Pursuant to Article 35(1) of RTS on SCA & CSC account servicing payment service providers, payment service providers (hereinafter: ASPSPs)  issuing card-based payment instruments, account information service providers and payment initiation service providers shall ensure that, when exchanging data by means of the internet, secure encryption is applied between the communicating parties throughout the respective communication session in order to safeguard the confidentiality and the integrity of the data, using strong and widely recognised encryption techniques.

However, in this context, the SCAr does not regulate whether payment service providers are obliged to use (adopt) only one or more of the strong and widely recognised encryption techniques (e.g. currently RSA and ECC), as indicated in the technical specification documentation of the access interface in accordance with the second subparagraph of Article 30(3) of the the RTS on SCA & CSC.

Some ASPSPs have decided not to provide all strong and widely recognized encryption techniques only RSA and this caused refused API call connections because of the use of an ECC algorithm certificate.