eIDAS & RTS for Strong Customer Authentication

The Delegated Regulation on Regulatory Technical Standards (RTS) by the European Commission aims to facilitate Strong Customer Authentication (SCA) and establish secure communication channels.

These standards provide a broad and comprehensive technical framework for the implementation of customer authentication for payment services in both online and physical point-of-sale locations.

The standards also include references to the use of electronic identification and trust services as outlined in the eIDAS Regulation (Regulation (EU) No 910/2014). The eIDAS standards provide a way for customers, businesses, and public service providers to offer and receive services based on national electronic IDs. eIDAS also provides electronic signatures, timestamps, electronic seals, website authentication, and other electronic trust services, which must be used where applicable.

The eIDAS linkage

A combination of these technical standards, along with the guidelines in the PSD2 directive and the eIDAS regulation, will provide a complete and secure package to the payments industry. For example, as per the technical standards, payment providers must rely on "qualified certificates for electronic seals" as per the eIDAS regulation. The specific requirements for these certificates are defined in Annex III of the eIDAS Regulation. According to Annex IV of the eIDAS regulation, a "qualified certificate for website authentication" is also needed for RTS. This certificate must be issued by a qualified trust service provider.

The technical standards make extensive use of the authentication and identification standards outlined in detail in the eIDAS regulatory standards. This ensures that best-in-class identification and authentication tools are in place while relying on the existing infrastructure to achieve maximum cost efficiency. The effective use of the tools provided under eIDAS also means that third-party solution providers (such as Account/ Payment Information Service Providers) can also participate and offer the same level of security and protection as the primary financial institution.

Exceptions and safeguards

While establishing strong authentication is paramount in a payment system, it is also important to maintain technological neutrality. The RTS takes this into account, and rather than specifying solutions like OTP, digital signatures, or other specific cryptographic techniques, it keeps the option open as long as the security requirements are met.

This neutrality applies not only to the authentication system but to various business models for payment processors as well. For instance, low-value payments (less than EUR 30), proximity payments, and certain types of remote payments have certain exceptions in place, allowing them to operate with minimum encumbrance within the framework of the RTS. Exceptions are subject to specific thresholds in terms of amount, risk, payment method, etc.

Corporate payment systems (as opposed to retail) usually employ different protocols for authorizing payment transactions (such as physical authenticators, multi-person authentication, etc.), and RTS permits exemptions here subject to the satisfaction of the competent regional authorities.

References and Further Reading

• COMMISSION DELEGATED REGULATION (EU) supplementing Directive 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), by the European Commission
• Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more

• Selected articles on Electronic Signing and Digital Signatures (2014-todays), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more

• The European Interoperability Framework - Implementation Strategy (2017), by the European Commission
• Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (2016), by the European Commission

• REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016), by the European Parliament and the European Council

• Proposal for a REGULATION concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), (2017), by the European Parliament and the European Council

• Revised Directive 2015/2366 on Payment Services (commonly known as PSD2) (2015), by the European Parliament and the Council of the European Union
• REGULATION (EU) No 910/2014  on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission

• DIRECTIVE 2013/37/EU amending Directive 2003/98/EC on the re-use of public sector information (2013) by the European Parliament and the Council

• Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank
• Draft NIST Special Publication 800-63-3: Digital Authentication Guideline (2016), by the National Institute of Standards and Technology, USA.
• NIST Special Publication 800-63-2: Electronic Authentication Guideline (2013), by the National Institute of Standards and Technology, USA.
• Security Controls Related to Internat Banking Services (2016), Hong Kong Monetary Authority