Przeczytaj wpis po polsku.

The PSD2 Directive entitles third party providers (TPP) to collect information from their clients about their bank accounts in order to provide them with TPP’s services. To do so, TPP must enter into an agreement allowing access to the data with its owner and only on the basis of this agreement may request the bank to issue the data.

The PSD2 Directive imposes on the bank the obligation to open up and provide such access to Small Payment Institutions (small PI). However, several requirements must be fulfilled. The bank determines the identity of the TPP’s client, verifies the scope of the access he or she provides and confirms the availability of the data by a Strong Customer Authentication mechanism (SCA).

The security solutions proposed by the Polish API (the client authentication mechanism on the ASPSP Polish API) take advantage from the OAuth2 standard. Although, a number of adjustments such as splitting a user redirection to the authorization address into two steps or introduction of new functionality, so-called exchange token, had been introduced.

Understanding the OAuth2 standard can be helpful when implementing the Polish API authorization mechanisms. You can read more on the analogies between standards - in an article by Grzegorz Abramczyk, IT Architect at TUATARA, on  (text in Polish). Feel invited to read this as well as the first Grzegorz’s publication on the PSD2 directive.