1 Recommendations
Banks must prepare for PSD2 by creating APIs for AISPs and PISPs to use. Banks utilize a gamut of IT infrastructure components to provide services today, some of which may not be easily accessible via APIs. Banks should begin a PSD2 readiness program that includes the following steps:
- Understand the requisite API calls that will be used by AISPs and PISPs
- Identify account holding and transaction servicing systems
- Design secure web-tier and intermediate-tier systems for providing PSD2 API support between external AISPs and PISPs and internal infrastructure
- Utilize consumer identity and access management (CIAM) solutions for KYC, AML, and strong, risk-adaptive authentication of customers
Financial institutions should ensure that the following security elements are included in the externally facing PSD2 API architecture:
- Edge network security with:
  - DDoS protection
  - Web application firewall
  - Threat detection and prevention
- Highly available, load-balanced web tier
- API gateway for authentication and authorization of AISPs/PISPs, and request validation
- CIAM system for consumer identity management, with:
  - Adaptive authentication options including:
    - Email/phone/SMS OTP
    - Mobile push apps
    - Mobile biometrics
    - User behavioral analytics (UBA)
    - USB and software tokens
    - eIDs
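To make the API-gateway element concrete (the step that authenticates and authorizes AISPs/PISPs and validates their requests before anything reaches the internal account or payment systems), here is an added example that is not part of the original document. It assumes the gateway has already established the TPP's client id from its authenticated identity, uses a constructed TPP registry and two illustrative endpoints, and applies least privilege per PSD2 role: an AISP may only read account data and a PISP may only initiate payments.

```python
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Constructed TPP registry (client id -> PSD2 role). In practice the gateway
# would derive this from the TPP's authenticated identity (an assumption here).
TPP_REGISTRY = {"tpp-aisp-001": "AISP", "tpp-pisp-002": "PISP"}

# Least privilege per role: AISPs may only read, PISPs may only initiate.
ENDPOINT_POLICY = {("GET", "/accounts"): {"AISP"}, ("POST", "/payments"): {"PISP"}}
PAYMENT_FIELDS = {"debtor_iban", "creditor_iban", "amount", "currency"}

@dataclass
class Decision:
    allowed: bool
    status: int   # HTTP status the gateway would return
    reason: str

def validate_payment(body):
    """Request validation for a payment initiation body; None if valid."""
    missing = PAYMENT_FIELDS - set(body)
    if missing:
        return "missing fields: " + ", ".join(sorted(missing))
    try:
        if Decimal(str(body["amount"])) <= 0:
            return "amount must be positive"
    except InvalidOperation:
        return "amount is not a number"
    cur = body["currency"]
    if not (isinstance(cur, str) and len(cur) == 3 and cur.isalpha() and cur.isupper()):
        return "currency must be a 3-letter ISO code"
    return None

VALIDATORS = {("POST", "/payments"): validate_payment}

def authorize(method, path, client_id, body=None):
    """Gateway decision for one inbound TPP request, checked in order:
    authentication (known TPP), authorization (role vs endpoint), validation."""
    role = TPP_REGISTRY.get(client_id)
    if role is None:
        return Decision(False, 401, "unknown or unauthenticated TPP")
    allowed_roles = ENDPOINT_POLICY.get((method, path))
    if allowed_roles is None:
        return Decision(False, 404, "no such PSD2 endpoint")
    if role not in allowed_roles:
        return Decision(False, 403, f"{role} may not call {method} {path}")
    error = VALIDATORS.get((method, path), lambda _: None)(body or {})
    if error:
        return Decision(False, 400, error)
    return Decision(True, 200, "forwarded to internal account/payment system")
```

The ordering matters for the audit trail: an unknown caller is rejected before any endpoint or role information is revealed, and malformed payment bodies are refused at the edge rather than by the internal servicing system.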