Explained: RTS, SCA and CSC WRT PSD2 [EPC Infographic]

A couple of weeks ago the European Payments Council (EPC) released a pretty interesting infographic which covers some complex terms such as RTS, SCA and CSC – all of which are key components of PSD2. The infographic also gives a timely update on the current status of PSD2 and the RTS rules.

Below you can see the infographic, which nicely explains the various acronyms. But after reading the PSD2 related infographic a couple of times I still needed to make some notes. Here are my notes:

1/ What the heck are these 3 letter references?

  • RTS – Regulatory Technical Standards
  • SCA – Strong Customer Authentication – Check out my earlier post about SCA
  • CSC  – Common & Secure Communication
  • WRT – That's just me messing about and adding more 3 letter acronyms to the title than necessary – referring to With Reference To
  • PSD2 – Payments Services Directive 2

2/ PSD2 – Payment Services Directive 2

All of the various 3 letter acronyms fall under PSD2, the Second Payment Services Directive. That is the Regulation which, as I have posted on quite a bit already, aims – across the European Union – to:

  • Better secure payments
  • Encourage innovation and competition amongst payments service providers
  • Ensure a level playing field for all, incumbent and newcomer, payment service providers

3/ RTS – Regulatory Technical Standards

RTS are the rules that the payment service providers must adhere to in order to comply with the PSD2 Regulation. These rules cover….

4/ SCA – Strong Customer Authentication

The goal of SCA is to protect consumers across the European Union by implementing increased levels of security when accessing account details and making payments.

Strong Customer Authentication comes into effect when:

  • You access your account information online, irrespective of the channel you use (PC, Laptop, Mobile…)
  • You make a payment

Strong Customer Authentication requires Two Factor Authentication (2FA), consisting of at least 2 of the following:

  • Something you know (Pin, password)
  • Something you have (a card, mobile, token that generates a one time code)
  • Something you are (basically biometrics – your fingerprints, face…)

There are some exceptions (examples include low value transactions, payments to trusted counterparties, corporate payments) to the implementation of Strong Customer Authentication, which you can see in the infographic below.
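To make the two halves of section 4 concrete (when SCA is triggered, and what counts as two independent factors), here is a small policy checker. It is an added example written for this post, not code from the EPC or any bank; the credential names, the request model and the low-value threshold (`LOW_VALUE_LIMIT`) are assumptions, since the infographic names the exemptions but this write-up gives no figures. The point it demonstrates is that two credentials from the same category (a PIN plus a password) do not satisfy SCA, while a password plus a one-time token does.

```python
from dataclasses import dataclass
from decimal import Decimal
from enum import Enum


class Factor(Enum):
    """The three SCA factor categories named in the post."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Constructed mapping of credential kinds to factor categories. The kinds are
# illustrative names chosen for this example, not a standard list.
CREDENTIAL_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "card": Factor.POSSESSION,
    "registered_mobile": Factor.POSSESSION,
    "otp_token": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
}

# Assumed threshold for the "low value" exemption: the post names the
# exemption but not an amount, so this figure is a placeholder.
LOW_VALUE_LIMIT = Decimal("30.00")


@dataclass(frozen=True)
class Request:
    kind: str                      # "account_access" or "payment"
    amount: Decimal = Decimal("0")
    trusted_payee: bool = False    # payee on the customer's trusted list
    corporate: bool = False        # corporate payment process


def sca_required(req: Request) -> bool:
    """Decide whether SCA applies, following the triggers and exemptions in the post."""
    if req.kind == "account_access":
        return True
    if req.kind == "payment":
        if req.amount < LOW_VALUE_LIMIT:
            return False
        if req.trusted_payee or req.corporate:
            return False
        return True
    raise ValueError(f"unknown request kind: {req.kind!r}")


def distinct_factor_categories(credentials) -> set:
    """Return the factor categories covered by the presented credentials.

    Unknown credential kinds are ignored rather than counted, so an
    unrecognised token can never accidentally satisfy a factor.
    """
    categories = set()
    for cred in credentials:
        category = CREDENTIAL_CATEGORY.get(cred)
        if category is not None:
            categories.add(category)
    return categories


def satisfies_sca(credentials) -> bool:
    """SCA needs at least two credentials from *different* categories."""
    return len(distinct_factor_categories(credentials)) >= 2


def authorise(req: Request, credentials) -> str:
    """Combine both checks into an outcome string the caller can log."""
    if not sca_required(req):
        return "allowed:exempt"
    if satisfies_sca(credentials):
        return "allowed:sca"
    return "denied:sca_not_met"


if __name__ == "__main__":
    print(authorise(Request("account_access"), ["password", "otp_token"]))
    print(authorise(Request("payment", Decimal("250")), ["password", "pin"]))
    print(authorise(Request("payment", Decimal("9.99")), []))
```

The exemption checks run before the factor check on purpose: an exempt payment should not prompt the customer at all, while a non-exempt one is refused unless two independent categories are present.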

5/ CSC – Common & Secure Communication

Common and Secure Communication (CSC) seeks to promote competition and innovation among payment service providers by introducing:

  • TPPs – Third Party Payment Service Providers – these guys do not have payment accounts for their customers but can provide the following services:
    • AISP – Account Information Service Provider – a one stop shop for all of your payment accounts, irrespective of where they are held
    • PISP – Payment Initiation Service Provider – dudes who can make payments on your behalf
  • ASPSP – Account Servicing Payment Service Provider – the providers of the payment accounts for customers, including banks and other payment institutions

The Regulatory Technical Standards (RTS) define how access to the customer's account is handled between ASPSPs, AISPs and PISPs, namely by:

  • Customer Consent – customers must give explicit consent to the AISP or PISP
  • Secure Communication – the ASPSP must provide AISPs / PISPs a secure communication channel in order for them to access the payment account – this essentially refers to:
    • APIs – Application Programming Interfaces
      • The API must allow TPPs to provide payment initiation or account information without difficulties
    • “More secure & sophisticated screen scraping” – Banks must grant access to TPPs using a dedicated interface (think electronic banking) with:
      • Additional TPP security authentication – allowing the ASPSP to know the TPP is accessing the account
      • Formal agreement from the customer on the access and use of their account
      • Compliance with the upcoming GDPR – General Data Protection Regulation
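The three CSC requirements just listed (the ASPSP knows which TPP is calling, the customer has explicitly consented, and the access matches what was consented to) are easiest to see as an access decision at the ASPSP's API. The checker below is an added example for this post, not code from any ASPSP, TPP or the EPC; the action names, consent record layout and sample data are constructed. It shows why consent scope matters: an AISP consent lets a TPP read balances but does not let the same TPP initiate a payment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Consent scopes matching the two TPP roles in the post.
AIS = "account_information"   # what an AISP needs
PIS = "payment_initiation"    # what a PISP needs

# Which consent scope each API action needs (action names are constructed).
ACTION_SCOPE = {
    "read_balance": AIS,
    "read_transactions": AIS,
    "initiate_payment": PIS,
}


@dataclass(frozen=True)
class Consent:
    """A customer's explicit consent for one TPP on specific accounts."""
    customer_id: str
    tpp_id: str
    account_ids: frozenset
    scopes: frozenset
    expires_at: datetime


@dataclass(frozen=True)
class TppRequest:
    tpp_id: str
    tpp_authenticated: bool   # True once the ASPSP has verified the TPP's identity
    customer_id: str
    account_id: str
    action: str


def evaluate_tpp_access(req: TppRequest, consents, now: datetime):
    """Return (granted, reason). Each refusal maps to a CSC requirement:
    TPP authentication, explicit customer consent, consent validity, scope."""
    if not req.tpp_authenticated:
        return False, "tpp_not_authenticated"
    needed_scope = ACTION_SCOPE.get(req.action)
    if needed_scope is None:
        return False, "unknown_action"

    reasons = []
    for consent in consents:
        if (consent.customer_id, consent.tpp_id) != (req.customer_id, req.tpp_id):
            continue
        if req.account_id not in consent.account_ids:
            continue
        if consent.expires_at <= now:
            reasons.append("consent_expired")
            continue
        if needed_scope not in consent.scopes:
            reasons.append("consent_scope_insufficient")
            continue
        return True, "granted"
    # No usable consent: report the most specific problem seen, if any.
    return False, reasons[0] if reasons else "no_consent"


# Constructed sample data: one live AISP consent and one lapsed PISP consent.
NOW = datetime(2018, 3, 1, tzinfo=timezone.utc)
SAMPLE_CONSENTS = [
    Consent("cust-1", "tpp-aisp-1", frozenset({"acc-1"}), frozenset({AIS}),
            NOW + timedelta(days=90)),
    Consent("cust-1", "tpp-pisp-1", frozenset({"acc-1"}), frozenset({PIS}),
            NOW - timedelta(days=1)),
]


if __name__ == "__main__":
    for req in [
        TppRequest("tpp-aisp-1", True, "cust-1", "acc-1", "read_balance"),
        TppRequest("tpp-aisp-1", True, "cust-1", "acc-1", "initiate_payment"),
        TppRequest("tpp-pisp-1", True, "cust-1", "acc-1", "initiate_payment"),
        TppRequest("tpp-aisp-1", False, "cust-1", "acc-1", "read_balance"),
    ]:
        print(req.tpp_id, req.action, evaluate_tpp_access(req, SAMPLE_CONSENTS, NOW))
```

The reason string is returned rather than just a boolean so the ASPSP can log which requirement failed; a burst of `consent_scope_insufficient` refusals from one TPP is the kind of signal worth reviewing.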

6/ RTS Timeline

  • Nov 2017 – The final version of the RTS was adopted by the European Commission
  • 13 Jan, 2018 – PSD2 goes live, but excludes the security measures within the RTS
  • Before 27 Feb, 2018 – European Parliament to approve/reject the final version of the RTS
  • Sept 2019 – RTS come into effect across the European Union

7/ So what happens between now and September 2019?

  • The above described SCA (Strong Customer Authentication) and CSC (Common & Secure Communication) rules are NOT APPLICABLE
  • TPPs authorised in their home countries should be able to offer their services (via Passporting) to countries that have not yet transposed PSD2 into their national law
  • ASPSPs can request exceptions, e.g. regarding the implementation of Strong Customer Authentication (SCA), from their national authority

Thanks for stopping by – Take a look around…!!
