by means of a notified eID throughout Europe. For contract signing, the next process step, a qualified electronic signature may be required when the contract is signed remotely. For account login, SCA is required in certain cases, while it is mandatory for most cases of transaction authorization and payment initiation.

A number of exemptions from SCA exist, such as low-value transactions, identical recurring payments to the same recipient, or payments to trusted beneficiaries listed with the customer’s bank.
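To make the SCA rule and the exemptions concrete, here is an added illustration (not Utimaco’s code or any PSD2 reference implementation) that models the two-category factor check from the paragraphs above next to a simplified exemption decision. The low-value threshold and the exemption conditions are assumed placeholders for the example, not values taken from the RTS.

```python
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Factor(Enum):
    """The three SCA factor categories named in the text."""
    KNOWLEDGE = "something the customer knows"   # e.g. PIN, password
    POSSESSION = "something the customer has"    # e.g. eID card, phone
    INHERENCE = "something the customer is"      # e.g. fingerprint


# Assumed placeholder for this illustration; NOT a value quoted from the RTS.
LOW_VALUE_LIMIT_EUR = 30.0


@dataclass(frozen=True)
class Payment:
    amount_eur: float
    payee: str
    recurring_series: bool = False   # identical recurring payment to the same payee (assumed flag)
    payee_trusted: bool = False      # payee is on the customer's trusted-beneficiary list


def factors_satisfy_sca(presented: List[Factor]) -> bool:
    """SCA needs at least two independent factors from DIFFERENT categories.

    Two factors of the same category (e.g. password + PIN, both knowledge)
    do not count, so we check the number of distinct categories, not inputs.
    """
    return len(set(presented)) >= 2


def sca_exempt(p: Payment) -> Optional[str]:
    """Return the name of the (simplified) exemption that applies, or None."""
    if p.amount_eur <= LOW_VALUE_LIMIT_EUR:
        return "low value"
    if p.recurring_series:
        return "recurring payment to same payee"
    if p.payee_trusted:
        return "trusted beneficiary"
    return None


def authorize(p: Payment, presented: List[Factor]) -> bool:
    """Allow the payment if an exemption applies or the factors satisfy SCA."""
    if sca_exempt(p) is not None:
        return True
    return factors_satisfy_sca(presented)
```

The eID card plus PIN combination from the text is `[Factor.POSSESSION, Factor.KNOWLEDGE]`, which passes the check; a password plus PIN does not.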

Utimaco HSMs support all the above-mentioned trust services required by PSD2 and the related RTS. If you have any questions or require assistance evaluating your security needs, please do not hesitate to reach out to us.

A first version of this article was published on December 07, 2018

Blog post by Paul Abraham
