NETACEA / WHITE PAPER
PSD2 AND API SECURITY
PSD2 AND API SECURITY WHITE PAPER
CONTENTS
What is PSD2 & how is it disrupting the financial landscape? ... 2
1. If PSD2 is a European law, will the UK need to comply after Brexit? ... 3
2. PSD2 puts change and opportunity in the hands of PSPs ... 4
3. What role do AISPs & APIs play in open banking? ... 5
4. How secure are APIs? ... 6
5. Secure your APIs to secure your business ... 7
How Netacea supports PSD2 compliance ... 8
NETACEA.COM
/ 1
WHAT IS PSD2 & HOW IS IT DISRUPTING THE FINANCIAL LANDSCAPE?
The second Payment Services Directive (PSD2) is data-driven legislation adopted by the European Union (EU) in 2015, with which all payment service providers (PSPs) throughout the EU and beyond must comply. PSD2 expands the scope of 2007's PSD, a directive implemented to make payments across borders as easy, secure and inexpensive as domestic payments. However, a short eight years later, innovations in technology and the prevalence of fintechs have created new challenges for the payments industry to address.

The new directive is already disrupting how consumers manage money, because account and spending data can now, with the customer's consent, be shared with third parties. Traditional and non-traditional financial institutions alike can gain instant access to everything from a consumer's monthly commuting costs and favourite coffee shop to their energy and mortgage supplier.

However, following industry push-back and the Financial Conduct Authority's (FCA) agreement to a phased rollout, it has become clear that many affected organisations are struggling to meet the legislation's initial, ambitious compliance deadline of 14th September 2019, which has now been extended by 18 months to March 2021. The delay gives banks and retailers alike a short reprieve to meet PSD2's timeline for the implementation of Strong Customer Authentication (SCA), which requires certain payments to be authenticated with two independent factors (drawn from something the customer knows, something they possess and something they are).

SCA is PSD2's second major requirement alongside the directive's stipulation that banks expose open Application Programming Interfaces (APIs) to authorised third parties. This white paper explores the effect of Brexit on PSD2 and the security implications of open banking, and sets out actions financial institutions can take to keep consumer data secure in this new environment.
1. PSD2 IS AN EU LAW, WILL THE UK NEED TO COMPLY AFTER BREXIT?
There is still a lot of uncertainty surrounding Brexit, but while the UK remains an EU member state, PSD2 (transposed into UK law as the Payment Services Regulations 2017) applies to organisations within the UK. To minimise disruption to UK businesses following Brexit, whenever that may be, the government has adapted and incorporated certain EU legislation, including PSD2, into UK domestic law. PSD2 is therefore likely to remain in UK legislation for the foreseeable future, with the long-term plan to replace it with the UK Open Banking system.

TELL ME ABOUT THE UK OPEN BANKING SYSTEM
In January 2018, the Open Banking system was set up by the Competition and Markets Authority on behalf of the UK government. Every PSP that uses Open Banking to offer products and services must be regulated by the FCA or the EU equivalent. There is currently very little to differentiate Open Banking from PSD2. However, where PSD2 requires banks to open up their data to third party providers (TPPs), Open Banking additionally requires that the data is made available in a standardised format.

PSD2 is much-needed legislation that presents financial institutions with new challenges. It also presents ample opportunity for banks to update legacy systems, collaborate and improve their security platforms. The UK's own introduction of Open Banking echoes the need for a truly disruptive transformation of the payments industry, with new entrants able to utilise banks' open APIs.
2. PSD2 PUTS CHANGE AND OPPORTUNITY IN THE HANDS OF PSPS
The payments industry has needed updating for a long time, and PSD2 makes change a reality. Open banking, perhaps the directive's most revolutionary initiative, enables third party access to account information and paves the way for greater innovation and competition in the market through open APIs. PSD2 and the open banking initiative move the payments industry forward in two very large strides:

CREATING A LEVEL PLAYING FIELD
All PSPs active in the EU will be regulated and answerable to the relevant rules set out by PSD2. This creates a level playing field that makes it possible for new entrants to make their mark in the payments market, and a new environment for consumers using payment services. Consumers will be able to use Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) to manage multiple accounts and their data, and to make comparisons.

SECURING THE PLAYING FIELD
The introduction of open banking is a big red flag for PSPs to ensure their houses are in order. Systems and infrastructure must be up to date, and open APIs must be in place to facilitate third party access requests, including the ability to initiate online payments directly from a customer's account. APIs put control in the hands of TPPs. They can use a bank's API to deploy their own solutions for businesses and customers, which can be integrated with data held by the bank.
Securing customer data is vital. According to the FCA, reports of cyber incidents at financial services firms increased 1000% in 2018. This figure is expected to rise with the growth in mobile payments.¹
¹ Experian, "New case of financial fraud reported every 15 seconds in 2018".
3. WHAT ROLE DO AISPS & APIS PLAY IN OPEN BANKING?
Businesses can use a bank's API to enter the financial market without the historical burden of building and maintaining the underlying payment infrastructure themselves. The new entrants can focus on providing one service while connecting to other service providers via APIs. This creates a new marketplace of specialists and a need for aggregators such as AISPs and PISPs. To make sure everything runs smoothly and with customer security in mind, banks must integrate with PISPs and AISPs to meet SCA requirements and facilitate open banking with TPPs. AISPs play a vital role in the PSD2 environment, giving consumers visibility of multiple bank accounts via a single app that is connected to each bank's open API.

CAN ANYONE ACCESS A BANK'S API?
Not quite. Security is crucial here, and API access is restricted to regulated TPPs who can securely access the bank's data. All TPPs are subject to extensive verification of their security, operational governance and risk management controls before they can receive PSD2 authorisation.
4. HOW SECURE ARE APIS?
In the open banking infrastructure, APIs sit between the PSP and the TPP to make sure data can be shared securely between the two. To ensure banks implement secure API infrastructure by design, screen scraping (a third party logging in with the customer's own credentials and reading account pages) is banned under PSD2 once a dedicated interface is available. Scraping has often been used by fintechs to gather user data, and it is also the technique used by bots with malicious intent, so it is vital to work with your eyes wide open here. APIs are becoming an increasingly attractive target for cyber-attacks alongside websites and applications. Establishing a resilient API environment is absolutely crucial to maintaining a truly secure and high-functioning ecosystem in which both interconnected parties are protected. If an API is exposed, bots can be used to take over accounts, scrape data and prevent the API from servicing legitimate users. APIs have three points of vulnerability, the browser, the mobile app and the API server, and each must be secured with appropriate mitigation methods.
5. SECURE YOUR APIS TO SECURE YOUR BUSINESS
An API on its own cannot detect, prevent or respond to automated attacks: at the protocol level a well-formed request from a bot looks identical to one from a legitimate client, so once the endpoints are known the API is relatively simple to abuse. By reverse engineering the apps that connect to API endpoints, the perpetrator learns how to call the API directly and gains the capacity to carry out a myriad of bot attacks.

Attackers will always look for the easiest point of entry, and your bot management solution must be equipped to cover all attack vectors. APIs used to share data between banks and TPPs, or between banks and mobile applications, are particularly at risk of exposure to new threats and require a more robust security solution. JavaScript-based solutions, for instance, would typically only cover websites accessed through browsers, but not API traffic from mobile applications or other services. WAF- and CDN-based solutions provided by bolt-on bot suppliers derive from traditional approaches such as blacklisting and IP blocking and fail to provide any analysis of the bot's behaviour and intent. This can lead to loss of confidence if legitimate users are stopped or delayed from reaching the point of conversion on your site.

Attackers will attempt to gain entry to the API layer via its three vulnerable access points: the browser, mobile applications and the API server. It is vital that your API layer is protected by best-of-breed technology that is designed to complement existing controls such as WAFs and CDNs, while providing comprehensive coverage of the API's access points without complex mobile SDKs.

Equally, your bot management technology must adapt as user behaviour and bot techniques evolve. To achieve this, the technology must look specifically at what the bots are doing to determine intent and motive.
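The contrast drawn in sections 4 and 5 between IP blocking and behaviour-based analysis, as an added example that is not code from this white paper or from Netacea's product: it runs a naive per-IP rate rule and a per-client behavioural rule over a constructed API access log in which a credential-stuffing run is spread one attempt per source IP, and then lists the accounts that were successfully stuffed. The log layout, the client-fingerprint field, the paths and the thresholds are all assumptions made for illustration.

```python
# Added example (not the white paper's or Netacea's code): per-IP blocking versus
# behavioural detection of credential stuffing against a login API.
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Event(NamedTuple):
    ts: int            # seconds since start of the constructed capture
    src_ip: str
    fingerprint: str   # assumed client fingerprint (TLS/JS/app markers)
    path: str
    username: str
    status: int


def constructed_log() -> List[str]:
    """Constructed sample log, one request per line:
    ts src_ip fingerprint path username status"""
    lines = [
        # Three ordinary users: a clean login, a user who mistypes a password
        # twice, and a user who reads accounts after logging in.
        "0 203.0.113.10 fp-alice /api/v1/login alice 200",
        "5 203.0.113.10 fp-alice /api/v1/accounts alice 200",
        "1 203.0.113.20 fp-bob /api/v1/login bob 401",
        "3 203.0.113.20 fp-bob /api/v1/login bob 401",
        "6 203.0.113.20 fp-bob /api/v1/login bob 200",
        "2 203.0.113.30 fp-carol /api/v1/login carol 200",
        "9 203.0.113.30 fp-carol /api/v1/accounts carol 200",
    ]
    # Credential stuffing: 40 attempts, one per source IP, all from one client
    # profile; two of the stolen username/password pairs happen to be valid.
    for i in range(40):
        status = 200 if i in (7, 23) else 401
        lines.append(f"{10 + i} 198.51.100.{i + 1} fp-bot-1 /api/v1/login user{i:02d} {status}")
    return lines


def parse(lines: List[str]) -> List[Event]:
    events = []
    for line in lines:
        ts, ip, fp, path, user, status = line.split()
        events.append(Event(int(ts), ip, fp, path, user, int(status)))
    return events


def ip_rate_block(events: List[Event], window: int = 60, threshold: int = 10) -> Set[str]:
    """Naive control: block any IP that sends more than `threshold` requests
    in any `window`-second span. Distributed attacks stay under it per IP."""
    per_ip: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        per_ip[e.src_ip].append(e.ts)
    blocked = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for t in stamps[i:] if t < start + window)
            if in_window > threshold:
                blocked.add(ip)
                break
    return blocked


def behavioural_flags(events: List[Event], min_attempts: int = 10,
                      max_failure_ratio: float = 0.8, max_usernames: int = 5) -> Dict[str, List[str]]:
    """Group login traffic by client fingerprint instead of IP and score intent:
    many distinct usernames and a high failure ratio from one client profile is
    the signature of credential stuffing, whichever IPs it is routed through."""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "ips": set()})
    for e in events:
        if e.path != "/api/v1/login":
            continue
        s = stats[e.fingerprint]
        s["attempts"] += 1
        s["failures"] += int(e.status != 200)
        s["users"].add(e.username)
        s["ips"].add(e.src_ip)
    flagged: Dict[str, List[str]] = {}
    for fp, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        reasons = []
        if len(s["users"]) >= max_usernames:
            reasons.append(f"{len(s['users'])} usernames from {len(s['ips'])} IPs")
        if s["attempts"] >= min_attempts and ratio >= max_failure_ratio:
            reasons.append(f"login failure ratio {ratio:.2f}")
        if reasons:
            flagged[fp] = reasons
    return flagged


def compromised_accounts(events: List[Event], flagged: Dict[str, List[str]]) -> Set[str]:
    """Usernames that produced a successful login from a flagged client: the
    stuffed credentials that worked, needing session revocation and a reset."""
    return {e.username for e in events
            if e.fingerprint in flagged and e.path == "/api/v1/login" and e.status == 200}


if __name__ == "__main__":
    evs = parse(constructed_log())
    print("per-IP rule blocks:", ip_rate_block(evs))        # empty: attack missed
    flags = behavioural_flags(evs)
    print("behavioural flags:", flags)                       # only fp-bot-1
    print("accounts to reset:", sorted(compromised_accounts(evs, flags)))
```

The per-IP rule returns nothing because no address exceeds the threshold, which is exactly the weakness of IP blocking the text describes; the behavioural rule flags the single client profile behind all forty attempts while leaving the user who mistyped a password alone, and the final set is the list of accounts a responder would lock and reset.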
HOW NETACEA SUPPORTS PSD2 COMPLIANCE
To comply with PSD2, your financial services organisation must implement APIs to facilitate open banking, and you must also recognise the associated security risks. At Netacea, we take a revolutionary approach to bot management, applying a single solution with coverage across all API points of vulnerability (browser, mobile app and API server) without the need for multiple products or complex mobile SDKs. We monitor all site visits to a specified path and analyse them in context relative to every other visitor to the enterprise estate. The technology then automatically learns from the business's web estate according to the threats identified and your specified business priorities. This in-depth insight is then fed back to your business so that you can make informed decisions about your traffic.

We look at the behaviour of all website visitors and, in our multi-dimensional data, look for identifying clusters of behaviour, including fingerprint markers. The machine learning intelligence dynamically assesses what constitutes "normal" behaviour over time, by path or location. By its very nature, this machine learning approach becomes more effective over time, while traditional approaches become less effective as the bots evolve and work around the scripts. Talk to our team today at hello@netacea.com or https://www.netacea.com/contact to find out how we can protect your API layer and secure your customer data where it matters most.
Netacea provides a revolutionary bot management solution that protects websites, mobile apps and APIs from malicious bots such as scraping, credential stuffing and account takeover. Visit Netacea.com to find out more.