About this Framework
PSD2 (Revised Payment Services Directive) and its Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) mandate multi-factor authentication for electronic payments, online account access and remote transactions across the EU/EEA. Payment service providers must implement SCA with independent authentication elements (knowledge, possession, inherence) and dynamic linking for card-not-present transactions. Open banking APIs (Access to Accounts — XS2A) must comply with EBA API security specifications, enabling regulated third-party payment and account information services.
Key Control Domains
Who Needs This?
- Banks and payment service providers in the EU/EEA
- E-commerce merchants accepting European card payments
- Third-party payment providers (TPPs) and fintech companies
- Open banking platform providers
- Account information service providers (AISPs)
Compliance Benefits
- EU payment regulatory compliance (legally mandatory)
- Significant reduction in payment fraud via strong authentication
- Open banking market access through XS2A rights
- Foundation for open finance and embedded payments innovation
Assessment Details