What are the technical standards for SCA in the RTS?

Vincent Delitz

Created: January 31, 2025

Updated: February 17, 2025

The Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA) under PSD2 establish security requirements that financial institutions, payment service providers, and businesses must adhere to for secure online transactions and fraud prevention.

Key RTS Requirements for SCA Compliance

1. Multi-Factor Authentication (MFA)

SCA requires authentication using at least two independent factors from these three categories:

  • Something You Know (e.g., password, PIN)
  • Something You Have (e.g., smartphone, security key)
  • Something You Are (e.g., fingerprint, facial recognition)

The factors must be independent, meaning that the compromise of one does not impact the security of the others.

2. Dynamic Linking for Payment Transactions

To comply with the RTS, each payment transaction must be cryptographically linked to its details:

  • The authentication request must show the payer the exact payment amount and the recipient (payee).
  • The payer must explicitly approve that amount and payee.
  • The resulting authentication code must be cryptographically bound to both, so that any change to the amount or payee after approval invalidates the code.

3. Protection Against Replay Attacks

  • The RTS requires that authentication data cannot be intercepted and reused.
  • Cryptographic mechanisms must prevent attackers from replaying old authentication requests.
  • Passkeys, which rely on public-key cryptography, meet this requirement by design: each sign-in signs a fresh challenge issued by the server, and the private key never leaves the user's device, so a captured response is useless for any later request.
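A worked illustration of the dynamic-linking and anti-replay requirements above, added here and not part of the original article: a constructed Python model in which an HMAC under a per-user device key stands in for the passkey's private key and signature. The device computes the authentication code over the challenge plus the exact amount and payee the user approved, so a payee swapped in the browser afterwards, or a reused challenge, fails verification. PspServer, device_approve, run_scenarios and the IBAN-style payee strings are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy model of RTS dynamic linking (not a real PSP). An HMAC with a
# per-user device key stands in for the passkey's private key and signature.

def auth_code(device_key: bytes, challenge: str, amount_cents: int, payee: str) -> str:
    """Authentication code specific to one challenge and one exact amount and payee."""
    msg = json.dumps({"c": challenge, "a": amount_cents, "p": payee}, sort_keys=True)
    return hmac.new(device_key, msg.encode(), hashlib.sha256).hexdigest()

def device_approve(device_key: bytes, challenge: str, shown_amount: int, shown_payee: str) -> str:
    """Hypothetical device API: the user sees amount and payee, explicitly approves,
    and the code is computed over exactly what was shown."""
    return auth_code(device_key, challenge, shown_amount, shown_payee)

class PspServer:
    def __init__(self, device_keys: dict):
        self.device_keys = device_keys  # user -> device key registered at enrolment
        self.pending = {}               # challenge -> user
        self.used = set()

    def start_transaction(self, user: str) -> str:
        challenge = secrets.token_hex(16)  # fresh, unpredictable, single use
        self.pending[challenge] = user
        return challenge

    def verify(self, challenge: str, amount_cents: int, payee: str, code: str) -> bool:
        """amount/payee are what the browser submits for execution; code is from the device."""
        if challenge in self.used or challenge not in self.pending:
            return False                # unknown or already consumed challenge: replay
        user = self.pending.pop(challenge)
        self.used.add(challenge)        # consumed even on failure; the payer must restart
        expected = auth_code(self.device_keys[user], challenge, amount_cents, payee)
        return hmac.compare_digest(expected, code)

def run_scenarios() -> dict:
    key = secrets.token_bytes(32)
    srv = PspServer({"alice": key})
    ch = srv.start_transaction("alice")
    code = device_approve(key, ch, 10000, "DE-MERCHANT-IBAN")  # constructed payee id
    honest = srv.verify(ch, 10000, "DE-MERCHANT-IBAN", code)
    replay = srv.verify(ch, 10000, "DE-MERCHANT-IBAN", code)   # same code resent
    ch2 = srv.start_transaction("alice")
    code2 = device_approve(key, ch2, 10000, "DE-MERCHANT-IBAN")
    # Browser malware swaps the payee after the user approved on the device.
    tampered = srv.verify(ch2, 10000, "DE-ATTACKER-IBAN", code2)
    return {"honest": honest, "replay": replay, "tampered": tampered}
```

Only the honest scenario verifies; the replayed code and the altered payee are both rejected, which is exactly what Articles 4 and 5 of the RTS ask for.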

4. Secure Authentication Elements

The RTS specifies that authentication elements must be:

  • Resistant to phishing, credential theft, and unauthorized access.
  • Encrypted and protected by hardware security components such as a Secure Enclave, TPM, or TEE.
  • Generated and stored securely to prevent exposure.

5. Exemptions for Low-Risk Transactions

Certain transactions may be exempt from SCA under RTS:

  • Low-value transactions (below €30).
  • Recurring payments (e.g., subscriptions).
  • Trusted beneficiaries (pre-approved payees).
  • Low fraud-risk payments (evaluated using transaction risk analysis, TRA).

How Do Passkeys Align with RTS?

Passkeys provide built-in compliance with RTS security standards:

  • Multi-factor authentication is fulfilled automatically: possession of the device that holds the private key (something you have) is combined with the device's biometric or PIN unlock (something you are or something you know).
  • No shared secrets: unlike passwords, passkeys rely on public-key cryptography, and the server stores only the public key, so a server breach yields nothing that can be reused as a credential.
  • Phishing resistance: a passkey is bound to the origin it was registered for, so the browser or platform will not use it on a look-alike site; authentication only happens on the legitimate service, making passkeys immune to phishing attacks.

Conclusion

The RTS for SCA under PSD2 sets strict security requirements to reduce fraud and enforce multi-factor authentication in online transactions. Passkeys fully align with RTS by providing phishing-resistant authentication, hardware-backed security, and cryptographic transaction protection, making them a compliant and user-friendly alternative to traditional authentication methods.
