Commissioned by RSA
1 Executive Summary
In the European Union, the Revised Payment Services Directive (PSD2) will radically alter the financial services landscape. It has already begun to create a more competitive environment, with new business entities arising to offer additional financial services, such as acquiring account information and presenting it to consumers, and initiating payments directly from accounts at traditional financial institutions to merchants and other electronic service providers.
From a technical perspective, PSD2 necessitates improvements in two major functional areas:
- Strong Customer Authentication (SCA), transactional risk analysis, and malware mitigation in transaction processing
- Opening new financial service APIs, and properly securing them
Concerning SCA, in most cases, authorization and access control are predicated upon authentication, i.e. determining if the subject is who/what it purports to be. Regulations often stipulate the level of authentication assurance that is necessary for certain types of actions to be performed on systems and data. PSD2, at a high level, requires “strong authentication”. The directive relies upon the standard definition, which requires two of these three factors: something you know, something you have, and something you are.
The problems with username/password authentication are well-known. Both usernames and passwords are easily and often forgotten. Password resets are expensive, in terms of both help desk costs and lost productivity. Passwords are easily guessed by hackers. Password databases can be broken via brute force attacks. There is no such thing as a strong password. Telling users to choose complex passwords and use different passwords for every site is futile. Most cyber-attacks and data breaches that have made the news in recent years have involved the perpetrator(s) gaining access to systems and data by compromising usernames and passwords.
Higher assurance authentication is fundamental to reducing risk of fraud and data loss. Stronger authentication techniques also enable greater compliance with regulations such as PSD2, as we will see below.
Fortunately, better alternatives to passwords exist. Many enterprises have deployed smart cards, USB tokens, or RSA SecurID® for the highest levels of assurance. Biometric solutions, which use something about oneself as an authenticator, such as fingerprints or iris scans, are gaining traction due to their popularity among users. Out-of-band and step-up authentication and authorization options via mobile devices are becoming more common and accepted by users.
PSD2 will spur the adoption of these new authenticators in the quest to achieve SCA. Authenticators with a higher degree of usability, such as mobile push and mobile biometrics apps, are likely to be preferred and become dominant. Authenticator form factors such as smart cards and USB tokens will probably not be deployed by banks or FinTechs because they are less user-friendly.
With regards to APIs, banks will have to present APIs to financial service providers to get user account information and initiate payments. Though banks began moving to online services years ago and many now offer mobile apps, studies show that, as of late 2017, most banks in the EU are not prepared to allow programmatic access from a potentially large number of external financial service providers. Standard APIs are being refined in an open source manner. Most banks will need to build an adjunct infrastructure to support the PSD2-mandated APIs. This new infrastructure must be designed with defense-in-depth principles, including network and API security, plus a trust framework for external service providers and related identity management.
On the other side, new financial service providers that need to interact with banks must also prepare for PSD2 implementation. They will use the APIs to get account information and initiate payments with banks, and they will need to establish trust relationships with each bank they do business with. Many of these Third-Party Providers (TPPs) may also offer SCA as a service: to their own customers, to other FinTechs, or perhaps even to banks.
This paper will dive deeper into the technical requirements that banks and financial service providers face in preparing for PSD2. We will also discuss the ramifications for banks and other financial services organizations. Lastly, we will consider how RSA SecurID, RSA Adaptive Authentication, RSA Web Threat Detection, and RSA Archer can assist banks and TPPs in preparing for PSD2.