PSD2 security audit and implementation of requirements from RTS on SCA in practice

This bachelor thesis is focused on the topic of PSD2 security audit and implementation of requirements arising from RTS in practice. The goals of the work are to characterize PSD2 audit and find reason for its execution, to describe phases of PSD2 audit and to answer how the requirements arising from the RTS are implemented in practice. The goal is achieved by using the case study method. The introduction part describes the structure of the work, defines the objectives and the context, which means the topic of PSD2, especially the Regulatory Technical Standards for Strong Customer Authentication (RTS SCA), which set a number of requirements that payment service providers must apply to implement security measures concerning, in particular, strong client authentication and making its clients' data available to third parties via an API (Application Programming Interface). The RTS SCA is an essential document for conducting a security audit, together with other statements and comments of EBA (European Banking Authority) that providers must follow. Compliance with the requirements contained in the RTS SCA must be checked by an independent audit, which must be performed by IT security expert. The next part describes the qualitative research method Case study, which is used in this work. The method is divided into six phases – Plan, Design, Prepare, Collect, Analyze and Share. The third part presents the results obtained by the Case study method, which means answers to the basic research questions from the second chapter, namely "How are PSD2 audits done?" and "How are the requirements arising from the RTS implemented in practice?". The last part summarizes the results of the audit, evaluates the compliance with the audit process and the extent of compliance with the requirements set out in the RTS. In the end, the fulfillment of the goals of the work is discussed.