Payment Service Directive (PSD2): What are the challenges for mobile security?

Posted by Roxane Suau on July 19, 2018

What is the PSD2?

The second Payment Service Directive (PSD2) and its associated Regulatory Technical Standards (RTS) have been published by the European Banking Authority and validated by the European Parliament in early 2018.


This new directive aims to harmonize the protection of electronic payments and consumers' financial data while promoting innovation and offering users a better experience. It applies to banks, payment service providers (PSPs) and any other company that handles banking data.


Open-banking API

The PSD2 requires European banks to develop their own open-banking APIs in order to standardize the flows between their information systems and third-party providers. The banks' APIs will have to be ready by March 2019 in order to undergo a 6-month test period during which their performance will be scrutinized.


Precise security obligations

Two complementary security principles appear among the security measures imposed by Articles 4, 7, 8 and 9 of the RTS: strong authentication and a secure execution environment.

Financial service providers, including banks, must implement authentication based on a minimum of two factors and a one-time password. For authentication to be strong, the authentication code must remain confidential and fraudulent access must be prevented.

The PSD2 highlights the fact that authentication is reliable only when it is ensured that the communication cannot be intercepted and that the sender of the data request is the user, not malware.


To ensure strong authentication, the PSD2 requires the execution environment to be secured by verifying the security of users' endpoints.


How to secure the execution environment of mobile applications?

In order to ensure the integrity of users' devices, mobile applications that handle banking data and enable financial transactions must integrate a security module that analyzes their execution environment.

Runtime Application Self-Protection (RASP) technology, available as an SDK to embed within mobile applications, provides real-time diagnostics of the integrity of users' devices and conditions access to APIs accordingly.

In the context of PSD2, which aims, among other things, at protecting highly distributed mobile applications, in-app protection is key to the reliability of strong authentication.
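The gating logic the two previous sections describe (diagnose the execution environment, then condition API access on the result), as an added example that is not Pradeo's SDK or any code from this post: a small Python model in which raw environment signals with assumed names (`debugger_attached`, `hooking_framework`, `signature_mismatch`, `rooted`, `emulator`, `os_patch_age_days`) become findings, the worst finding drives a decision, and each API call is allowed, forced through step-up authentication, or blocked depending on the endpoint's sensitivity. The endpoint names and the 180-day patch threshold are constructed for illustration; collecting the signals on the device is out of scope and would be the job of the embedded security module.

```python
"""Policy model for an in-app runtime integrity check gating bank API calls.

Added example, not Pradeo's SDK: the signal names, endpoints and thresholds
below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Severity(Enum):
    INFO = 1
    WARN = 2
    CRITICAL = 3


@dataclass(frozen=True)
class Finding:
    check: str          # hypothetical check identifier
    severity: Severity
    detail: str


class Decision(Enum):
    ALLOW = "allow"       # environment looks healthy
    STEP_UP = "step_up"   # degraded trust: extra factor before sensitive calls
    DENY = "deny"         # environment cannot be trusted with banking data


# Hypothetical endpoint classification; anything unknown is treated as sensitive.
ENDPOINT_SENSITIVITY: Dict[str, str] = {
    "/accounts/balance": "read",
    "/payments/initiate": "write",
}


def diagnose(signals: Dict[str, object]) -> List[Finding]:
    """Turn raw environment signals (as a RASP module would collect them)
    into findings. Only the mapping is modelled here, not the collection."""
    findings: List[Finding] = []
    if signals.get("debugger_attached"):
        findings.append(Finding("debugger", Severity.CRITICAL,
                                "a debugger is attached to the process"))
    if signals.get("hooking_framework"):
        findings.append(Finding("hooking", Severity.CRITICAL,
                                "an instrumentation framework is loaded"))
    if signals.get("signature_mismatch"):
        findings.append(Finding("tamper", Severity.CRITICAL,
                                "app signing identity does not match the release"))
    if signals.get("rooted"):
        findings.append(Finding("root", Severity.WARN,
                                "device appears rooted or jailbroken"))
    if signals.get("emulator"):
        findings.append(Finding("emulator", Severity.WARN,
                                "running inside an emulator"))
    if int(signals.get("os_patch_age_days", 0)) > 180:
        findings.append(Finding("outdated_os", Severity.INFO,
                                "security patch level older than 180 days"))
    return findings


def decide(findings: List[Finding]) -> Decision:
    """The worst finding drives the decision."""
    worst = max((f.severity.value for f in findings), default=0)
    if worst >= Severity.CRITICAL.value:
        return Decision.DENY
    if worst >= Severity.WARN.value:
        return Decision.STEP_UP
    return Decision.ALLOW


def gate_api_call(endpoint: str, signals: Dict[str, object],
                  step_up_done: bool = False) -> Tuple[bool, str]:
    """Decide whether the app may call `endpoint` given the device posture.

    Returns (allowed, reason). Read-only endpoints tolerate degraded trust;
    write endpoints require a completed step-up when trust is degraded.
    """
    decision = decide(diagnose(signals))
    sensitivity = ENDPOINT_SENSITIVITY.get(endpoint, "write")
    if decision is Decision.DENY:
        return False, "blocked: critical integrity finding"
    if decision is Decision.STEP_UP and sensitivity == "write" and not step_up_done:
        return False, "step-up authentication required"
    return True, "ok"


if __name__ == "__main__":
    # Constructed device postures, one per line of output.
    postures = {
        "clean": {},
        "rooted": {"rooted": True},
        "debugged": {"debugger_attached": True, "rooted": True},
    }
    for name, posture in postures.items():
        for endpoint in ENDPOINT_SENSITIVITY:
            print(name, endpoint, gate_api_call(endpoint, posture))
```

With this policy a balance lookup still works on a rooted device while payment initiation demands an extra factor first, and any critical finding (debugger, hooking framework, tampered signing identity) blocks every call, which is the "sender is the user, not malware" property the directive asks the execution environment to guarantee.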
