What constitutes a “given period of time” as expressed in Article 4.3 (b) of the RTS on strong customer authentication and secure communication?
RTS Article 4.3 (b) states “the number of failed authentication attempts that can take place consecutively, after which the actions referred to in Article 97(1) of Directive (EU) 2015/2366 shall be temporarily or permanently blocked, shall not exceed five within a given period of time;”.
It is assumed that the goal of the requirement is to rate-limit, for example, brute force attacks to an acceptable level of security.
In accordance with Article 4(3)(b) of the Delegated Regulation (EU) 2018/389, payment service providers (PSPs) shall ensure that the actions referred to in Article 97(1) of Directive 2015/2366/EU (PSD2) are temporarily or permanently blocked after a number of failed authentication attempts that does not exceed five within a given period of time.
The Delegated Regulation does not specify the time period during which the failed authentication attempts referred to in Article 4(3)(b) shall take place. Therefore, it is for each PSP to decide, based on their risk assessment, the duration of this time period. The same principle also applies to determining the duration of the temporary block of the actions referred to in Article 97(1) of PSD2 by the PSP after the maximum number of failed authentication attempts has been exceeded, and to deciding when the PSP should block these actions permanently.
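The following is an added illustration, not part of the EBA answer, of how a PSP might implement the rule: at most five consecutive failures counted inside a PSP-chosen window, then a temporary block, and a permanent block after a chosen number of temporary blocks. The window length, block duration and permanent-block threshold are the values the answer leaves to the PSP's risk assessment; the defaults below are constructed placeholders, not figures from the regulation.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of the current run of consecutive failures
    blocked_until: Optional[float] = None                # end of a temporary block, if any
    temp_blocks: int = 0                                  # temporary blocks applied so far
    permanently_blocked: bool = False


class AuthAttemptLimiter:
    """Article 4(3)(b): block after no more than MAX_FAILURES consecutive failed
    attempts within window_s seconds. window_s, block_s and permanent_after are
    assumed PSP policy values (constructed defaults, not from the RTS)."""
    MAX_FAILURES = 5

    def __init__(self, window_s: float = 300.0, block_s: float = 900.0, permanent_after: int = 3):
        self.window_s, self.block_s, self.permanent_after = window_s, block_s, permanent_after
        self._accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def is_blocked(self, user: str, now: float) -> bool:
        s = self._state(user)
        return s.permanently_blocked or (s.blocked_until is not None and now < s.blocked_until)

    def record_failure(self, user: str, now: float) -> str:
        """Returns 'blocked', 'failed', 'temporarily_blocked' or 'permanently_blocked'."""
        s = self._state(user)
        if self.is_blocked(user, now):
            return "blocked"                     # attempts during a block are not counted, just refused
        s.failures = [t for t in s.failures if now - t <= self.window_s]  # only failures inside the window count
        s.failures.append(now)
        if len(s.failures) >= self.MAX_FAILURES:  # the fifth failure triggers the block
            s.failures.clear()
            s.temp_blocks += 1
            if s.temp_blocks >= self.permanent_after:
                s.permanently_blocked = True
                return "permanently_blocked"
            s.blocked_until = now + self.block_s
            return "temporarily_blocked"
        return "failed"

    def record_success(self, user: str, now: float) -> bool:
        """A successful authentication ends the run of consecutive failures; refused while blocked."""
        if self.is_blocked(user, now):
            return False
        self._state(user).failures.clear()
        return True
```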