With the introduction of PSD2, a new era of secure payments has begun in the European Union. The new regulation aims to enhance customer protection against fraud, with stringent liability and accountability requirements and strong customer authentication features.
PSD2 requires European banks and other payment service providers to allow customers’ accounts to be accessed via application programming interfaces (APIs). Their customers are able to initiate payments from their accounts directly from third-party apps and websites, and to share transaction and balance information with third parties.
The directive provides measures to protect the confidentiality and integrity of personalized security credentials. Banks will now be authorized to block third-party access to accounts if they detect unauthorized or fraudulent activity. At the same time, providers who fail to authenticate a transaction appropriately will now be held liable for any resulting breaches.
So, what does all this mean for the incumbent players in the European financial services landscape?
Accenture has identified key challenges that banks will need to deal with in the short term:
- After PSD2, many customers may start relying on third-party payment service providers (TPPs) for banking transactions, making it more difficult for banks to detect fraud.
- By providing their APIs to TPPs, banks open up a significantly greater attack surface to potential cyber adversaries, and can no longer hide critical applications behind perimeter firewalls.
With the new directive also come opportunities:
- PSD2 encourages banks to embed security up front in the new systems and APIs, thus turning security into a business asset.
- Creating systems with open APIs gives banks the opportunity to strengthen their fraud prevention capabilities—by blocking attacks high up the stack and protecting the intelligence located on lower layers.
Accenture recommends five actions for banks to deal effectively with the challenges and opportunities of PSD2:
- Make API security an integral part of PSD2 implementations, and ensure that security controls for APIs are on a par with those for digital banking.
- Adopt a user-driven authentication framework that doesn’t disclose user credentials to TPPs.
- Use biometric technologies for authentication, as that will not only address the PSD2 requirement for more accurate validation, but will also provide a better consumer experience.
- Assess customers’ location and behaviour against their usual patterns to gain a clearer view of the risks and the level of authentication required.
- Follow these principles while designing APIs:
  - Show respect for user privacy and design in consent management controls.
  - Embed privacy into design and use maximum privacy as the default setting.
  - Maintain transparency of operations of the IT systems.
  - Deny access to information that isn’t absolutely necessary, or that the user has not agreed to share.
  - Strive to detect and prevent privacy-invasive events before they happen.
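The user-driven authentication, risk-based step-up and data-minimisation points above, brought together in one added Python example. This is illustrative code, not Accenture's and not any bank's or TPP's API: the scope names, risk thresholds, and the sample customer and consent data are assumptions made for the example.

```python
"""Consent-scoped API access with risk-based step-up authentication.

Models how an account-servicing bank can serve a TPP request without the TPP
ever holding the customer's credentials, release only the data the customer
consented to share, and escalate to strong customer authentication (SCA) when
the request deviates from the customer's usual pattern. Scope names, thresholds
and sample data are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import math

# Scopes a customer can grant to a TPP (assumed names, not a standard's).
BALANCES = "accounts:balances"
TRANSACTIONS = "accounts:transactions"
PAYMENT_INIT = "payments:initiate"

STEP_UP_THRESHOLD = 50  # assumed: at or above this score, demand fresh SCA


@dataclass(frozen=True)
class Consent:
    """Outcome of the customer authenticating at the bank and approving a TPP.

    The TPP receives an opaque token bound to this consent; the customer's
    banking credentials are never disclosed to the TPP.
    """
    token: str
    tpp_id: str
    customer_id: str
    scopes: frozenset
    expires_at: datetime


@dataclass(frozen=True)
class CustomerProfile:
    """Constructed baseline of a customer's usual location, devices and amounts."""
    customer_id: str
    home_lat: float
    home_lon: float
    known_devices: frozenset
    typical_payment_eur: float


class ConsentStore:
    """In-memory consent registry; revocation takes effect immediately."""

    def __init__(self):
        self._by_token = {}

    def grant(self, consent: Consent) -> None:
        self._by_token[consent.token] = consent

    def revoke(self, token: str) -> None:
        self._by_token.pop(token, None)

    def lookup(self, token: str, now: datetime):
        consent = self._by_token.get(token)
        if consent is None or now >= consent.expires_at:
            return None
        return consent


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two points (WGS84 sphere approx.)."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def risk_score(profile: CustomerProfile, lat, lon, device_id, amount_eur=0.0) -> int:
    """Additive risk score comparing the request with the customer's usual pattern."""
    score = 0
    if haversine_km(profile.home_lat, profile.home_lon, lat, lon) > 500:
        score += 40  # far from the customer's usual location
    if device_id not in profile.known_devices:
        score += 30  # device never seen for this customer
    if amount_eur > 3 * profile.typical_payment_eur:
        score += 40  # unusually large payment
    return score


def authorize(store, profile, token, scope, now, lat, lon, device_id, amount_eur=0.0):
    """Decide a TPP API call: ('allow' | 'deny' | 'step_up', reason)."""
    consent = store.lookup(token, now)
    if consent is None:
        return "deny", "no valid consent for token"
    if consent.customer_id != profile.customer_id:
        return "deny", "token not bound to this customer"
    if scope not in consent.scopes:
        # Data minimisation: nothing the customer did not agree to share.
        return "deny", f"customer did not consent to {scope}"
    score = risk_score(profile, lat, lon, device_id, amount_eur)
    if score >= STEP_UP_THRESHOLD:
        return "step_up", f"risk score {score}: strong customer authentication required"
    return "allow", f"risk score {score}"


if __name__ == "__main__":
    # Constructed sample: customer based in Amsterdam with one known device.
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    store = ConsentStore()
    profile = CustomerProfile("cust-1", 52.37, 4.90, frozenset({"dev-a"}), 50.0)
    store.grant(Consent("tok-1", "tpp-1", "cust-1", frozenset({BALANCES, TRANSACTIONS}),
                        datetime(2030, 1, 1, tzinfo=timezone.utc)))
    print(authorize(store, profile, "tok-1", BALANCES, now, 52.37, 4.90, "dev-a"))
    print(authorize(store, profile, "tok-1", PAYMENT_INIT, now, 52.37, 4.90, "dev-a"))
    print(authorize(store, profile, "tok-1", TRANSACTIONS, now, 38.72, -9.14, "dev-x"))
```

The TPP only ever presents the opaque consent token, so a compromise at the TPP does not expose banking credentials; revoking the consent at the bank cuts access immediately, and the risk score turns the location and device checks into a concrete decision about when to demand fresh SCA rather than blocking outright.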
Read more about this in our latest report, PSD2 & Open Banking | Security and fraud impacts on banks: Are you ready?