What Is PSD2 & What Changes Does It Bring?
By Netacea / 03rd Sep 2019
If you’re not in financial services or retail, the European Union’s Second Payment Services Directive (PSD2) may have passed you by. If you are in financial services or retail, there’s a strong chance you’ve spent the last eighteen months furiously preparing for the upcoming compliance deadline.
In this blog, we’ll outline some of the changes introduced by PSD2, how the changes will affect the customer experience and what your organisation needs to do to stay secure in the new PSD2 environment.
What is PSD2?
PSD2 was implemented in 2018 to reduce the existing monopoly on customer account information and payment services while improving and standardising security procedures for customers. Payment processors throughout the EU must comply with the directive, which requires the implementation of two major changes:
- Banks must give third-party providers (TPPs), such as aggregators and brokers, access to customer accounts via open APIs.
- Payment service providers must integrate strong customer authentication (SCA) to reduce the number of cyber-attacks, including credential stuffing, card cracking and account takeover.
Securing customer data is vital: according to the Financial Conduct Authority (FCA), reports of cyber incidents at financial services firms increased by 1000% in 2018, and the FCA expects this figure to rise with the growth in mobile payments.
When do payment providers need to be compliant?
With mere weeks to go until the original PSD2 compliance deadline of 14th September 2019, the FCA successfully secured a significant deadline extension. The FCA stepped in because of nervousness in the financial services market that the speed of innovation is outpacing the security protocols required to secure web-facing applications.
The deadline for SCA compliance now stands at March 2020, giving all payment service providers a full 18 months to get their ducks in a row.
There is still ambiguity surrounding the requirements for open API implementation. So far, the lack of standardisation has encouraged innovation but has also widened the attack surface for cybercriminals, who can now take advantage of vulnerabilities in the authentication processes of websites, web apps and APIs.
How will PSD2 change the customer experience?
Many financial services organisations have already done a significant amount of work securing the ‘front end’ login processes in preparation for SCA. Customers can no longer authenticate to their account with a simple username and password combination; they must now complete two-factor authentication using methods such as biometrics, text messages and one-time codes. The challenges in this attack space are well understood, and potentially malicious traffic is typically profiled and mitigated using basic methods such as IP and geo-blocking.
APIs, however, remain largely untouched territory for InfoSec teams, and there is an increasing need to distinguish human from non-human traffic on this attack vector to make sure customers are protected from bad bot threats.
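As an added illustration of what "distinguishing human from non-human traffic" on an authentication API can look like in practice (this is example code written for this page, not Netacea's product logic), the script below scores each source IP in a batch of login events on three signals that credential-stuffing tools exhibit together: many distinct accounts tried, a high failure rate, and near-zero spacing between requests. The JSON-lines log format, the field names, the thresholds and the sample events are all constructed for the example; a frustrated human retrying one account is deliberately included to show that a single signal on its own does not raise an alert.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample of authentication events against a banking API
# (JSON lines; field names and values are invented for this example).
SAMPLE_LOG = """
{"ts": "2019-09-03T10:00:00Z", "ip": "203.0.113.10", "user": "alice", "ua": "MyBank/4.2 (iPhone)", "result": "fail"}
{"ts": "2019-09-03T10:00:21Z", "ip": "203.0.113.10", "user": "alice", "ua": "MyBank/4.2 (iPhone)", "result": "ok"}
{"ts": "2019-09-03T10:02:00Z", "ip": "203.0.113.25", "user": "bob", "ua": "Mozilla/5.0 (Windows NT 10.0)", "result": "fail"}
{"ts": "2019-09-03T10:02:40Z", "ip": "203.0.113.25", "user": "bob", "ua": "Mozilla/5.0 (Windows NT 10.0)", "result": "fail"}
{"ts": "2019-09-03T10:03:35Z", "ip": "203.0.113.25", "user": "bob", "ua": "Mozilla/5.0 (Windows NT 10.0)", "result": "fail"}
{"ts": "2019-09-03T10:04:10Z", "ip": "203.0.113.25", "user": "bob", "ua": "Mozilla/5.0 (Windows NT 10.0)", "result": "fail"}
{"ts": "2019-09-03T10:05:00Z", "ip": "203.0.113.25", "user": "bob", "ua": "Mozilla/5.0 (Windows NT 10.0)", "result": "ok"}
{"ts": "2019-09-03T10:07:00Z", "ip": "198.51.100.7", "user": "carol", "ua": "python-requests/2.22.0", "result": "fail"}
{"ts": "2019-09-03T10:07:00Z", "ip": "198.51.100.7", "user": "dave", "ua": "python-requests/2.22.0", "result": "fail"}
{"ts": "2019-09-03T10:07:01Z", "ip": "198.51.100.7", "user": "erin", "ua": "python-requests/2.22.0", "result": "fail"}
{"ts": "2019-09-03T10:07:01Z", "ip": "198.51.100.7", "user": "frank", "ua": "python-requests/2.22.0", "result": "fail"}
{"ts": "2019-09-03T10:07:01Z", "ip": "198.51.100.7", "user": "grace", "ua": "python-requests/2.22.0", "result": "ok"}
{"ts": "2019-09-03T10:07:02Z", "ip": "198.51.100.7", "user": "heidi", "ua": "python-requests/2.22.0", "result": "fail"}
{"ts": "2019-09-03T10:07:02Z", "ip": "198.51.100.7", "user": "ivan", "ua": "python-requests/2.22.0", "result": "fail"}
{"ts": "2019-09-03T10:07:02Z", "ip": "198.51.100.7", "user": "judy", "ua": "python-requests/2.22.0", "result": "fail"}
"""


def parse_ts(value: str) -> datetime:
    """Parse the example's UTC timestamps (whole seconds, trailing 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def analyse(lines, min_attempts=5, min_distinct_ratio=0.8,
            min_fail_rate=0.7, max_mean_gap=2.0):
    """Group login events by source IP and flag IPs where at least two
    credential-stuffing signals fire. Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["t"] = parse_ts(event["ts"])
        by_ip[event["ip"]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["t"])
        n = len(events)
        if n < min_attempts:
            continue
        distinct = len({e["user"] for e in events})
        fails = sum(e["result"] != "ok" for e in events)
        gaps = [(b["t"] - a["t"]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = mean(gaps)

        reasons = []
        if distinct / n >= min_distinct_ratio:
            reasons.append(f"{distinct} distinct accounts in {n} attempts")
        if fails / n >= min_fail_rate:
            reasons.append(f"{fails}/{n} attempts failed")
        if mean_gap <= max_mean_gap:
            reasons.append(f"mean gap between attempts {mean_gap:.2f}s")

        # One signal alone (e.g. a human who forgot their password) is not enough.
        if len(reasons) >= 2:
            findings[ip] = {
                "attempts": n,
                "distinct_users": distinct,
                "fail_rate": round(fails / n, 3),
                "mean_gap_s": round(mean_gap, 3),
                "user_agents": sorted({e["ua"] for e in events}),
                # Accounts that authenticated successfully from a flagged IP are
                # the ones to step up with SCA, notify, or review for takeover.
                "compromised_candidates": [e["user"] for e in events if e["result"] == "ok"],
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for ip, detail in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, json.dumps(detail, indent=2))
```

Per-IP aggregation is the simplest cut; stuffing tools that rotate through proxies will spread the same pattern across many addresses, so the same signals are normally also computed per user agent, per ASN and per target account before a verdict is reached.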
Can anyone access a bank’s API?
TPPs are subject to rigorous checks and must meet criteria stipulated by PSD2 to access open APIs. However, there is an increasing focus on innovation and on maintaining a ‘frictionless’ journey, and therefore inherent security risks that everyone affected needs to consider. Neobanks and fintechs are constantly pushing the boundaries, introducing new functionality for customers via mobile banking applications, which means automated traffic patterns will continue to change rapidly over the coming months and years as we venture further into unknown territory.
James Maude, Netacea’s Head of Threat Research, summed up the threat to API security in a recent blog for Computer Weekly:
“The problem for banks is that, even if they take every precaution to make sure that the API is secure, there are ways to attack it that are out of their control. A hacker with access to a TPP’s system could use it to scrape personal details, but it doesn’t have to be quite so direct. An improperly secured and poorly designed third-party app configured to share the bank’s data is a direct link to an API that can be exploited in a “supply chain” attack.”
PSD2 represents a huge opportunity to improve the financial services market as we know it, but it is imperative that financial services providers protect themselves and their customers from additional risk.
Secure your API layer with Netacea
To comply with PSD2, your financial services organisation must implement APIs to facilitate open banking, and you must also recognise the associated security risks.
At Netacea, we take a revolutionary approach to bot management, applying a single solution with innovative coverage across all API points of vulnerability – browser, mobile app and API server – without the need for multiple products or complex mobile SDKs.