An Introduction to the Regulatory Technical Standards for Strong Customer Authentication – Part 3: Achieving Transactional & Account Security

The Regulatory Technical Standards (RTS) is a supplementary directive designed to complement the Revised Payment Service Directives (PSD2), eIDAS and any other such cases where Strong Customer Authentication is required. 

In Part 1 and Part 2 of our series on the Regulatory Technical Standards, we looked at how it complements eIDAS and PSD2 respectively. RTS not only stipulates the specifics of achieving Strong Customer Authentication, but it also lays the groundwork for establishing secure communication between various parties to an online transaction.

While on the surface it may seem like the Regulatory Technical Standards on Strong Customer Authentication have been designed to target a very specific problem (that of customer authentication), they in fact comprehensively target broader transactional security in the following ways:

  • RTS allows for technologically neutral resolutions. Solution providers can choose from a variety of methods including one-time passwords, digital signatures or other cryptographically underpinned validity assertions. This allows for customization based on cost considerations and technological compatibility with other systems, as long as the minimum security criteria are met.
  • Dynamic linking of transactions with authentication codes is another RTS requirement which provides another layer of security and protection against fraud and misuse. 
  • Consumers often cite security as a primary deterrent to engaging in online payment transactions. This is obviously a hindrance to the goal of achieving a Digital Single Market and RTS provides for mechanisms to safeguard against such activities. With rapidly evolving cyber threats, transaction monitoring mechanisms are necessary to ensure that security credentials have not been lost or compromised.
  • In terms of transaction volume, retail customers obviously account for the lion’s share. But in terms of transaction value, corporate and institutional clients dominate. RTS requirements for Strong Customer Authentication are applicable to both groups and apply to natural persons as well as corporate entities. 
  • All the security in the world would be for nothing if the customer experience is not good enough for him or her to engage in the transactions in the first place. Requiring frequent intervention for recurring transactions or for very small value micro-transactions might not be desired or necessary. RTS provides exemptions for such cases.
  • RTS encourages the dynamic setting of risk levels on a transactional basis based on real-time transaction risk analysis. What this essentially means is that even low value exempted transactions might require SCA if the transaction is deemed unusual based on real time analysis. While at the same time, additional exemptions from SCA may be allowed for transactions that are deemed to be low risk. This entire mechanism is obviously dependent on the effectiveness of the real time risk analysis algorithms used.
  • In order to gauge the effectiveness of the real-time transaction risk analysis mentioned above, service providers would also be required to calculate fraud rates and report the data to the European Banking Authority (EBA) and other competent authorities.
    This means that service providers which are better at protecting their customers from fraud would be allowed more exemptions and will therefore have more leeway in designing hassle-free mechanisms. 


Although some service providers have offered reservations about RTS, there is definitely enough flexibility built-in to allow for a multitude of approaches to achieving the goal of transactional and account security. By making exemption thresholds dynamic based on actual performance, service providers with better systems and procedures will have even more options available to them. For the end users, this means better security and the assurance of certain minimum standards.

References and further reading

About the author

Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a PhD in information technology and owns several patents on cloud-based sensors. His research on cloud computing is regularly published in highly rated journals and conference papers. From 2008 - 2015, he was associated research scientist at the Karlsruhe Service Research Institute (KSRI), a partnership by KIT and IBM, where he researched network effects around web-platforms together with SAP Research.

To find more blog posts related with below topics, click on one of the keywords:

How can we help you?

Talk to one of our specialists and find out how Utimaco can support you today.
You have selected two different types of downloads, so you need to submit different forms which you can select via the two tabs.

Your download request(s):

    By submitting below form you will receive links for your selected downloads.

    Your download request(s):

      For this type of documents, your e-mail address needs to be verified. You will receive the links for your selected downloads via e-mail after submitting below form.

      About Utimaco's Downloads

      Visit our Downloads section and select from resources such as brochures, data sheets, white papers and much more. You can view and save almost all of them directly (by clicking the download button).

      For some documents, your e-mail address needs to be verified. The button contains an e-mail icon.

      Download via e-mail


      A click on such a button opens an online form which we kindly ask you to fill and submit. You can collect several downloads of this type and receive the links via e-mail by simply submitting one form for all of them. Your current collection is empty.