The Revised Directive on Payment Services (PSD2) and Its Impact on Security
First published: 07/11/2019
Updated: 22/10/2022
Erik Vasaasen
The Revised Directive on Payment Services (PSD2) has a wide range of objectives, and it impacts nearly all financial institutions and a vast array of merchants. As long as you are located in Europe, or do transactions with customers located in Europe, the PSD2 will have some kind of impact.
Directive Goals
The Directive of the European Parliament and of the Council is shrouded in bureaucratic language, but made simple, its goals are:
- to contribute to a more integrated and efficient European payments market
- to further level the playing field for payment service providers by including new players
- to make payments safer and more secure
- and to enhance protection for European consumers and businesses
The impact on non-European companies comes from the one-leg principle, which makes the directive binding for non-European companies as well.
The directive itself is not particularly interesting from a practical security point of view, but the official interpretation as described in the Regulatory Technical Standards on strong customer authentication and secure communication under PSD2 (RTS) should be read by all security professionals who are connected to the payment industry.
PSD2 and Okay
We at Okay make software that helps you deal with the technical challenges inherent in the requirements that spring from the PSD2 and the accompanying RTS. To help you understand how we help mitigate the challenges created by the PSD2, we plan to publish a series of blog posts examining articles that are relevant to the technical aspects of the PSD2, article by article.
For each article, we will try to describe some common types of practical attacks that are relevant to the challenge, then explain how these can impact business, and finally describe how we at Okay can help you mitigate the problem.
Update
Want to jump straight to that series of blog posts examining articles that are relevant to the technical aspects of the PSD2?
Here in part one of three, we start by covering the fundamental requirements Payment Service Providers should be aware of if issuing cards or e-money payments and why said requirements are necessary.
Here in part two of three, we cover the April 30th deadline.
And here in part three of three, we wrap up with how the Okay solution can help you meet SCA PSD2 RTS compliance standards.