---
url: 'https://www.corbado.com/faq/sca-rts-technical-standards'
title: 'What are the technical standards for SCA in the RTS?'
description: 'The Regulatory Technical Standards (RTS) for SCA under PSD2 define strict security requirements for multi-factor authentication in online payments.'
lang: 'en'
keywords: 'SCA RTS, PSD2 RTS'
---

# What are the technical standards for SCA in the RTS?

The **Regulatory Technical Standards (RTS)** for **Strong Customer Authentication (SCA)**
under **PSD2** establish security requirements that **financial institutions, payment
service providers, and businesses** must adhere to for **secure online transactions and
fraud prevention**.

## Key RTS Requirements for SCA Compliance

### 1. Multi-Factor Authentication (MFA)

SCA requires authentication using **at least two independent factors** from these three
categories:

- **Something You Know** (e.g., password, PIN)
- **Something You Have** (e.g., smartphone, [security key](https://www.corbado.com/glossary/security-key))
- **Something You Are** (e.g., fingerprint, facial recognition)

The factors must be **independent**, meaning that the compromise of one does not impact
the security of the others.

### 2. Dynamic Linking for Payment Transactions

To comply with RTS, **each payment transaction must be cryptographically linked to its
details**:

- The authentication request must include **the exact payment amount and recipient
  details**.
- The user must explicitly approve the transaction.
- A cryptographic signature must bind the authentication to those details, so that any
  later alteration of the amount or payee invalidates the approval.

### 3. Protection Against Replay Attacks

- RTS requires that authentication data cannot be **intercepted and reused**.
- Cryptographic mechanisms must prevent attackers from **replaying old authentication
  requests**.
- **Passkeys**, which rely on **public-key cryptography**, naturally comply with this
  requirement: each authentication signs a fresh, server-issued challenge, so a captured
  signature is useless for any later request, and **private keys never leave the user’s
  device**.

### 4. Secure Authentication Elements

- RTS specifies that authentication mechanisms must be:
    - **Resistant to phishing, credential theft, and unauthorized access**.
    - **Encrypted and protected by hardware-backed security components** like
      [Secure Enclave](https://www.corbado.com/glossary/secure-enclave), TPM, or TEE.
    - **Generated and stored securely to prevent exposure**.

### 5. Exemptions for Low-Risk Transactions

Certain transactions may be exempt from SCA under RTS:

- **Low-value transactions** (below €30).
- **Recurring payments** (e.g., subscriptions).
- **Trusted beneficiaries** (pre-approved payees).
- **Low fraud-risk payments** (evaluated using transaction risk analysis, TRA).

## How Do Passkeys Align with RTS?

Passkeys provide **built-in compliance** with RTS security standards:

- **Multi-factor authentication** is automatically fulfilled using **biometric
  verification and hardware-backed security**.
- **No shared secrets**: Unlike passwords, passkeys rely on **public-key cryptography**,
  preventing theft and credential reuse.
- **Phishing resistance**: Passkeys ensure authentication **only happens on legitimate
  services**, making them immune to [phishing](https://www.corbado.com/glossary/phishing) attacks.

## Conclusion

The **RTS for SCA under PSD2** sets **strict security requirements** to reduce fraud and
enforce **multi-factor authentication** in online transactions. **Passkeys fully align**
with RTS by providing **phishing-resistant authentication, hardware-backed security, and
cryptographic transaction protection**, making them a **compliant and user-friendly
alternative to traditional authentication methods**.
