Compliance with the PSD2 requirements regarding strong customer authentication

Everyone needs a bank account. Of course, only the authorized person may access the bank account. But how do I reliably recognize the beneficiary ? This works by means of strong customer authentication. Through using the key elements knowledge and ownership, customer authentication usually becomes strong already.

For example: In addition to owning the counterfeit-proof chip card, the bank customer must know the associated PIN. Access to the account is only possible with both elements.

Contact person

Dagmar Schoppe

Further information

PSD2

In December 2015, the European Commission adopted a new Payment Service Directive 2 (PSD2). The PSD2 must be implemented into national law in the individual EU member states by January 2018. In Germany, the PSD2 is implemented through adjustments to the Act on the Supervision of Payment Services (ZAG) and the relevant articles of the German Civil Code.

In addition to requirements for the approval of payment service providers, the PSD2 also contains requirements that must be taken into account regarding the design and operation of technical applications of an account-keeping institution. In particular, security features of the payment applications play an important role. These include security requirements for the use of authentication solutions, namely the requirements for strong customer authentication, transaction analysis and the security of personalization characteristics.

Regulatory Technical Standard (RTS)

A particular feature of the PSD2 is that the requirements mentioned in Article 98 of the PSD2 are further specified by a Regulatory Technical Standard (RTS). The EBA (European Banking Authority) is responsible for drafting corresponding drafts in cooperation with the ECB (European Central Bank) and to submit them to the European Commission. After the adoption of an RTS by the European Commission, it becomes a binding component of PSD2. Currently, the RTS is available as a final draft of the European Commission. Taking the requirements of the RTS into consideration, solution providers are now facing the challenge of proving compliance with the requirements of the RTS to the institutes.

How to prove compliance with the PSD2 requirements regarding authentication solutions

SRC analyzes your security solution with the objective of demonstrating the relevant requirements of the RTS. For this purpose, documents are submitted to SRC in order to implement the security solution. The examination takes place on a conceptual and, where necessary, on a design level, too. Upon request, SRC includes a code analysis. In the interpretation of the requirements, SRC’s experiences from projects with other partners are integrated.

The subject matter of the audit is the authentication medium, e.g. an app interacting with the server in the background system. The focus here is not only on “man-in-the-middle attacks”, but also on direct attacks on the components used, e.g. on the smartphone in case of an app solution.

If required, SRC evaluates if the safety mechanisms represent the technical standard.

SRC summarizes the results in a report.

Certifications

Topics

Compliance within banks

Find out about the topic areas that we support with our service.

Compliance with the PSD2 require­ments regarding strong customer authentication

Compliance with the PSD2 require­ments regarding strong customer authentication

Contact person

Dagmar Schoppe

Further infor­mation

Certi­fi­ca­tions

Topics

Compliance within banks

Security for your Inbox

SRC Newsletter

Address

Articles from SRC

Compliance with the PSD2 requirements regarding strong customer authentication

Compliance with the PSD2 requirements regarding strong customer authentication

Further information

Certifications