Blog article
See all stories »

PSD2 - The Final RTS: 10 Things You Need To Know

The wait is over. The European Banking Authority (EBA) has recently published its ‘final’ Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and common and secure communication under PSD2. PSD2 and particularly the SCA aspect has the potential to dramatically change not just the payments sector but the wider banking market and has been the subject of heated discussions and aggressive lobbying.

The market has therefore been waiting with bated breath to view and digest the finalised standards. The final RTS provides clarity on a number of ambiguities contained in the draft version and covers a great deal of ground. However, like a Christopher Nolan movie it still leaves you hanging with unanswered questions at the end.

With the document standing at more than 150 pages it can be difficult to identify the major points and key changes from the draft version. To help, here’s a distillation of the paper, covering ten points we believe the market needs to heed:

1. Banks to define their own interfaces
The RTS does not provide definitions of the interfaces needed. Luckily some industry groups (e.g. Berlin Group) have come together to define common standards, and the European Retail Payments Board (ERPB) has convened working groups to facilitate this process. It’s up to the banks to define their own interfaces, but at least they will have some de-facto standards to base them on.

2. APIs, not screen scraping
Rationale 32 says that “screen scraping will no longer be allowed”, but something that looks a lot like screen scraping is still allowed. TPPs using this interface must digitally sign the messages to identify themselves, which is at least a step forward; however, other security holes associated with screen-scaping remain. Note that if a bank provides a “dedicated” (API) interface, TPPs must use it.

3. Payment security up to the banks
It is up to the bank to authenticate their customer. Recital 14 now says that “PIS Providers have the right to rely on the authentication procedures provided” by the bank, there is no right in the opposite direction. Therefore, PISPs (Payments Initiative Service Providers) must pass control to the bank to authenticate the customer – the PISP can’t apply its own authentication, then tell the bank to “just do it”.

4. Authentication codes
Article 4.1 says that “The authentication code shall be accepted only once”. This is fine for a single payment initiation, but the RTS allows TPPs to initiate a series of payments, and to retrieve account information, with SCA applied only the first time. Presumably the original authorisation code must be presented for all subsequent accesses, but this is not compatible with the “only once” provision in 4.1.

For payment transactions, the authentication code has to be dynamically linked to the transaction details. There’s a possible gap because the amount and payee are dynamically linked, but not the payment reference. In cases where the reference determines the beneficiary, such as credit card payments, this could become a security vulnerability.

5. Exemptions from Strong Customer Authentication
This is the area of the RTS that has changed most, and has become more practical. Changes include:
• For contactless card payments, the single transaction value is raised to €50, and the option to count five consecutive non-SCA transactions has been added to provide balance to the previous impractical requirement to just accumulate payment values.
• A vital exemption is added for unattended transport and parking terminals has helpfully been included
• No SCA is required for payments to trusted beneficiaries. Comment 79 also clarifies “The exemption for trusted beneficiaries only applies to payment transactions made on an online account by the payer. The PISP cannot create a list of trusted beneficiaries.”
• The low value payment exemption is raised from €10 to €30, with a cumulative value of €100 or a cumulative count of 5, aligned to the contactless exemption

6. Real Time Fraud Detection and Prevention
Whereas the previous draft mandated real time fraud detection to prevent, detect and block fraudulent payments, the final draft allows for a more nuanced risk analysis approach, with high risk transactions being blocked for suspected fraud, and low risk transactions potentially bypassing SCA. There is also a specific approach with clearer reporting and processing procedures.

7. Sensitive payment data
The final draft still says that ASPSPs (account servicing payment service providers), effectively banks, must provide AIS with the same information from designated payment accounts and associated payment transactions made available to the payment service user when directly accessing the information, “provided that this information does not include display of sensitive payment data”. “Sensitive” is still not defined, leaving it to the bank to decide what to redact.

8. Use of eIDAS authorities
The EBA has put aside its doubts and firmly mandated the use of Digital Certificates (or “qualified certificates for electronic seals or website authentication”, as the regulation would have it) issued under Regulation 910/2014, aka eIDAS. Given the extended timeline for enforcement of the RTS – November 2018 being the earliest date, with serious discussion of April 2019 – there is still time for organizations to step up and put the required infrastructure in place to move eIDAS from dream to reality.

9. Card Not Present requires Strong Customer Authentication
Unless a card transaction falls under one of the exemptions, it must go through SCA. Vendors have rushed out solutions such as Dynamic CVV, where the CVV on the card changes regularly. Using this as one of the SCA components proves possession, which along with knowledge satisfies the ‘two-factor’ requirement. It looks like 3d-Secure 2.0 will be sufficient to allow SCA exemptions to be applied, but if the transaction is not exempt, it’s up to the issuer to drive the SCA process.

10. Trusted Execution Environments for multi-purpose devices
The previous draft specified that multi-purpose devices (mobile phones and the like) had to use a Trusted Execution Environment (TEE) for security. TEE is a well-defined, tried and tested standard, but it seems the EBA has caved into pressure from organizations lobbying for non-standard (and in some cases less secure) solutions. The RTS now mandates a ‘Secure Execution Environment’ which has no current industry definition, so mobile security effectively becomes a free for all again. Caveat emptor!

What next?
The RTS has yet to be adopted by the European Commission, so there is still an opportunity for lobbying by Member States and industry groups and organizations. Be that as it may, it’s clear that no further significant clarifications will be forthcoming from the EBA. It’s now up to banks, TPPs and other payment service providers to get on with implementation, guided by national authorities, industry groups, compliance officers and technology experts. The “access to account” services specified in PSD2 Articles 65-67 have to be available from Jan 2018, and even though the security and communications standards in the RTS do not become mandatory until the end of the “transitional” period, there’s sufficient clarity to start moving in that direction prior to the mandate.


Comments: (3)

A Finextra member
A Finextra member 30 August, 2017, 17:23Be the first to give this comment the thumbs up 0 likes

The only issue here is the meaning of the word "final". It is the final draft by the EBA. The Commission has the last word on the RTS and has already suggested significant modifications, although it is still a work in progress.

When the Commission publishes the final document it has to be approved by the Council and by the Parliament. So we are still a long way from having a final RTS. Not sooner than November '17

Tautvydas Medziukevicius
Tautvydas Medziukevicius - Swiipe - Copenhagen 21 March, 2019, 10:38Be the first to give this comment the thumbs up 0 likes

Thank you for the article, it seems very fascinating. however, my belief is that you have misinterpreted the RTS with the point 3. RTS states that PIS Providers have the right to rely on the authentication procedures provided by the ASPSP to the user and in such cases, the authentication procedure will remain fully in the sphere of competence of the ASPSP.

This part only bears the meaning that there is an extra right for the PISPs to use the SCA provided by the banks. It does not state anything about the PISPs not being to have their SCA mechanism. There would be no point of having PISPs if they would have the only way of referring to banks for initiating the payment service, doing something they were created to do.

A Finextra member
A Finextra member 22 March, 2019, 08:12Be the first to give this comment the thumbs up 0 likes

Tautyvidas, be aware that this is an old article. As I had predicted, the Commission ammended the RTS from the EBA and many of the conclussions are no longer valid. Actually and in hindsight, I was even spot-on with the dates. The commission published the RTS in November and it was approved by the Parliament in February!

If you want to check the real final version it's here:

Now hiring