The impact of the Revised Directive on Payment Services (PSD2) on security
The Revised Directive on Payment Services (PSD2) has a wide range of objectives and impacts nearly all financial institutions and many merchants. Fundamentally, as long as you are located in Europe, or conduct transactions with customers located in Europe, PSD2 will have some kind of impact on you.
The directive itself is not particularly interesting from a practical security point of view, but the official interpretation as described in the Regulatory Technical Standards on strong customer authentication and secure communication under PSD2 (RTS) should be read by all security professionals who are connected in any way to the payment industry.
The Directive of the European Parliament and of the Council is shrouded in bureaucratic language, but the goals as stated in the FAQ are: (i) to contribute to a more integrated and efficient European payments market; (ii) to further level the playing field for payment service providers by including new players; (iii) to make payments safer and more secure; and (iv) to enhance protection for European consumers and businesses. The impact on non-European companies comes from the one-leg principle, under which the directive also applies when only one of the parties to a transaction is located in Europe.
PSD2 and Okay
We at Okay make software which helps you deal with the technical challenges inherent in the requirements that spring from the PSD2 and the accompanying RTS. To help you understand how we help mitigate the challenges created by the PSD2 we plan to publish a series of blog posts examining articles that are relevant to the technical aspects of the PSD2, article by article.
- In the first post we’ll start with the fundamentals and introduce knowledge, possession and inherence, as defined in article 4 and further discussed in articles 6 to 8.
- In the next post we’ll look at how payments should be linked to the user, as defined in article 5.
- In the third post the topic will be how a secure execution environment is mandated by article 9.
- In the fourth post we’ll look at the importance of traceability (article 29 of the RTS), and how this can directly impact the bottom line due to article 72 of PSD2.
- In the final post we’ll look at how auditing and documentation have become an even more important aspect of security, and describe the process we have used for our own software.
For each article we will describe some common types of practical attacks that are relevant to the challenge, explain how they can impact the business, and then show how we at Okay can help you mitigate the problem.