The impact of the Revised Directive on Payment Services (PSD2) on security


The Revised Directive on Payment Services (PSD2) has a wide range of objectives, and it impacts nearly all financial institutions and many merchants. Fundamentally, as long as you are located in Europe, or do transactions with customers located in Europe, the PSD2 will have some kind of impact on you.


Directive Goals

The directive itself is not particularly interesting from a practical security point of view, but the official interpretation as described in the Regulatory Technical Standards on strong customer authentication and secure communication under PSD2 (RTS) should be read by all security professionals who are connected in any way to the payment industry.

The Directive of the European Parliament and of the Council is shrouded in bureaucratic language, but the goals as stated in the FAQ are: (i) to contribute to a more integrated and efficient European payments market; (ii) to further level the playing field for payment service providers by including new players; (iii) to make payments safer and more secure; and (iv) to enhance protection for European consumers and businesses. The impact for non-European companies comes from the one-leg principle, which makes the directive binding for non-European companies as well.


PSD2 and Okay

We at Okay make software which helps you deal with the technical challenges inherent in the requirements that spring from the PSD2 and the accompanying RTS. To help you understand how we mitigate the challenges created by the PSD2, we plan to publish a series of blog posts examining, article by article, the articles that are relevant to the technical aspects of the PSD2.

For each article we will try to describe some common types of practical attacks that are relevant to the challenge, then describe how these can impact your business, before we describe how we at Okay can help you mitigate the problem.