Cert. No.
CY-NTF-003
Flag State
CY
Issued
2026-05-26
Rev.
Α
03
Entry 03 of 08 · Security
RegisteredSMSPush

PSD2 SCA: low-latency OTP delivery for online banking in Cyprus

Under PSD2 Strong Customer Authentication, every online payment requires two independent factors (something you know + something you have / are). In Cyprus, „you have" is mostly SMS OTP — although push OTP via banks' mobile apps is gaining ground. 4notify routes OTPs over premium tier-1 with P50 latency <3s per carrier (Cyta, Epic, PrimeTel, Cablenet) and a full audit trail.

Context

An OTP that doesn't reach the user within 30 seconds causes transaction abandonment and often a switch to a competitor. At peak hours (payroll, end-of-month transfers), delays compound if routing is over a grey route.

Legal framework
Καν. (ΕΕ) 2018/389 — RTS PSD2 SCA

Two independent factors required; every failure must be logged.

Ν. 31(Ι)/2018 — PSD2 Κύπρου, άρθρο 97

Duty of provider to enforce SCA for remote electronic transactions.

EBA Opinion EBA-Op-2019-06

Guidance on equivalent SCA factors and secure OTP delivery.

Voyage
01

Premium tier-1 routing

All OTPs are routed over a tier-1 premium gateway — never a grey route. The alphanumeric sender ID („YourBank") is preserved and DLRs return within <2s.

02

Automatic carrier detection

HLR lookup before dispatch classifies the number into Cyta / Epic / PrimeTel / Cablenet. Per-carrier latency statistics show up on the dashboard.

03

TTL and one-time use

Each OTP is issued with a 5-minute TTL and one-time use. After successful use or expiry, the token is marked „consumed" in the vault.

04

Push fallback for bank mobile apps

If the user has the bank's official app installed, the OTP is sent as an encrypted push first. SMS routes only if push fails.

Code
bash
curl -X POST https://api.4notify.net/v1/otp \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "purpose": "psd2_sca",
    "recipient": {
      "phone": "+35799123456",
      "push_token": "fcm:abc..."
    },
    "session_id": "TRX-2026-39402",
    "transaction": {
      "amount": 245.00,
      "currency": "EUR",
      "merchant": "PUBLIC SUPERMARKET LIMASSOL"
    },
    "ttl_seconds": 300,
    "channels_priority": ["push", "sms"]
  }'
Sample message
SMS

YourBank: Your code: 482917. PUBLIC LIMASSOL €245.00. Never share. Expires in 5 minutes.

Pre-departure checks
  • Local P50/P95/P99 latency benchmarks per carrier
  • DST switch testing — Cyprus is on EEST/EET
  • Push fallback active for Cyprus's top 4 banks
  • Log SCA failures into the bank's audit log
  • Social-engineering safeguard: never send OTP without an active session
What 4notify does differently

Premium tier-1 routing on all 4 Cyprus carriers with P95 <6s and a live per-carrier dashboard — the compliance lane is never bypassed.

FAQ
What is the P50/P95 latency in Cyprus?

P50: 2.4s (Cyta), 2.7s (Epic), 2.9s (PrimeTel), 3.1s (Cablenet). P95: <6s on all carriers. Push fallback <1s for app users.

Is TOTP supported for offline OTP?

Not as a service — it's the bank's responsibility. 4notify is a delivery layer, not a TOTP generator. It can however send the initial enrolment QR.

Start free

14 days, no card. Support in Greek and English.

Other registry entries