An Introduction to the Regulatory Technical Standards for Strong Customer Authentication – Part 1: eIDAS
A major challenge faced by the EU in the creation of a Digital Single Market is finding the right balance between processes that can be harmonized and standardized and those that need to remain flexible to cater to the demands of the various Member States.
It is clear that eIDAS has been designed not only keeping this mind, but actually by taking it as the fundamental guiding principle during its creation.
eIDAS has been designed to allow for seamless (cross-border) operations while ensuring technological neutrality and flexibility in terms of how its minimum standards need to be met. The Regulatory Technical Standards for Strong Customer Authentication were released to supplement the PSD2 Directive and they also supplement the provisions of the eIDAS Regulation.
Main elements of the Regulatory Technical Standards
The Regulatory Technical Standards (RTS) are a Commission Delegated Regulation. They cover four broad areas:
- Defining the requirements for achieving Strong Customer Authentication (SCA) in accordance with PSD2 and eIDAS. SCA requires the verification of the user elements which relate to possession, knowledge and/ or inherence. SCA is a central element for both eIDAS and PSD2 and the Regulatory Technical Standards shed light on their appropriate usage, the need to maintain their independence from each other and other related aspects.
- Specifying the conditions for exemptions from SCA in certain specific situations. Achieving SCA obviously has a time and monetary cost associated with it, both of which will not only affect the payment service provider but the end customer as well. Therefore, there are certain conditions under which SCA may not be required – like for small amounts or recurring transactions. However, there is a dynamic element here as well and service providers are required to perform real time transaction risk analysis and insist on SCA even for exempt cases in case of an adverse alerts.
- Protecting the end user from having his or her security credentials compromised in any way. RTS specifies multiple requirements to ensure this – like masking and encrypting security credentials and adequately protecting cryptographic materials from unauthorized access.
- Establishing common standards for things like open and secure communications between various parties involved in a transaction. RTS mandates elements like session IDs, timestamps, transactional logging, ensuring traceability etc. The flow of communication between Payment/ Information Service Providers, customers and other involved parties is also a fundamental security requirement and is covered by RTS.
eIDAS and RTS
RTS mandates the use of eIDAS defined qualified certificates and seals for identification. It states that “To improve user confidence and ensure strong customer authentication, the use of electronic identification means and trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council should be taken into account, in particular with regard to notified electronic identification schemes”.
This is obviously a crucial element necessary for the smooth operation of the larger machine. The use of eIDAS enabled electronic identification means and trust services in ensuring Strong Customer Authentication makes these two directives complement each other pretty well and takes us further along the path to a Digital Single Market.