blog-an-introduction-to-the-regulatory-technical-standards-part-1

An Introduction to the Regulatory Technical Standards for Strong Customer Authentication – Part 1: eIDAS

A major challenge faced by the EU in the creation of a Digital Single Market is finding the right balance between processes that can be harmonized and standardized and those that need to remain flexible to cater to the demands of the various Member States.

It is clear that eIDAS has been designed not only keeping this mind, but actually by taking it as the fundamental guiding principle during its creation.

eIDAS has been designed to allow for seamless (cross-border) operations while ensuring technological neutrality and flexibility in terms of how its minimum standards need to be met. The Regulatory Technical Standards for Strong Customer Authentication were released to supplement the PSD2 Directive and they also supplement the provisions of the eIDAS Regulation.

Main elements of the Regulatory Technical Standards

The Regulatory Technical Standards (RTS) are a Commission Delegated Regulation. They cover four broad areas:

  • Defining the requirements for achieving Strong Customer Authentication (SCA) in accordance with PSD2 and eIDAS. SCA requires the verification of the user elements which relate to possession, knowledge and/ or inherence. SCA is a central element for both eIDAS and PSD2 and the Regulatory Technical Standards shed light on their appropriate usage, the need to maintain their independence from each other and other related aspects. 
  • Specifying the conditions for exemptions from SCA in certain specific situations. Achieving SCA obviously has a time and monetary cost associated with it, both of which will not only affect the payment service provider but the end customer as well. Therefore, there are certain conditions under which SCA may not be required - like for small amounts or recurring transactions. However, there is a dynamic element here as well and service providers are required to perform real time transaction risk analysis and insist on SCA even for  exempt cases in case of an adverse alerts.
  • Protecting the end user from having his or her security credentials compromised in any way. RTS specifies multiple requirements to ensure this - like masking and encrypting security credentials and adequately protecting cryptographic materials from unauthorized access. 
  • Establishing common standards for things like open and secure communications between various parties involved in a transaction. RTS mandates elements like session IDs, timestamps, transactional logging, ensuring traceability etc. The flow of communication between Payment/ Information Service Providers, customers and other involved parties is also a fundamental security requirement and is covered by RTS.

eIDAS and RTS

RTS mandates the use of eIDAS defined qualified certificates and seals for identification. It states that “To improve user confidence and ensure strong customer authentication, the use of electronic identification means and trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council should be taken into account, in particular with regard to notified electronic identification schemes”. 

This is obviously a crucial element necessary for the smooth operation of the larger machine. The use of eIDAS enabled electronic identification means and trust services in ensuring Strong Customer Authentication makes these two directives complement each other pretty well and takes us further along the path to a Digital Single Market. 

References and further reading

In Part 2 and Part 3 of our series on the Regulatory Technical Standards, we looked at how it complements PSD2 and Achieving Transactional & Account Security respectively.

About the author

Ulrich Scholten es un empresario y científico activo a nivel internacional. Es doctor en tecnologías de la información y posee varias patentes sobre sensores basados en la nube. Sus investigaciones sobre computación en la nube se publican con regularidad en revistas y congresos de gran prestigio. De 2008 a 2015, fue investigador asociado en el Instituto de Investigación de Servicios de Karlsruhe (KSRI), una asociación de KIT e IBM, donde investigó los efectos de red en torno a las plataformas web junto con SAP Research.

To find more press releases related with below topics, click on one of the keywords:

¿En qué podemos ayudarle?

Hable con uno de nuestros especialistas y descubra cómo Utimaco puede ayudarle hoy mismo.
Ha seleccionado dos tipos diferentes de Download, por lo que necesita presentar formularios diferentes que puede seleccionar a través de las dos pestañas.

Su(s) solicitud(es) de Download:

    Al enviar el siguiente formulario, recibirá enlaces a las descargas seleccionadas.

    Su(s) solicitud(es) de Download:

      Para este tipo de documentos, es necesario verificar su dirección de correo electrónico. Recibirá los enlaces a las Download seleccionadas por correo electrónico después de enviar el siguiente formulario.

      Descargas de Utimaco

      Visite nuestra sección de descargas y seleccione recursos como folletos, fichas técnicas, libros blancos y mucho más. Puede ver y guardar casi todos ellos directamente (pulsando el botón de descarga).

      Para algunos documentos, es necesario verificar su dirección de correo electrónico. El botón contiene un icono de correo electrónico.

      Download via e-mail

      Al hacer clic en dicho botón se abre un formulario en línea que le rogamos rellene y envíe. Puede recopilar varias descargas de este tipo y recibir los enlaces por correo electrónico simplemente enviando un formulario para todas ellas. Su colección actual está vacía.