Is your app ready for PSD2 SCA compliance?
Tick this simple checklist to assess your app’s compliance with Strong Customer Authentication.
Are you certain that
Transactions and authentications happen in a separate secure execution environment.
YesNoWhy this is important
§9 of the RTS requires “the use of separated secure execution environments through the software installed inside the multi-purpose device”
Are you certain that
Transactions and authentications happen in a separate secure execution environment.
Why this is important
§9 of the RTS requires “the use of separated secure execution environments through the software installed inside the multi-purpose device”
How we can help
On Android we provide security through having unique one-time use of codeblocks delivered just-in-time to the device, with transaction details and all required SCA UI code. iOS is of course also supported.
Read more about it
Are you certain that
The possession / ownership of the device is verified for each use.
YesNoWhy this is important
§7 of the RTS requires that PSPs mitigate the “replication of the possession factor”. This implies that the integrity of the device must be verified
Are you certain that
The possession / ownership of the device is verified for each use.
Why this is important
§7 of the RTS requires that PSPs mitigate the “replication of the possession factor”. This implies that the integrity of the device must be verified
How we can help
We check multiple values in order to verify that the execution environment has not changed. The checks are directly linked to the secure storage, so that if an attacker manages to access the data storage they’ll not be able to decode it.
Read more about it
Multi-factor authentication: Knowledge, inherence and possession
Are you certain that
The authenticity, integrity and confidentiality of everything displayed to the user is verified.
YesNoWhy this is important
§5 of the RTS requires this for all authentication phases, including the display of transaction information.
Are you certain that
The authenticity, integrity and confidentiality of everything displayed to the user is verified.
Why this is important
§5 of the RTS requires this for all authentication phases, including the display of transaction information.
How we can help
Our trademarked «what you sign is what you see» mechanism builds user interfaces, then verifies them throughout the authentication process.
Read more about it
Are you certain that
There is a dynamic link between payment details and user identity which is kept throughout the transaction.
YesNoWhy this is important
This dynamic link is required in §5 of the RTS.
Are you certain that
There is a dynamic link between payment details and user identity which is kept throughout the transaction.
Why this is important
This dynamic link is required in §5 of the RTS.
How we can help
With Okay transaction details are transferred in obfuscated code, displayed as an invisible watermark on the user interface, and analysed server-side.
Read more about it
Are you certain that
SMS is not used for one-time-pin.
YesNoWhy this is important
Using SMS is not strong enough to prove possession, as it is not communicated securely, or protected from malware, as required by PSD2 RTS §4-5
Are you certain that
SMS is not used for one-time-pin.
Why this is important
Using SMS is not strong enough to prove possession, as it is not communicated securely, or protected from malware, as required by PSD2 RTS §4-5
How we can help
With Okay we provide an SDK that provides much stronger security than you get with SMS.
Read more about it
Are you certain that
All transaction related interactions with users are tracked and logged
YesNoWhy this is important
§72 and §73 of the PSD2 and §29 of the RTS requires the PSP to make all transactions traceable, and even transfers the liability to the PSP regarding fraud.
Are you certain that
All transaction related interactions with users are tracked and logged
Why this is important
§72 and §73 of the PSD2 and §29 of the RTS requires the PSP to make all transactions traceable, and even transfers the liability to the PSP regarding fraud.
How we can help
With Okay we can even store screenshots of what the end user exactly saw during the transaction verification. We can help you prove that the user was not fooled by malware!
Read more about it
Are you certain that
All parts of the security solution are audited and documented.
YesNoWhy this is important
RTS §3 states that “The implementation of the security measures referred to in Article 1 shall be documented, periodically tested, evaluated and audited in accordance with the applicable legal framework”.
Are you certain that
All parts of the security solution are audited and documented.
Why this is important
RTS §3 states that “The implementation of the security measures referred to in Article 1 shall be documented, periodically tested, evaluated and audited in accordance with the applicable legal framework”.
How we can help
We have performed audits with third party experts, SRC GMBH from Germany, and PROSA Security from Norway.
Read more about it
Are you certain that
You’re protected against innovative new forms of malware directly targeting your app.
YesNoWhy this is important
The §89 of the PSD2 requires that the solution should allow for protecting against “new threats to the security of electronic payments”
Are you certain that
You’re protected against innovative new forms of malware directly targeting your app.
Why this is important
The §89 of the PSD2 requires that the solution should allow for protecting against “new threats to the security of electronic payments”
How we can help
Our fundamental strategy in designing the Okay solution is that ”no device is secure”. We focus only on the sensitive part of your app, allowing us to implement much more advanced security than other solutions.