With the implementation of the revised Payment Services Directive (PSD2), a new era of secure payments begins in the European Union. The new regulation offers enhanced customer protection against fraud, stricter liability and accountability rules, and strong customer authentication (SCA).
PSD2 requires dynamic linking for remote electronic payment transactions, so that the authentication code is tied to a specific amount and payee, and it introduces new types of payment services that allow customers’ accounts to be accessed through application programming interfaces (APIs).
The directive provides measures to protect the confidentiality and integrity of personalized security credentials. Banks will be authorized to block third-party access to an account if they detect unauthorized or fraudulent activity. At the same time, providers that fail to authenticate a transaction properly will be liable for the resulting losses.
After PSD2, many customers may start relying on third-party payment service providers (TPPs) for banking transactions. Because those transactions no longer originate in the bank’s own channels, fraud becomes harder for banks to detect.
By exposing their APIs to TPPs, banks open up a significantly larger attack surface to adversaries, and can no longer hide critical applications behind perimeter firewalls.
PSD2 encourages banks to embed security up front in the new systems and APIs, thus turning security into a business asset.
Creating systems with open APIs gives banks the opportunity to do things right from the start: enforcing authentication, authorization and input validation at the API layer blocks attacks high up the stack and keeps the core banking systems on the lower layers from being exposed directly.
Make API security an integral part of the PSD2 implementation, and ensure that the security controls on the APIs are on a par with those of existing digital banking channels.
Adopt a user-driven authentication framework in which the customer authenticates directly with the bank, so that user credentials are never disclosed to TPPs.
Use biometric technologies for authentication: biometrics supply the inherence factor (something the user is) that strong customer authentication can build on, and they also give customers a better experience.
Assess each customer’s location and behavior against their usual patterns to get a clearer view of the risk of a transaction and the level of authentication it requires.
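As an added illustration of the three recommendations above and of the dynamic linking mentioned earlier (this is example code written for this page, not code from the original article or from any bank), the following Python sketch models the flow a bank could implement: the customer authenticates with the bank directly, so the TPP never handles the password or the device secret; the bank compares the request context with the customer’s usual pattern and demands step-up authentication when it looks unusual; and the authentication code the customer’s device produces is computed over the amount and payee, so a TPP that changes either after approval cannot execute the payment. The names (`Bank`, `Profile`, `link_code`, `run_demo`), the profile fields, the risk thresholds and the scoring rule are all assumptions chosen for the example.

```python
"""Bank-side authentication with dynamic linking and risk-based step-up.

Constructed example, not code from the page: the customer authenticates with the
bank directly (the TPP never sees the password or the device secret), and the
bank checks an authentication code linked to the amount and payee the customer
approved. Profile fields, thresholds and the scoring rule are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """The customer's usual pattern, as the bank is assumed to keep it."""
    usual_countries: frozenset
    known_devices: frozenset
    typical_max_amount: float


def risk_level(profile: Profile, country: str, device_id: str, amount: float) -> str:
    """Compare the request context with the usual pattern: 'low', 'medium' or 'high'."""
    score = 0
    if country not in profile.usual_countries:
        score += 2
    if device_id not in profile.known_devices:
        score += 2
    if amount > profile.typical_max_amount:
        score += 1
    return "high" if score >= 3 else "medium" if score >= 1 else "low"


def link_code(device_key: bytes, nonce: bytes, amount: float, payee: str) -> str:
    """Code dynamically linked to one payment: computed on the customer's device over the
    amount and payee it displays, and recomputed by the bank over what is actually submitted.
    The device key is shared between customer device and bank only, never with the TPP."""
    msg = nonce + f"|{amount:.2f}|{payee}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class Bank:
    """Minimal ASPSP: checks credentials, assesses risk, issues single-use challenges."""

    def __init__(self):
        self._users = {}    # user -> (salt, password hash, device key, profile)
        self._pending = {}  # nonce -> user

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enrol(self, user: str, password: str, device_key: bytes, profile: Profile) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(salt, password), device_key, profile)

    def initiate(self, user, password, amount, payee, country, device_id) -> bytes:
        """Authenticate the customer and return a challenge nonce for this payment."""
        if user not in self._users:
            raise PermissionError("unknown user")
        salt, pw_hash, _, profile = self._users[user]
        if not hmac.compare_digest(self._hash(salt, password), pw_hash):
            raise PermissionError("bad credentials")
        if risk_level(profile, country, device_id, amount) == "high":
            raise PermissionError("step-up authentication required")
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = user
        return nonce

    def execute(self, nonce: bytes, amount: float, payee: str, code: str) -> bool:
        """Execute only if the code matches the amount and payee submitted now."""
        user = self._pending.pop(nonce, None)  # burn the challenge on first use, valid or not
        if user is None:
            return False
        _, _, device_key, _ = self._users[user]
        return hmac.compare_digest(link_code(device_key, nonce, amount, payee), code)


def run_demo() -> tuple:
    """Constructed walk-through: honest payment, tampered amount, unusual context."""
    bank, key = Bank(), secrets.token_bytes(32)
    pw, payee = "correct horse battery staple", "DE89370400440532013000"
    bank.enrol("alice", pw, key, Profile(frozenset({"DE"}), frozenset({"phone-1"}), 500.0))
    # 1. The TPP relays exactly what the customer approved on their device.
    nonce = bank.initiate("alice", pw, 120.00, payee, "DE", "phone-1")
    honest = bank.execute(nonce, 120.00, payee, link_code(key, nonce, 120.00, payee))
    # 2. The amount is raised between approval and execution: the linked code no longer matches.
    nonce = bank.initiate("alice", pw, 120.00, payee, "DE", "phone-1")
    tampered = bank.execute(nonce, 9120.00, payee, link_code(key, nonce, 120.00, payee))
    # 3. New country, new device and a large amount: the bank demands step-up first.
    try:
        bank.initiate("alice", pw, 4000.00, payee, "BR", "laptop-9")
        stepped_up = False
    except PermissionError:
        stepped_up = True
    return honest, tampered, stepped_up  # (True, False, True)
```

The challenge nonce is removed on first use whether or not the code verifies, so a valid code cannot be replayed and a tampered attempt cannot be retried against the same challenge; in a real deployment the risk scoring would draw on far richer signals, and "medium" would typically trigger an additional factor rather than being waved through.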
Follow these principles while designing APIs:
Show respect for user privacy.
Embed privacy into design and use maximum privacy as the default setting.
Keep the operation of the IT systems transparent to users.
Deny access to information that isn’t absolutely necessary or that the user hasn’t agreed to share.
Strive to detect and prevent privacy-invasive events before they happen.
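The principles above can be turned into concrete API behavior. The following Python sketch is an added example for this page (not code from the original article or from any bank): a TPP receives a token bound to exactly the scopes the customer consented to at the bank, the API answers from a per-scope allow-list of fields so that anything not consented to is never returned, consent can be revoked, and every allow or deny decision is recorded so the customer can see who accessed what. The scope names, field names, the sample account record and the class names (`ConsentStore`, `AccountApi`, `run_demo`) are assumptions chosen for the example.

```python
"""Consent-scoped account access: privacy by default, least data, transparent access.

Constructed example, not code from the page: the bank issues a TPP a token bound
to the scopes the customer consented to; the API answers only from a per-scope
allow-list of fields, refuses everything else, honours revocation and records
every decision. Scope names, field names and the account record are assumptions.
"""
import secrets
from dataclasses import dataclass

# Constructed account record as held by the bank; only part of it may ever reach a TPP.
ACCOUNTS = {
    "alice": {
        "iban": "DE89370400440532013000",
        "balance": 1234.56,
        "transactions": [{"date": "2024-03-01", "amount": -42.10, "text": "Groceries"}],
        "owner_name": "Alice Example",
        "date_of_birth": "1985-04-12",
        "phone": "+49 30 1234567",
    }
}

# Allow-list: a scope unlocks exactly these fields. Anything not listed here (name,
# birth date, phone) is never returned, whatever a TPP asks for.
SCOPE_FIELDS = {
    "accounts.balance": frozenset({"iban", "balance"}),
    "accounts.transactions": frozenset({"iban", "transactions"}),
}


@dataclass
class Consent:
    user: str
    tpp: str
    scopes: frozenset
    revoked: bool = False


class ConsentStore:
    """Tokens issued after the customer approved a scope set at the bank, not at the TPP."""

    def __init__(self):
        self._by_token = {}
        self.audit_log = []  # every allow/deny, so the customer can see who accessed what

    def grant(self, user: str, tpp: str, scopes=()) -> str:
        """Default is no scopes at all: the TPP gets only what was explicitly consented."""
        unknown = set(scopes) - set(SCOPE_FIELDS)
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        self._by_token[token] = Consent(user, tpp, frozenset(scopes))
        return token

    def revoke(self, token: str) -> None:
        if token in self._by_token:
            self._by_token[token].revoked = True

    def lookup(self, token: str):
        consent = self._by_token.get(token)
        return None if consent is None or consent.revoked else consent


class AccountApi:
    def __init__(self, store: ConsentStore):
        self.store = store

    def get(self, token: str, scope: str) -> dict:
        """Return only the fields the consent covers; raise PermissionError otherwise."""
        consent = self.store.lookup(token)
        if consent is None:
            self.store.audit_log.append(("deny", None, scope, "invalid or revoked token"))
            raise PermissionError("invalid or revoked token")
        if scope not in consent.scopes:
            self.store.audit_log.append(("deny", consent.tpp, scope, "not consented"))
            raise PermissionError(f"{consent.tpp} has no consent for {scope}")
        allowed = SCOPE_FIELDS[scope]
        self.store.audit_log.append(("allow", consent.tpp, scope, sorted(allowed)))
        return {k: v for k, v in ACCOUNTS[consent.user].items() if k in allowed}


def run_demo() -> tuple:
    """Constructed walk-through: consented read, non-consented read, read after revocation."""
    store = ConsentStore()
    api = AccountApi(store)
    token = store.grant("alice", "budget-app", ["accounts.balance"])
    balance_view = api.get(token, "accounts.balance")
    try:
        api.get(token, "accounts.transactions")
        denied = False
    except PermissionError:
        denied = True
    store.revoke(token)
    try:
        api.get(token, "accounts.balance")
        after_revoke = False
    except PermissionError:
        after_revoke = True
    return balance_view, denied, after_revoke
```

The design choice worth noting is that the field filter is an allow-list keyed by scope rather than a deny-list of sensitive fields: a new field added to the account record is withheld from TPPs until someone deliberately adds it to a scope, which is what "maximum privacy as the default setting" means in practice.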