Mobile Security Blog | Pradeo

Payment Service Directive (PSD2): What are the challenges for mobile security?

Written by Roxane Suau | July 02, 2019


What is the PSD2?

The second Payment Service Directive (PSD2) and its associated Regulatory Technical Standards (RTS) have been published by the European Banking Authority and validated by the European Parliament in early 2018.

This directive aims at harmonizing the protection of electronic payments and consumers' financial data while promoting innovation and offering better experience to users. It applies to banks, payment service providers (PSP) and any other company that handles banking data.


Open-banking API

The PSD2 requires European banks to develop their own open-banking APIs in order to standardize the flows between their information systems and third-party providers. The banks' APIs had to be ready by March 2019 in order to undergo a 6-month test period during which their performance is scrutinized.


Precise security obligations

Two complementary security principles appear among the security measures imposed by Articles 4, 7, 8 and 9 of the RTS: strong authentication and a secure execution environment.

Financial service providers, including banks, must implement authentication based on a minimum of two factors and a one-time password. In order to ensure strong authentication, the confidentiality of the authentication code and the prevention of fraudulent access are required.

The PSD2 highlights the fact that authentication is reliable only when it is ensured that the communication cannot be intercepted and that the sender of the data request is the user, and not malware.

To ensure strong authentication, the PSD2 therefore requires securing the execution environment by controlling the security of users' endpoints.


How to secure the execution environment of mobile applications?

In order to ensure the integrity of users' devices, mobile applications that handle banking data and enable financial transactions must integrate a security module that analyzes their execution environment.

Runtime Application Self-Protection (RASP) technology, available as an SDK to embed within mobile applications, provides real-time diagnostics of the integrity of the user's device and conditions access to APIs accordingly.

In the context of PSD2, which aims, among other things, at protecting highly distributed mobile applications, in-app protection is the key to the reliability of strong authentication.
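The two requirements above (a one-time-password second factor, and API access conditioned on the integrity of the execution environment) are easiest to see together in code. The following is an added example written for this post; it is not Pradeo's SDK, not any bank's code, and not a reference implementation of the RTS. It implements the OTP side with standard RFC 4226/6238 HOTP/TOTP from the Python standard library, and models the RASP side as a device self-diagnostic whose field names (rooted device, debugger, hooking framework, screen overlay, application signature) and whose access policy are assumptions for the example. The sample secret is the published RFC 4226 test secret.

```python
"""Gate a payment API call on two things the PSD2 RTS ties together: a
one-time-password second factor and the integrity of the execution
environment, as an in-app RASP module would report it. Added illustration,
not Pradeo's SDK or any bank's code; report fields, the access policy and
the sample secret are constructed for the example."""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class IntegrityReport:
    """Device self-diagnostic such as a RASP SDK could deliver at runtime
    (field names are assumptions made for this example)."""
    rooted_or_jailbroken: bool = False
    debugger_attached: bool = False
    hooking_framework_detected: bool = False
    screen_overlay_active: bool = False
    app_signature_valid: bool = True


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reasons: tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: int,
                step: int = 30, window: int = 1) -> bool:
    """RFC 6238 TOTP check tolerating +/- `window` steps of clock drift.
    compare_digest keeps each string comparison constant-time, so the
    expected code is not leaked through timing."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


def environment_decision(report: IntegrityReport, operation: str) -> Decision:
    """Condition API access on the diagnostic. Anything that lets another
    process observe or forge the OTP (debugger, hooking, overlay) or that
    voids the app's own integrity blocks every operation; a rooted device
    is, in this example policy, allowed read-only access but may not
    initiate payments."""
    blocking = []
    if report.debugger_attached:
        blocking.append("debugger attached")
    if report.hooking_framework_detected:
        blocking.append("hooking framework detected")
    if report.screen_overlay_active:
        blocking.append("screen overlay active")
    if not report.app_signature_valid:
        blocking.append("application signature invalid")
    if report.rooted_or_jailbroken and operation == "initiate_payment":
        blocking.append("rooted device may not initiate payments")
    return Decision(not blocking, tuple(blocking))


def authorize(report: IntegrityReport, operation: str,
              otp_secret: bytes, submitted_otp: str, now: int) -> Decision:
    """Full gate: the environment must be trustworthy before the OTP is even
    considered, since an OTP typed on a compromised device proves nothing."""
    env = environment_decision(report, operation)
    if not env.allowed:
        return env
    if not verify_totp(otp_secret, submitted_otp, now):
        return Decision(False, ("one-time password invalid",))
    return Decision(True, ())


if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test secret, clock at t=59 (counter 1).
    secret = b"12345678901234567890"
    code = hotp(secret, 59 // 30)
    print(authorize(IntegrityReport(), "initiate_payment", secret, code, 59))
    print(authorize(IntegrityReport(hooking_framework_detected=True),
                    "initiate_payment", secret, code, 59))
    print(authorize(IntegrityReport(rooted_or_jailbroken=True),
                    "read_balance", secret, code, 59))
```

The ordering in `authorize` is the point of the RTS wording quoted above: the OTP is only checked once the diagnostic says nothing on the device can read or replay it, and the policy is graduated per operation rather than a single pass/fail, which is what "conditions access to APIs accordingly" amounts to in practice.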
