Last November saw the adoption of the Delegated Regulation on Regulatory Technical Standards (RTS) by the European Commission. The objective of this regulation is to provide for Strong Customer Authentication (SCA) and establish secure channels of communications.

These standards provide a broad and comprehensive technical framework for the implementation of customer authentication for payment services in both online and physical point-of-sale locations.

The standards also reference the use of electronic identification and trust services as set out in the eIDAS Regulation (Regulation (EU) No 910/2014). The eIDAS standards provide a way for customers, businesses and public service providers to offer and receive services based on national electronic IDs. eIDAS also provides for electronic signatures, timestamps, electronic seals, website authentication and other electronic trust services which are to be used where appropriate.

The eIDAS linkage

A combination of these technical standards, along with the guidelines in the PSD2 directive and the eIDAS regulation, will provide a complete and secure package to the payments industry. For example, under the technical standards, payment providers must rely on "qualified certificates for electronic seals" as defined in the eIDAS regulation. The specific requirements for these certificates are set out in Annex III of the eIDAS Regulation. The RTS also requires a "qualified certificate for website authentication", which must be issued by a qualified trust service provider in accordance with Annex IV of the eIDAS regulation.

The technical standards thus make full use of the authentication and identification standards defined in detail in the eIDAS regulation. This ensures that best-in-class identification and authentication tools are in place while relying on existing infrastructure to achieve maximum cost efficiency. The effective use of the tools provided under eIDAS also means that third-party solution providers (such as Account Information Service Providers and Payment Initiation Service Providers) can participate and offer the same level of security and protection as the primary financial institution.

Exceptions and safeguards

While establishing strong authentication is paramount in a payments system, it is also important to maintain technological neutrality. The RTS takes this into account: rather than mandating specific solutions such as OTPs, digital signatures or other particular cryptographic techniques, it leaves the choice open as long as the security requirements are met.

This neutrality applies not only to the authentication system but to the various business models of payment processors as well. For example, low-value payments (less than EUR 30), proximity payments and certain types of remote payments have exemptions in place that allow them to operate with minimum encumbrance within the framework of the RTS. Exemptions are subject to specific thresholds in terms of amount, risk, payment method and so on.

Corporate payment systems (as opposed to retail) usually employ different protocols for authorizing payment transactions (such as physical authenticators, multi-person authentication, etc.), and the RTS allows exemptions here subject to the approval of the competent national authorities.

References and Further Reading

  • Commission Delegated Regulation (EU) supplementing Directive 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), European Commission
  • Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and others