The tightrope the EBA is walking

Simon Rodway | 25 July 2019

The European Banking Authority (EBA) plays an extraordinarily complex role. Managing and regulating the financial industry means walking a tightrope between directional regulation and restrictive controls. The delivery of the revised Payment Services Directive (PSD2) and the regulatory technical standards (RTS) for strong customer authentication (SCA) has shown just how hard that balance is, with the line between regulation and technical requirements proving even more precarious than anyone anticipated.

On 21 June, the EBA released an opinion paper on the delivery of SCA under PSD2 to clarify the accepted solutions to SCA. In it, the EBA outlines how complying with the standard will be enforced and how the announced extension to the compliance deadline will be addressed. One take-home message from the paper is the challenge that the EBA has in trying to avoid stating what technology is acceptable and suitable for a real SCA solution. Perhaps this is a drive to be open and inclusive and avoid dictating solution choices. Or maybe it is an effort to ensure that all parties are given a chance to compete in this important arena.

Since the SCA requirement was announced, and even before then, there has been much discussion about the suitability of SMS as a vehicle for secure identification, including its susceptibility to interception. Telecommunications operators have been trying to address the weaknesses with measures such as SIM-swap detection and number-forwarding challenges, but these are not universal and still do not address the underlying security issue. Incredibly, SMS is still seen by many as a convenient way of reaching people, but the fact remains that native SMS does not meet the EBA’s own base requirement for SCA.

As part of the EBA’s SCA requirement, a transaction must be communicated over a secure, encrypted channel. Article 22.2(b), which addresses identity information specifically, further clarifies that such information may not be shared or stored in plain text: “PSPs shall ensure that […] personalized security credentials [and] cryptographic materials […] are not stored in plain text.” While SMS is not a storage medium, the information in a text message is in plain text and is held on an electronic device.

In addition to this, the requirements of Article 5 on the need to support dynamic linking (each SCA must be linked to a specific amount and payee) stipulate that the confidentiality and integrity of payment information needs to be protected during the authentication process to comply with PSD2. SMS is not an encrypted, secured channel; the message details sent in the SMS are in plain text, and can be easily intercepted and read by a hacker. Furthermore, if you choose to send information via SMS, you will need to limit the information contained in the SMS, otherwise you also risk falling on the wrong side of GDPR.

In short, many see SMS as a convenient (and cost-effective) option for addressing the security and fraud challenges facing the financial industry, but because of the inherent weakness of the possession factor (the SIM card) and the ease of access to the mobile number, it is definitely not a state-of-the-art solution. In fact, I strongly believe that SMS one-time passwords do not meet the dynamic linking requirement, and therefore do not address the SCA specification.
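To make the dynamic linking point above concrete, here is an added Python example (not from the EBA opinion or from Entersekt’s product) in which the authentication code is an HMAC over the exact amount and payee the payer approved, so the PSP recomputing it over the transaction it is about to execute detects any alteration; beside it is a plain challenge-only OTP of the kind an SMS typically carries, whose value is independent of the transaction. The device key, IBANs and challenge are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed per-device secret shared between the payer's authenticator and the PSP.
DEVICE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c2b7e151628aed2a6abf7158809cf4f3c")


def _truncate(mac: bytes, digits: int) -> str:
    """Dynamic truncation of a MAC to a numeric code, as in RFC 4226 / HOTP."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def canonical_transaction(amount_minor: int, currency: str, payee: str, challenge: str) -> bytes:
    """Unambiguous encoding of what the payer saw and approved.
    Length prefixes prevent field-boundary collisions such as '1|23' vs '12|3'."""
    fields = [str(amount_minor), currency, payee, challenge]
    return b"".join(struct.pack(">H", len(f)) + f.encode("utf-8") for f in fields)


def dynamically_linked_code(key: bytes, amount_minor: int, currency: str, payee: str,
                            challenge: str, digits: int = 8) -> str:
    """Authentication code bound to amount and payee, in the spirit of RTS Article 5."""
    mac = hmac.new(key, canonical_transaction(amount_minor, currency, payee, challenge),
                   hashlib.sha256).digest()
    return _truncate(mac, digits)


def psp_accepts(key: bytes, code: str, amount_minor: int, currency: str, payee: str,
                challenge: str) -> bool:
    """The PSP recomputes the code from the transaction it is about to execute.
    If amount or payee was altered after approval, the recomputed code differs."""
    expected = dynamically_linked_code(key, amount_minor, currency, payee, challenge)
    return hmac.compare_digest(expected, code)


def unlinked_otp(key: bytes, challenge: str, digits: int = 8) -> str:
    """A challenge-only OTP: the same code is valid for any amount and payee,
    so a verifier cannot tell an approved transaction from a tampered one."""
    return _truncate(hmac.new(key, challenge.encode("utf-8"), hashlib.sha256).digest(), digits)


if __name__ == "__main__":
    challenge = "c0ffee01"  # constructed per-transaction nonce issued by the PSP
    approved_payee = "DE89370400440532013000"
    code = dynamically_linked_code(DEVICE_KEY, 12500, "EUR", approved_payee, challenge)
    print("approved :", psp_accepts(DEVICE_KEY, code, 12500, "EUR", approved_payee, challenge))
    print("tampered :", psp_accepts(DEVICE_KEY, code, 12500, "EUR", "GB29NWBK60161331926819", challenge))
```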

You can read the EBA’s opinion on the elements of SCA and SMS OTP here. Looking for SCA advice? Read more about our solution for PSD2 compliance here: entersekt.com/solutions/psd2, or contact us to speak to one of our experts.

About the author

Simon Rodway

Pre-sales solution consultant, UK

Simon Rodway is an experienced software solutions architect and software developer. Simon is tasked with supporting Entersekt’s European team in business development across the region. His extensive work experience in the information technology and software development industries, at global companies such as IBM, ensures that he can leverage a refined industry perspective in growing Entersekt’s presence in the European market.
