Announcing a Successful Re-evaluation of our PSD2 RTS SCA Solution
First published: 24/03/2021
updated: 21/10/2022
Erik Vasaasen
If you are working within Strong Customer Authentication (SCA) solutions, you will need to be evaluated by auditors in order to stay up to date and within regulation compliances. In this post, we talk about our own recent re-evaluation, including how we prepared and the final results.
Unpacking the Acronyms
The PSD2 is the latest version of the EU’s Payment Service Directive, which regulates payments and payment service providers across the EU and EEA. The RTS is the Regulatory Technical Standards, where the SCA is the standard for Strong Customer Authentication.
Legal Requirements According to the RTS
In Article 3 of the RTS, compliance requirements are stated as such:
The implementation of the security measures referred to in Article 1 shall be documented, periodically tested, evaluated and audited in accordance with the applicable legal framework of the payment service provider by auditors with expertise in IT security and payments and operationally independent within or from the payment service provider.
In practice, this means that payment service providers are required to ask their vendors if the solutions they offer have been recently audited. Since payment providers are reviewed at least every three years, it means that vendors like Okay should try to be as up to date as possible with their evaluations.
An even closer reading of the RTS shows that there are a number of requirements related to an audit. For example, you should be prepared to document any cryptographic processes in detail, and any known threats should also be evaluated.
Okay’s Evaluation
In preparation for our very own evaluation, Okay started off by cooperating with an expert on security analysis, PROSA Security. PROSA creates tools that enable formal proofs of integrity, authenticity, and confidentiality of protocols and complex computer systems.
The tools can also do automatic and semi-automatic attack simulations. This allowed us to easily see what would happen during certain situations, such as a partial man-in-the-middle attack.
In addition to the tools, PROSA also helped us through the “PROSA process”, which is used for creating a model of the software solution. This includes formalising security requirements, analysing threats, and creating a complete risk analysis.
Findings
After completing the risk analysis, the result comes in the form of a report that gets passed on and analysed by an accredited evaluation institute. In our case, it was SRC Gmbh. The end result was a successful evaluation that clearly showed which articles of the RTS we are able to offer support on.
To quote the final report from the evaluation:
Okay AS makes use of industry wide accepted best practices in its design and use of technology, especially in cryptographically securing and authenticating its credentials and its client-server communication. Therefore, Okay Secure Platform can be considered a state-of–the-art solution protecting against both known forms of attacks and innovative future malware attacks.
Conclusion
Performing a security evaluation and doing penetration testing can be challenging, as products are still evolving while the evaluation is taking place. And of course, spending time on the required documentation can be hard to balance with the time needed to deliver on customer requirements. However, it is nonetheless important. Why? By using the evaluation to help uncover issues and design challenges, it proves to your customers that the security your solution provides is well tested and strong.
If you’re interested in talking about evaluations and security issues, please reach out to us at hello@okaythis.com.