
Is your app ready for PSD2 SCA compliance?

Tick this simple checklist to assess your app’s compliance with Strong Customer Authentication.

Estimated time to complete the checklist: 5 minutes

1

Are you certain that

Transactions and authentications happen in a separate secure execution environment.


Why this is important

§9 of the RTS requires “the use of separated secure execution environments through the software installed inside the multi-purpose device”.

How we can help

On Android we provide security by delivering unique, single-use code blocks to the device just in time, together with the transaction details and all required SCA UI code. iOS is of course also supported.

2

Are you certain that

The possession / ownership of the device is verified for each use.


Why this is important

§7 of the RTS requires that PSPs mitigate the “replication of the possession factor”. This implies that the integrity of the device must be verified.

How we can help

We check multiple values in order to verify that the execution environment has not changed. The checks are directly linked to the secure storage, so that if an attacker manages to access the data storage they will not be able to decode it.

3

Are you certain that

The authenticity, integrity and confidentiality of everything displayed to the user is verified.


Why this is important

§5 of the RTS requires this for all authentication phases, including the display of transaction information.

How we can help

Our trademarked «what you sign is what you see» mechanism builds user interfaces, then verifies them throughout the authentication process.

4

Are you certain that

There is a dynamic link between payment details and user identity which is kept throughout the transaction.


Why this is important

This dynamic link is required in §5 of the RTS.

How we can help

With Okay, transaction details are transferred in obfuscated code, displayed as an invisible watermark on the user interface, and analysed server-side.

Read more about it

okaythis.com/product
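Dynamic linking as RTS §5 describes it can be shown with a small added example (this is not Okay's own mechanism, which the page describes only in outline): the authentication code is computed over the amount and payee the user saw, so a change to either, or a replay under another session nonce, fails verification. The device key, user, amount, payee and nonces are all constructed values.

```python
import hashlib
import hmac

# Constructed demo key standing in for the per-device secret provisioned at enrolment
# (a real deployment keeps it in the device's secure storage and the PSP's HSM).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def canonical_message(user_id: str, amount: str, payee: str, nonce: str) -> bytes:
    """Length-prefix each field so two different transactions can never share an encoding."""
    out = b""
    for field in (user_id, amount, payee, nonce):
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def compute_auth_code(key: bytes, user_id: str, amount: str, payee: str, nonce: str) -> str:
    """Device side: the code the user authorises is bound to amount, payee and session nonce."""
    msg = canonical_message(user_id, amount, payee, nonce)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_auth_code(key: bytes, user_id: str, amount: str, payee: str, nonce: str, code: str) -> bool:
    """PSP side: recompute over the details that will actually be executed, compare in constant time."""
    expected = compute_auth_code(key, user_id, amount, payee, nonce)
    return hmac.compare_digest(expected, code)


def dynamic_link_checks() -> dict:
    """Show that the code only validates the exact transaction the user saw (constructed data)."""
    nonce = "a1b2c3d4e5f60718"            # session nonce issued by the PSP for this transaction
    user, amount, payee = "user-42", "150.00", "PAYEE-EXAMPLE-0001"
    code = compute_auth_code(DEVICE_KEY, user, amount, payee, nonce)
    return {
        "original": verify_auth_code(DEVICE_KEY, user, amount, payee, nonce, code),
        # Malware changing the amount after the user authorised it
        "amount_changed": verify_auth_code(DEVICE_KEY, user, "1500.00", payee, nonce, code),
        # Malware redirecting the payment to another payee
        "payee_changed": verify_auth_code(DEVICE_KEY, user, amount, "PAYEE-OTHER-9999", nonce, code),
        # Replaying the same code for a later transaction under a fresh nonce
        "replayed": verify_auth_code(DEVICE_KEY, user, amount, payee, "ffffffffffffffff", code),
    }
```

The server must recompute the code over the details it will execute, not over values echoed back by the client; that is what makes the link hold "throughout the transaction".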

5

Are you certain that

SMS is not used for one-time-pin.


Why this is important

SMS is not strong enough to prove possession: it is neither communicated securely nor protected from malware, as PSD2 RTS §4-5 require.

How we can help

With Okay we provide an SDK that offers much stronger security than SMS.

6

Are you certain that

All transaction-related interactions with users are tracked and logged.


Why this is important

§72 and §73 of the PSD2 and §29 of the RTS require the PSP to make all transactions traceable, and even transfer the liability for fraud to the PSP.

How we can help

With Okay we can even store screenshots of exactly what the end user saw during the transaction verification. We can help you prove that the user was not fooled by malware!

7

Are you certain that

All parts of the security solution are audited and documented.


Why this is important

RTS §3 states that “The implementation of the security measures referred to in Article 1 shall be documented, periodically tested, evaluated and audited in accordance with the applicable legal framework”.

How we can help

We have performed audits with third-party experts, SRC GmbH from Germany and PROSA Security from Norway.

8

Are you certain that

You’re protected against innovative new forms of malware directly targeting your app.


Why this is important

§89 of the PSD2 requires that the solution allow for protection against “new threats to the security of electronic payments”.

How we can help

Our fundamental strategy in designing the Okay solution is that “no device is secure”. We focus only on the sensitive part of your app, which allows us to implement much more advanced security than other solutions.
