An Introduction to the Regulatory Technical Standards for Strong Customer Authentication – Part 2: PSD2

The Revised Payment Service Directive (PSD2) is nothing short of revolutionary when it comes to the retail payment services industry in Europe. In fact, many of the innovative new products and services that PSD2 will indirectly create are likely to percolate to every sector of the economy.

In part 1 of this series, we had a close look at eIDAS and strong customer authentication. This sequel looks at PSD2.

PSD2 finally allows for the creation of a true platform economy in financial services, which is just what was needed to kick-start innovation. This is what will allow banks and financial services companies to benefit from crowd-sourced innovation, which works so well in sectors like technology.

Comprehensive as it is, PSD2 is still just one piece of the puzzle. A business process has a lot of moving parts and for PSD2 to succeed, the EU has to ensure that all the supporting directives and regulations are in place as well. One example might be eIDAS which provides for the use of electronic identification and trust services across all Member States.

And when it comes to Strong Customer Authentication (which is a mandatory requirement under PSD2), it is the Regulatory Technical Standards which complete that picture.

PSD2 and RTS

Article 97 of PSD2 covers the authentication requirements. Strong Customer Authentication (SCA) is a mandatory requirement whenever a user has to access his or her account online, initiate a transaction or perform any other remote action which has a risk of fraud or other such abuse.

There are exemptions, for example for small-value or recurring transactions, because requiring SCA in those cases may cause unnecessary disruption for the user. Additionally, the requirements for setting dynamic thresholds and performing real-time fraud analysis mean that emerging threats and situations can be detected in real time.

Another important element is dynamically linking transactions to specific amounts and payees. This means, for example, that authentication codes are generated for specific amounts and specific payees only and can’t be intercepted and misused for a different, fraudulent transaction.
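Dynamic linking as described above, in an added example that is not part of the original article: an authentication code is computed over the amount and payee, so a verifier rejects it for any other transaction. The HMAC-SHA256 construction, the per-transaction nonce, the function names and the 8-digit code length are assumptions chosen for illustration, and the IBANs are sample values.

```python
import hashlib
import hmac
from decimal import Decimal

CODE_DIGITS = 8  # assumption: length of the code presented to the payer


def _canonical(amount: str, currency: str, payee_iban: str, nonce: bytes) -> bytes:
    """Encode the transaction so that every field is unambiguously bound."""
    # Normalise the amount so "10.5" and "10.50" bind to the same value.
    amt = format(Decimal(amount).quantize(Decimal("0.01")), "f")
    iban = payee_iban.replace(" ", "").upper()
    parts = [amt.encode(), currency.upper().encode(), iban.encode(), nonce]
    # Length prefixes stop bytes from one field being shifted into another.
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def make_code(key: bytes, amount: str, currency: str,
              payee_iban: str, nonce: bytes) -> str:
    """Derive a code that is valid only for this amount and this payee."""
    mac = hmac.new(key, _canonical(amount, currency, payee_iban, nonce),
                   hashlib.sha256).digest()
    number = int.from_bytes(mac[:8], "big") % 10 ** CODE_DIGITS
    return str(number).zfill(CODE_DIGITS)


def verify_code(key: bytes, code: str, amount: str, currency: str,
                payee_iban: str, nonce: bytes) -> bool:
    """Recompute the code from the transaction as received and compare."""
    expected = make_code(key, amount, currency, payee_iban, nonce)
    # Constant-time comparison avoids leaking how many digits matched.
    return hmac.compare_digest(expected.encode(), code.encode("utf-8"))


def demo() -> dict:
    # Constructed sample data: key, nonce and IBANs are illustrative only.
    key = bytes(range(32))
    nonce = b"txn-0001-nonce"
    payee, other = "DE89 3704 0044 0532 0130 00", "GB29 NWBK 6016 1331 9268 19"
    code = make_code(key, "120.00", "EUR", payee, nonce)
    return {
        "original": verify_code(key, code, "120.00", "EUR", payee, nonce),
        "changed_amount": verify_code(key, code, "9120.00", "EUR", payee, nonce),
        "changed_payee": verify_code(key, code, "120.00", "EUR", other, nonce),
    }


if __name__ == "__main__":
    print(demo())
```

A code captured in transit verifies only against the amount and payee it was generated for; replaying it with either field altered fails the check.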

This is just one small example of the much larger security system that RTS and Strong Customer Authentication will enable for the industry.

Transaction Risk Analysis 

This is one of the more interesting aspects covered by the RTS. Risk analysis is nothing new, and banks and other service providers already do it on a real-time basis. But the very specific requirements laid out in the RTS mean that risk analysis will become an elemental requirement with a basic minimum threshold across the EU. This not only means that the playing field will be leveled, but it also means that customers will have more choice. Service providers will benefit too, because with a defined basic minimum standard they will be able to buy off-the-shelf solutions more cheaply.

The European Banking Authority (and other competent bodies) will also have access to the results of these risk analyses and fraud rates, which highlights that the regulatory focus is not just on financial health but also on cyber security.


RTS covers a number of elements which relate to transactional security – like traceability, obligation for access interfaces, delivery of credentials etc.  But the gist of it is that it is the perfect supporting directive to an already comprehensive PSD2 and just brings in more clarity. Considering how tricky it can be to navigate complex and old directives across multiple countries, this is a welcome change.

Part 3 of this series shows how the Regulatory Technical Standards lay groundwork for transactional security. 


About the author

Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a PhD in information technology and owns several patents on cloud-based sensors. His research on cloud computing is regularly published in highly regarded journals and conference proceedings. From 2008 to 2015, he was a research associate at the Karlsruhe Service Research Institute (KSRI), a partnership of KIT and IBM, where he researched network effects around web platforms together with SAP Research.
