
An introduction to the Regulatory Technical Standards

The European Commission adopted the Delegated Regulation on Regulatory Technical Standards (RTS) in November 2017. These standards provide detailed specifications to achieve the strict security requirements for payment service providers in the EU.

The standards make reference to the PSD2 directive as well as other mechanisms for ensuring transactional security like eIDAS and trust services.

The main thrust of the RTS is as follows:

  • Ensuring Strong Customer Authentication (SCA) as required under the Revised Directive on Payment Services (commonly known as PSD2). This requires the adoption of certain security elements including those provided under eIDAS.
  • Defining exemptions from SCA for specific cases based on transactional amount, risk, mode and other features. This ensures that transactions are treated appropriately based on the level of risk. Such a provision for differential treatment ensures the optimum balance between security and speed.
  • Ensuring the confidentiality and integrity of user credentials.
  • Establishing open and standard communication channels between all parties - AISPs, PISPs, banks, financial institutions, payees, payers and other service providers as per PSD2. This not only ensures adequate security but also places AISPs and PISPs on a level playing field with the financial institutions.

The idea behind all of this is to provide a secure environment for payment processing and to prevent financial fraud and theft. This is done through strong customer authentication and transaction monitoring to detect any instances of fraud.

Knowledge, Possession and Inherence

The elements required to ensure strong customer authentication are defined as follows in the RTS:

  • Knowledge - Something that only the user knows
  • Possession - Something that only the user possesses
  • Inherence - Something that the user is

These elements must be independent of each other so as to mitigate the risk of fraud if one of them is compromised. A combination of these elements, transmitted over a secure channel, can ensure the right level of security for financial transactions.

Qualified seals and certificates

The standards mandate the use of qualified electronic seals and qualified website authentication for communications between payment service providers. These elements are defined in detail in Annexes III and IV of the eIDAS regulation and provide the high level of security that is necessary for financial transactions.

Certificates for website authentication play a very important role in ensuring the security and integrity of online transactions. It is no surprise then that almost two-thirds of all websites use these certificates. Qualified Certificates for Website Authentication (QWACs) are a special case defined under the eIDAS regulation, and the RTS have now made these certificates mandatory for payment-related transactions.

Secure and open communication channels

PSD2 has been designed to ensure a level playing field and encourage innovation in the payments industry. Secure and open communication between financial institutions and Payment/Account Information Service Providers is a key prerequisite to ensure fairness. The technical standards mandate the existence of at least one interface that financial institutions must provide to securely send and receive information from PISPs/AISPs. Additionally, the level of performance and availability of this interface must match what the financial institutions provide to their users directly.



References and Further Reading

  • COMMISSION DELEGATED REGULATION (EU) supplementing Directive 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), by the European Commission
  • Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
