The Regulatory Technical Standards (RTS) on SCA implies that the end-customer’s identity must be verified by two or more authentication methods: Knowledge, Possession and Inherence. Each element must be independent, so that the breach of one element will not compromise the others.
Electronic remote transactions (such as payments made via mobile devices or online) are subject to an additional authorization layer to SCA — “Dynamic Linking”, which in fact requires ASPSP (e.g. banks) to add a specific Authorization Method for each remote transaction. Such authorization should include an Auth Code, which is generated based on payment amount and payee information. The Auth Codes must be provided to the end-customer via a different environment than the one through which the end-customer has initiating the payment. In essence, it means that the Authorization cannot be performed on the internet/mobile banking with payment initiation (PISP app) support otherwise, the Payment and the Authorization process would be combined in a single environment, which is prohibited by PSD2.
Generic Tokens, SMS, and non-encrypted push notifications cannot be used for Auth Code delivery as they might be read by the third parties involved in the message delivery. The RTS requires that “Dynamic Linking” information must be transmitted securely without any possibility for a third party to read or have access to this data.