3 min read

eIDAS & RTS for Strong Customer Authentication

eIDAS & RTS for Strong Customer Authentication

The Delegated Regulation on Regulatory Technical Standards (RTS) by the European Commission aims to facilitate Strong Customer Authentication (SCA) and establish secure communication channels.

These standards provide a broad and comprehensive technical framework for the implementation of customer authentication for payment services in both online and physical point-of-sale locations.

The standards also include references to the use of electronic identification and trust services as outlined in the eIDAS Regulation (Regulation (EU) No 910/2014). The eIDAS standards provide a way for customers, businesses, and public service providers to offer and receive services based on national electronic IDs. eIDAS also provides electronic signatures, timestamps, electronic seals, website authentication, and other electronic trust services, which must be used where applicable.


The eIDAS linkage

New Call-to-actionA combination of these technical standards, along with the guidelines in the PSD2 directive and the eIDAS regulation, will provide a complete and secure package to the payments industry. For example, as per the technical standards, payment providers must rely on "qualified certificates for electronic seals" as per the eIDAS regulation. The specific requirements for these certificates are defined in Annex III of the eIDAS Regulation. According to Annex IV of the eIDAS regulation, a "qualified certificate for website authentication" is also needed for RTS. This certificate must be issued by a qualified trust service provider.

The technical standards make extensive use of the authentication and identification standards outlined in detail in the eIDAS regulatory standards. This ensures that best-in-class identification and authentication tools are in place while relying on the existing infrastructure to achieve maximum cost efficiency. The effective use of the tools provided under eIDAS also means that third-party solution providers (such as Account/ Payment Information Service Providers) can also participate and offer the same level of security and protection as the primary financial institution.


Exceptions and safeguards

While establishing strong authentication is paramount in a payment system, it is also important to maintain technological neutrality. The RTS takes this into account, and rather than specifying solutions like OTP, digital signatures, or other specific cryptographic techniques, it keeps the option open as long as the security requirements are met.

This neutrality applies not only to the authentication system but to various business models for payment processors as well. For instance, low-value payments (less than EUR 30), proximity payments, and certain types of remote payments have certain exceptions in place, allowing them to operate with minimum encumbrance within the framework of the RTS. Exceptions are subject to specific thresholds in terms of amount, risk, payment method, etc.

Corporate payment systems (as opposed to retail) usually employ different protocols for authorizing payment transactions (such as physical authenticators, multi-person authentication, etc.), and RTS permits exemptions here subject to the satisfaction of the competent regional authorities.


Download white paper



References and Further Reading

  • COMMISSION DELEGATED REGULATION (EU) supplementing Directive 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), by the European Commission
  • Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more