What is PSD2 audit?

PSD2 audit
Posted on Januar 2, 2021

In recent years significant progress in integrating open banking has been made in the European Union, in particular, in the framework of Directive (EU), 2015/2366 and Commission Delegated Regulation (EU) 2018/389 of 27 November 2017, which further supplemented the legal framework for the provision of payment services.

It was supplemented from the point of view of the previously mentioned open banking and the supplementation of regulatory technical standards for safer execution of transactions and greater transparency of payments.

However, the new rules for credit institutions and electronic money issuers require certain technical changes and regular audits. The basis for conducting audits is in Articles 3 and 1 of Commission Delegated Regulation (EU) 2018/389.

Solwall offers two types of PSD2 audits that are independent of each other:

  • Review of security measures according to the requirements given in Article 1 of PSD2 RTS.
  • TRA audit of transaction monitoring mechanisms for payment service providers using the strong authentication (review of methodology, model, and reported fraud rates).
PSD2 Audit

PSD2 Audit

Scope of the PSD2 audit

Security measures audit (Article 1 PSD2 RTS)

In the first part of the audit, the technical controls on the use of the strong authentication procedure (SCA) are reviewed:

  • Authentication code requirements
  • Usage of two independent elements (category of knowledge, ownership, inherence)
  • Authentication element requirements
  • Dynamic linking

In the next phase, a security audit of the confidentiality and integrity of the security features of the payment service user and the establishment of common and secure open standards for communication between payment service providers are carried out:

  • Masking of personal security features
  • Credential storage
  • Creation, transfer, and delivery of security elements
  • Renewal, termination, and deactivation of personal security elements
  • Overview of requirements for open access interfaces

TRA audit

Credit and payment institutions using strong user authentication must perform internal and external audits of the methodology, model, and risk levels. The audit is performed by a certified auditor according to the ISAE 3000 standard.

  • Review of data integrity and data capture methods.
  • Review of the algorithm for calculating the risk level
  • Documentation overview

Mandatory PSD2 implementation

The audit of security measures and the audit of TRA are carried out annually with the assistance of an expert with expertise in the field of information technology security.

The TRA audit is performed for the first time and every three years with an independent certified auditor.

As a result of the audit, a report and an assessment of the compliance of the contracting authority's security measures shall be prepared in accordance with the requirements of this Regulation. Contact us if you want to know more or arrange an introductory meeting to find out what we can do for you.


No need to pay if not satisfied.

Proven expertise

Penetration test team skills matched on relevance to your application.


The report contains detailed findings with
a mitigation plan.