PSD2 Strong Customer Authentication 2018-08-16T09:15:50+00:00

PSD2 | Strong Customer Authentication

A two-factor, strong customer authentication software. Focused on user experience.

In Partnership with

Bearing Point is a partner of Innoopract

Meet your regulatory requirements
and delight your customers with PSD2TAC

Strong Customer Authentication (SCA) is becoming mandatory in the European Union for many online banking / payment tasks.

SCA carries a potential for disruption as it affects all online banking customers and is not commonly used today. Two-factor authentication, the basis for SCA, is not known to 50% of Internet users.

We offer ready to integrate components
for transaction approval

They can be made available to your online banking customers within weeks. PSD2TAC provides a future-proof solution to securing Instant Payment and the collaboration with Payment Service Providers.

Focus on end users

  • Strong customer authentication (SCA) is a challenge for users.
  • User-centric design and early user testing are key for user acceptance and broad adoption of SCA.
  • It is important to make sure not only millennials feel confident using the app.
  • 80% of the participants in user testing were impressed by the easy handling of PSD2TAC.
Secure Customer Authorization (SCA) -user centric design

EBA-RTS requirements for PSD2

Secure Customer Authorization (SCA) - requirements for PSD2
  • Protect the confidentiality and the integrity of the payment service users’ personalized security credentials.
  • Secure communication between the payment app and the payer bank.
  • Two-factor authentication: two elements from different categories – knowledge, possession, and inherence.
  • The authentication code generated shall be specific to the amount of the payment transaction and the payee agreed to by the payer.
  • Separated secure execution environments through the software installed inside the multi-purpose device.
  • Mechanisms to ensure that the software or device has not been altered by the payer or by a third party or mechanisms to mitigate the consequences of such alteration where this has taken place.

Two-factor authentication

For ensuring a fast and user-friendly transaction acceptance,
we focus on the authentication elements possession and inherence.


Strong binding of the PSD2 app component to a device by technical measures, e.g. using push messages from the platform providers. The user’s smartphone can serve as an element of the possession category for the authentication.


On today’s smartphones, the inherence category can be expressed by using fingerprints, iris scanning, or face recognition.


Passwords are a typical element of the knowledge category for the authentication. We help users to choose a strong password. For the app’s set up a strong password is necessary.

Ensuring secure communication

There are three factors for ensuring secure communication between the payment app and the bank/PISP

Transfer encryption

Certificate pinning
(the app communicates only with a server which provides the correct certificate)

Customer specific symmetrical encryption of all data

Secure Execution Environments

  • Complete control of the runtime environment by using a particularly protected virtual machine.
    • Runtime Self Protection protects apps in compromised environments.
    • Rootkit/Jailbreak detection.
    • Resource verification with cryptographic signatures.
    • Repackaging prevention.
  • Regular security testing by recognized security experts.
  • Separate secure execution environments during the initialization and the acceptance of payment on the same device are guaranteed.

Our offer

Software product development by Innoopract
Software product development by Innoopract

System components

  • App module built with secure technology for strong customer authentication.
  • Backend component for secure communication with the app using push notifications.
  • Backend component for secure key exchange, for secure storage of secret keys, and for binding the app to a device.
  • Backend component with client certificate protection for communication with banks/PISP backends.

Integration services

  • Services for the integration backend/app module.
  • Services for the individualization of the app module.
    • User interaction/branding.
    • Individual hardening of the secure environment.

Contact Us

We’ll be happy to tell you more and send you a brochure.

Contact us and learn at the source about the solution that involves state of the art cryptography, rootkit / jailbreak detection, resource verification, repackaging prevention and certificate pinning.