PSD2 directive and its standards
The PSD2 Directive obliges the bank (the account servicing payment service provider, ASPSP) to open up its payment accounts and provide such access to third-party providers (TPPs), including Small Payment Institutions (small PIs). Several requirements must be met first, however: the bank authenticates the TPP's customer with a Strong Customer Authentication (SCA) mechanism, verifies the scope of the access that customer consents to, and only then makes the data available.
The security solutions proposed by the Polish API (the client authentication mechanism on the ASPSP side of the Polish API) build on the OAuth2 standard. A number of adjustments have been introduced, however, such as splitting the user's redirection to the authorization address into two steps and adding new functionality, the so-called exchange token.
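The checks the bank makes in such a flow are easier to see in code than in prose. The block below is an added example written for this article; it is not PolishAPI or TUATARA code and does not reproduce PolishAPI's actual endpoints, message formats or exchange-token semantics. It models a minimal in-memory authorization server on the ASPSP side with the elements the paragraph above mentions: a two-step redirect in which the TPP first registers its authorization request with the bank and the user is then sent to a bank-issued request URI (the resemblance to OAuth 2.0 Pushed Authorization Requests, RFC 9126, is an analogy drawn here, not a statement of the PolishAPI specification), SCA before consent is recorded, scope checks, and a token exchange that may narrow but never widen the consented scope (in the spirit of RFC 8693). The client `tpp-example`, its redirect URI, the scope names `ais`/`pis` and the `urn:aspsp:request:` prefix are all constructed for the illustration.

```python
"""In-memory model of the bank (ASPSP) side of an OAuth2 flow with a two-step redirect.

Added example, not PolishAPI or TUATARA code. Client registration, endpoint
names, scope names and the request-URI scheme are assumptions for illustration.
"""
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

# Constructed TPP registration: client_id -> redirect URIs registered with the bank.
REGISTERED_CLIENTS = {"tpp-example": {"https://tpp.example/callback"}}


class AuthError(Exception):
    """Raised whenever one of the bank's checks fails."""


def _s256(verifier):
    """PKCE S256 transform: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_pkce_pair():
    """TPP side: a fresh PKCE verifier and its S256 challenge."""
    verifier = secrets.token_urlsafe(32)
    return verifier, _s256(verifier)


class ASPSP:
    def __init__(self):
        self._requests = {}  # request_uri -> pushed authorization request
        self._codes = {}     # authorization code -> data bound to it
        self._tokens = {}    # access token -> client_id and scope

    def push_authorization_request(self, client_id, redirect_uri, scope, state, code_challenge):
        """Step 1 of the two-step redirect: the TPP backend registers its request."""
        if redirect_uri not in REGISTERED_CLIENTS.get(client_id, set()):
            raise AuthError("unknown client or unregistered redirect_uri")
        request_uri = "urn:aspsp:request:" + secrets.token_urlsafe(16)
        self._requests[request_uri] = {
            "client_id": client_id, "redirect_uri": redirect_uri, "scope": set(scope),
            "state": state, "code_challenge": code_challenge, "expires": time.time() + 60,
        }
        return request_uri  # the TPP redirects the user to the bank with this URI

    def authorize(self, request_uri, sca_passed, consented_scope):
        """Step 2: the user arrives at the bank, passes SCA and consents to a scope."""
        req = self._requests.pop(request_uri, None)  # a request URI is single use
        if req is None or req["expires"] < time.time():
            raise AuthError("unknown or expired request_uri")
        if not sca_passed:
            raise AuthError("strong customer authentication failed")
        consented = set(consented_scope)
        if not consented <= req["scope"]:
            raise AuthError("consent wider than the scope the TPP asked for")
        code = secrets.token_urlsafe(24)
        self._codes[code] = {**req, "scope": consented, "expires": time.time() + 60}
        return req["redirect_uri"] + "?" + urlencode({"code": code, "state": req["state"]})

    def token(self, client_id, code, redirect_uri, code_verifier):
        """Token endpoint: authorization_code grant, bound to client, URI and PKCE."""
        bound = self._codes.pop(code, None)  # a code is single use
        if bound is None or bound["expires"] < time.time():
            raise AuthError("invalid or expired code")
        if bound["client_id"] != client_id or bound["redirect_uri"] != redirect_uri:
            raise AuthError("code was issued to a different client or redirect_uri")
        if _s256(code_verifier) != bound["code_challenge"]:
            raise AuthError("PKCE verification failed")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"client_id": client_id, "scope": bound["scope"]}
        return token

    def exchange_token(self, client_id, subject_token, requested_scope):
        """Exchange one token for another; the new scope may only be narrower."""
        bound = self._tokens.get(subject_token)
        if bound is None or bound["client_id"] != client_id:
            raise AuthError("subject token unknown or not owned by this client")
        requested = set(requested_scope)
        if not requested <= bound["scope"]:
            raise AuthError("exchange would widen scope beyond the customer's consent")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"client_id": client_id, "scope": requested}
        return token

    def scope_of(self, token):
        return set(self._tokens[token]["scope"])


def run_happy_path():
    """Walk the whole flow once; returns the scope of the final, narrowed token."""
    bank = ASPSP()
    verifier, challenge = make_pkce_pair()
    request_uri = bank.push_authorization_request(
        "tpp-example", "https://tpp.example/callback", {"ais", "pis"}, "st-1", challenge)
    redirect = bank.authorize(request_uri, sca_passed=True, consented_scope={"ais", "pis"})
    params = dict(p.split("=") for p in redirect.split("?", 1)[1].split("&"))
    access = bank.token("tpp-example", params["code"], "https://tpp.example/callback", verifier)
    narrowed = bank.exchange_token("tpp-example", access, {"ais"})
    return bank.scope_of(narrowed)


if __name__ == "__main__":
    print(run_happy_path())
```

The points worth carrying over to a real implementation are the ones the model enforces: the request URI and the authorization code are each accepted exactly once, the code is bound to the client, redirect URI and PKCE challenge it was issued for, consent can never exceed what the TPP requested, and an exchanged token can never exceed what the customer consented to.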
Understanding the OAuth2 standard is helpful when implementing the Polish API authorization mechanisms. You can read more on the analogies between the two standards in an article by Grzegorz Abramczyk, IT Architect at TUATARA, on geek.justjoin.it (text in Polish).
You are also invited to read Grzegorz's first publication, on the PSD2 directive.