
PSD2 & the Technical Standards for Strong Customer Authentication

The 2015 Revised Directive on Payment Services (also known as PSD2) lays the foundation for safe and secure payments throughout the European Union. PSD2 places a substantial emphasis on ensuring that adequate safeguards are put in place to prevent fraud and other unauthorized use of payment mechanisms.

The Delegated Regulation on Regulatory Technical Standards (RTS) adopted by the European Commission in 2017 outlines the specific requirements for ensuring strong customer authentication and the other security measures such transactions need. The RTS document describes the protocols that must be implemented to protect the security and confidentiality of customer information and to ensure secure and open communication throughout the payment process.


Creating a level playing field

There are various business models currently in use in the payments industry. All of these models co-exist and cater to specific niches of the market. For example, some models might be suited for micro-transactions, while others might be more cost-effective for cross-border payments. In addition to business models, there are also various technologies and protocols, each of which offers different advantages to consumers. Since the goal of PSD2 was to increase competition, fair play, and innovation in the payments industry, the new technical standards have been designed to do the same.

The technical specifications within the Regulatory Technical Standards (RTS) are designed to be technology and business-model neutral. Certain exemptions exist for remote, proximity and low-value payments and for transaction risk analysis. These ensure that the payment infrastructure is not overburdened while maintaining industry-leading security.


Ensuring Strong Customer Authentication

The Regulatory Technical Standards specify various elements to ensure Strong Customer Authentication as required under PSD2. Secure communication between banks, other financial institutions, and third-party providers (Account Information Service Providers and Payment Initiation Service Providers, AISPs and PISPs) is perhaps the most important requirement of PSD2 covered under the RTS. The standards mandate that financial institutions define transparent KPIs (Key Performance Indicators) and service level targets for their payment interface.

The RTS defines, in detail, the requirements for strong customer authentication. eIDAS also plays a key role: online platforms identify and authenticate each other electronically via qualified certificates issued under it. Other elements include an authentication code that is secure and cannot be forged, dynamic linking of that code to a specific transaction, and other risk mitigation techniques.
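As an added illustration (not code from this post, and not an algorithm prescribed by the RTS, which is technology-neutral), the Python sketch below shows what dynamic linking means in practice: the authentication code is computed over the amount and payee the payer saw plus a one-time nonce, so altering either, or replaying the code under a new nonce, makes verification fail. The HMAC construction, the key assumed to be shared between the issuer and the payer's authenticator, the nonce handling and the IBANs are all assumptions for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    amount_cents: int   # amount in minor units, avoiding floating-point ambiguity
    currency: str       # ISO 4217 code, e.g. "EUR"
    payee_iban: str     # the payee exactly as shown to the payer for approval


def _canonical(tx: Transaction, nonce: bytes) -> bytes:
    """Length-prefix every field so different inputs can never encode identically."""
    parts = [str(tx.amount_cents).encode(), tx.currency.encode(),
             tx.payee_iban.encode(), nonce]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def generate_auth_code(key: bytes, tx: Transaction, nonce: bytes) -> str:
    """Code bound to amount, currency, payee and a one-time nonce (assumed HMAC)."""
    mac = hmac.new(key, _canonical(tx, nonce), hashlib.sha256).hexdigest()
    return mac[:12]  # truncated for display; the binding to the inputs is unchanged


def verify_auth_code(key: bytes, tx: Transaction, nonce: bytes, code: str) -> bool:
    """Constant-time comparison; any change to amount or payee yields False."""
    return hmac.compare_digest(generate_auth_code(key, tx, nonce), code)


def demo() -> dict:
    """Constructed sample: placeholder key and IBANs, not real accounts."""
    key = hashlib.sha256(b"constructed demo authenticator key").digest()
    nonce = secrets.token_bytes(16)  # issued fresh for each authentication attempt
    shown = Transaction(10000, "EUR", "DE00EXAMPLE0000000000")  # EUR 100.00
    code = generate_auth_code(key, shown, nonce)
    return {
        "as_shown": verify_auth_code(key, shown, nonce, code),
        "amount_altered": verify_auth_code(
            key, Transaction(100000, "EUR", shown.payee_iban), nonce, code),
        "payee_altered": verify_auth_code(
            key, Transaction(10000, "EUR", "DE00EXAMPLE9999999999"), nonce, code),
        "replayed_under_new_nonce": verify_auth_code(
            key, shown, secrets.token_bytes(16), code),
    }

if __name__ == "__main__":
    print(demo())
```

Only the first entry of the returned dictionary is True; the three tampered or replayed cases fail verification even though the same code is presented.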


Risk Analysis and Monitoring

In order to keep the process dynamic and spare the system and end-users an excessive burden, low-risk transactions are allowed certain exemptions. The exact criteria for classifying a transaction as low risk are also stipulated in the standards and include the fraud rate for that type of transaction, the transaction threshold value, real-time analysis of user location, spending behavior, and so on. This risk analysis adds an additional layer of control and incentivizes the proper use of risk monitoring tools to keep the payment backbone operating at maximum efficiency.




References and Further Reading

  • COMMISSION DELEGATED REGULATION (EU) supplementing Directive 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), by the European Commission
  • Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more

Image: The European flag, courtesy of Rock Cohen, Flickr (CC BY-SA 2.0)