Governance Intelligence · Framework

PSD2 SCA

Strong Customer Authentication for EU mobile banking

EU RegulationStrong AuthDynamic Linking

PSD2 Regulatory Technical Standards on Strong Customer Authentication and dynamic linking — the EU mobile banking authentication baseline.

Auth Factors

Knowledge, Possession, Inherence

Mandatory

Dynamic Linking

Per payment

Exemptions

Risk-based

EU + UK

Mapped Mandates

FCA aligned

Upload APK →Book Enterprise Demo →Compare Frameworks →

Governance Snapshot

PSD2 • live APK index

Live

Category coverage

PSD2-K

85%

Knowledge Factor

PSD2-P

78%

Possession Factor

PSD2-I

80%

Inherence Factor

PSD2-DL

72%

Dynamic Linking

PSD2-TRA

64%

Transaction Risk Analysis

Overview

Security Goals

Why governance, AppSec and audit teams adopt this framework.

Strong Authentication

Two-of-three independent factors per session.

Dynamic Linking

Bind authentication to amount + payee.

Fraud-Risk Exemptions

Apply TRA exemptions safely.

Secure Execution Env

Protect auth secrets in isolated env.

Control Domains

Framework Control Domains

Per-domain coverage, common failures and APK evidence — expand each for detail.

5 control domains · 76% avg coverage

Knowledge Factor

PSD2-K

Something only the user knows — PIN, password, response to challenge.

Coverage85%

Checks

✓Strong PIN policy
✓Lockout on brute force
✓No knowledge factor stored in app

Common Failures

✗4-digit PIN with no lockout
✗PIN cached in plaintext

APK Finding Examples

PIN regex matched in cache

Recommended SDKs

Android KeystoreiOS Secure Enclave

View Remediation →

Possession Factor

PSD2-P

Something only the user possesses — device, hardware token, mobile SIM.

Coverage78%

Checks

✓Device binding
✓Secure element / TEE backed
✓OTP delivery hardened

Common Failures

✗Possession factor cloneable
✗OTP delivered to email-only

APK Finding Examples

Device binding bypassable

Recommended SDKs

FIDO2ApproovDUO

View Remediation →

Inherence Factor

PSD2-I

Something the user is — biometric (fingerprint, face) via secure platform APIs.

Coverage80%

Checks

✓Biometric via OS APIs
✓Liveness on high-risk
✓No biometric template in app

Common Failures

✗Biometric stored in sandbox
✗No liveness on transfers

APK Finding Examples

Biometric template leaks

Recommended SDKs

Android BiometricPromptiOS LocalAuthenticationiProov

View Remediation →

Dynamic Linking

PSD2-DL

Authentication code must be specific to the amount and payee — visible to the user before approval.

Coverage72%

Checks

✓Amount + payee bound
✓User-visible confirmation
✓Server-side enforcement

Common Failures

✗Generic OTP for all transactions
✗No payee binding

APK Finding Examples

OTP not bound to transaction

Recommended SDKs

TLS + signed transactionWSO2 ID

View Remediation →

Transaction Risk Analysis

PSD2-TRA

Risk-based exemptions require server-side scoring — fraud rate must remain within RTS thresholds.

Coverage64%

Checks

✓Real-time risk engine
✓Fraud rate monitoring
✓Exemption audit trail

Common Failures

✗TRA without monitoring
✗Exemption fraud above threshold

APK Finding Examples

Client-side exemption decisions

Recommended SDKs

FeaturespaceThreatMetrixFalcon

View Remediation →

Banking Implications

Why PSD2 SCA matters for Mobile Banking

Recommended posture by app type and the regulators that reference this framework.

critical risk

Retail EU Banking

All in-scope payments require SCA.

Recommended

Full SCA + Dynamic Linking

critical risk

PISP Apps

Third-party provider compliance.

Recommended

PSD2 + APIs

high risk

AISP Apps

Account information services.

Recommended

SCA on consent

high risk

Open Banking

API certificate identity.

Recommended

PSD2 + eIDAS QSeal

Regulator Mapping

Where PSD2 SCA is referenced

RequiredRecommendedReferencedInformational

UAE CB

referenced

GCC

SAMA

referenced

GCC

MAS TRM

recommended

APAC

RBI

referenced

APAC

APRA CPS 234

referenced

APAC

FFIEC

referenced

Americas

PSD2 / EBA

recommended

DORA

recommended

Cross Mapping

Framework Coverage Matrix

How this framework maps across MASVS, OWASP Mobile, PCI DSS, PSD2, DORA and central-bank guidance.

CoveredPartialNot coveredN/A

Control	MASVS	OWASP Mobile	PCI DSS Mobile	PSD2	DORA	UAE CB
Strong Auth	●	●	●	●	●	●
Dynamic Linking	◐	◐	○	●	○	◐
Biometric Hardening	●	●	◐	●	◐	●
TRA	○	○	○	●	◐	○

Live APK Governance

How MobAIsec evaluates PSD2 SCA

Sample governance report from a recent assessment — coverage, gaps and top violations.

Live preview

Critical gaps2

High gaps3

Medium gaps5

Coverage heatmap

Knowledge

85%

Possession

78%

Inherence

80%

Dyn. Link

72%

TRA

64%

Top Violations

Run on your APK →

Dynamic linking missing on transfer
PSD2-DL
critical
Biometric template cached in sandbox
PSD2-I
critical
OTP not bound to amount + payee
PSD2-DL
high
TRA exemption fraud above threshold
PSD2-TRA
high

Upload your APK to receive a PSD2 SCA assessment

Get coverage score, missing controls, severity-weighted gaps and a board-ready PDF.

Upload APK for PSD2 SCA Assessment →

Threat Intelligence

Threats this framework defends against

Curated mobile attack patterns aligned to the controls above.

All threat intel →

Threat

Root / Jailbreak detection

Prevent rooted-device fraud and runtime privilege abuse.

Read intel →

Threat

SSL pinning bypass

Detect and resist Frida / proxy interception of TLS.

Read intel →

Threat

Overlay attacks

Block credential and OTP theft from malicious overlays.

Read intel →

Threat

Runtime tampering

Detect APK repackaging, dynamic patching and hooking.

Read intel →

Threat

Frida detection

Prevent instrumentation-based runtime manipulation.

Read intel →

Country Mandates

Mandates using PSD2 SCA

Country regulators that reference this framework — usage confidence and mapped control count.

Browse all jurisdictions →

UAE

CBUAE

38 controls

Usage confidence92%

View country requirements →

Singapore

MAS

42 controls

Usage confidence96%

View country requirements →

India

RBI

34 controls

Usage confidence88%

View country requirements →

European Union

EBA / PSD2

46 controls

Usage confidence94%

View country requirements →

United Kingdom

FCA / PRA

36 controls

Usage confidence89%

View country requirements →

Saudi Arabia

SAMA

32 controls

Usage confidence86%

View country requirements →

Trust & Adoption

Used across banking security programs

Mobile banking security teams use this framework to establish secure release gates and runtime baselines.

EU banks

All in-scope EU mobile banking apps implement SCA.

UK FCA

FCA aligns mobile banking SCA expectations with PSD2 RTS.

FAQ

Frequently asked questions

For BFSI CISOs, AppSec, audit and governance teams.

Is SCA required for all mobile banking actions?

SCA is required for account access (after 90 days) and electronic payments, with explicit RTS exemptions for low-value, trusted-beneficiary and recurring transactions.

What is dynamic linking?

Dynamic linking binds the authentication code to a specific amount and payee, visible to the user before approval. It is mandatory for PSD2-scoped payments.

How can MobAIsec verify SCA implementation?

MobAIsec inspects auth flows, biometric handling and binding signals in the APK, then maps findings to PSD2 RTS articles for audit-ready evidence.

Start now

Ready to assess your APK against PSD2 SCA?

Upload your Android banking app and receive a complete enterprise governance assessment in minutes.

✓Framework coverage score
✓Missing controls list
✓Fraud readiness signal
✓Executive PDF report
✓Banking mandate mapping
✓Remediation guidance

Start Free APK Assessment Talk to Security Expert