An Introduction to the Regulatory Technical Standards for Strong Customer Authentication – Part 3: Achieving Transactional & Account Security

The Regulatory Technical Standards (RTS) is a supplementary directive designed to complement the Revised Payment Service Directives (PSD2), eIDAS and any other such cases where Strong Customer Authentication is required. 

In Part 1 and Part 2 of our series on the Regulatory Technical Standards, we looked at how it complements eIDAS and PSD2 respectively. RTS not only stipulates the specifics of achieving Strong Customer Authentication, but it also lays the groundwork for establishing secure communication between various parties to an online transaction.

While on the surface it may seem like the Regulatory Technical Standards on Strong Customer Authentication have been designed to target a very specific problem (that of customer authentication), they in fact comprehensively target broader transactional security in the following ways:

  • RTS allows for technologically neutral resolutions. Solution providers can choose from a variety of methods including one-time passwords, digital signatures or other cryptographically underpinned validity assertions. This allows for customization based on cost considerations and technological compatibility with other systems, as long as the minimum security criteria are met.
  • Dynamic linking of transactions with authentication codes is another RTS requirement which provides another layer of security and protection against fraud and misuse. 
  • Consumers often cite security as a primary deterrent to engaging in online payment transactions. This is obviously a hindrance to the goal of achieving a Digital Single Market and RTS provides for mechanisms to safeguard against such activities. With rapidly evolving cyber threats, transaction monitoring mechanisms are necessary to ensure that security credentials have not been lost or compromised.
  • In terms of transaction volume, retail customers obviously account for the lion’s share. But in terms of transaction value, corporate and institutional clients dominate. RTS requirements for Strong Customer Authentication are applicable to both groups and apply to natural persons as well as corporate entities. 
  • All the security in the world would be for nothing if the customer experience is not good enough for him or her to engage in the transactions in the first place. Requiring frequent intervention for recurring transactions or for very small value micro-transactions might not be desired or necessary. RTS provides exemptions for such cases.
  • RTS encourages the dynamic setting of risk levels on a transactional basis based on real-time transaction risk analysis. What this essentially means is that even low value exempted transactions might require SCA if the transaction is deemed unusual based on real time analysis. While at the same time, additional exemptions from SCA may be allowed for transactions that are deemed to be low risk. This entire mechanism is obviously dependent on the effectiveness of the real time risk analysis algorithms used.
  • In order to gauge the effectiveness of the real-time transaction risk analysis mentioned above, service providers would also be required to calculate fraud rates and report the data to the European Banking Authority (EBA) and other competent authorities.
    This means that service providers which are better at protecting their customers from fraud would be allowed more exemptions and will therefore have more leeway in designing hassle-free mechanisms. 


Although some service providers have offered reservations about RTS, there is definitely enough flexibility built-in to allow for a multitude of approaches to achieving the goal of transactional and account security. By making exemption thresholds dynamic based on actual performance, service providers with better systems and procedures will have even more options available to them. For the end users, this means better security and the assurance of certain minimum standards.

References and further reading

About the author

Ulrich Scholten ist ein international tätiger Unternehmer und Wissenschaftler. Sie hat einen Doktortitel in Informationstechnologie und besitzt mehrere Patente für cloudbasierte Sensoren. Seine Forschung zum Thema Cloud Computing wird regelmäßig in renommierten Zeitschriften und Konferenzbeiträgen veröffentlicht. Von 2008 bis 2015 war er wissenschaftlicher Mitarbeiter am Karlsruher Service Research Institute (KSRI), einer Partnerschaft von KIT und IBM, wo er gemeinsam mit SAP Research Netzwerkeffekte im Zusammenhang mit Webplattformen erforschte.

To find more press releases related with below topics, click on one of the keywords:

Wie können wir Ihnen helfen?

Sprechen Sie mit einem unserer Spezialisten und erfahren Sie, wie Utimaco Sie unterstützen kann.
Sie haben zwei verschiedene Arten von Downloads ausgewählt, so dass Sie verschiedene Formulare absenden müssen, die Sie über die beiden Tabs auswählen können.

Ihre Download-Sammlung:

    Direkt nach dem Absenden des Formulars erhalten Sie die Links zu den von Ihnen ausgewählten Downloads.

    Ihre Download-Sammlung:

      Für diese Art von Dokumenten muss Ihre E-Mail Adresse verifiziert werden. Sie erhalten die Links für die von Ihnen ausgewählten Downloads per E-Mail, nachdem Sie das unten stehende Formular abgeschickt haben.

      Downloads von Utimaco

      Besuchen Sie unseren Download-Bereich und wählen Sie aus: Broschüren, Datenblätter, White-Papers und vieles mehr. 

      Fast alle können Sie direkt ansehen und speichern (indem Sie auf den Download-Button klicken).

      Für einige Dokumente muss zunächst Ihre E-Mail-Adresse verifiziert werden. Der Button enthält dann ein E-Mail-Symbol.

      Download via e-mail


      Der Klick auf einen solchen Button öffnet ein Online-Formular, das Sie bitte ausfüllen und abschicken. Sie können mehrere Downloads dieser Art sammeln und die Links per E-Mail erhalten, indem Sie nur ein Formular für alle gewählten Downloads ausfüllen. Ihre aktuelle Sammlung ist leer.