PSD2 Regulation: How To Achieve Client-Side Compliance [White Paper]

"Open Banking" has constantly been making the headlines over the past few months. While this concept may be more relevant than ever, it's still shrouded in doubt.

This new system aims to open the financial sector to new services and providers. Namely, companies that provide account information services and payment initiation services will have facilitated access to payment accounts' data, with the consumer's consent. This will be possible through Application Programming Interfaces (APIs).

As much as the benefits of open banking were known and repeated, the single expression "facilitates access to customers' financial data" raises some flags. If access to customer data is currently a sensitive subject, it becomes tenfold when we add "financial" to the equation.

We believe the opportunities to the UK economy – and to the individuals and businesses within that economy – from the successful creation of an Open Banking Standard that will lead the world are enormous. — Open Banking Working Group

With the rising importance of ensuring proper data handling, PSD2 entered the picture.

The Directive (EU) 2015/2366 — better known as Payment Services Directive 2 (PSD2) — is the successor to PSD, a 2007 EU Directive administered to regulate payment services within the European Union.

PSD was able to address some major concerns in terms of regulating payments, but it didn't apply to transactions to/from countries outside of the EU, neither did it contemplate the emergent role of third-party payment service providers (TPP).

PSD2 can then be seen as an improvement to the previous directive, namely by reducing liability for unauthorized payments, granting unconditional refundright for direct debits, and removing surcharges for the use of a consumer credit or debit card.

Although PSD2 has been passed during late 2015, it only entered into application January 2018. Financial institutions were urged to adopt proper measures to ensure the required strict security requirements. Still, there's much resistance towards the adoption of PSD2.

Our PSD2 white paper serves as a quick comprehensive guide of client-side PSD2 mandates and how financial institutions can address them to achieve compliance.

It's key takeaways are:

• Which opportunities and challenges for financial institutions and TPPs are brought forward by PSD2;

• Why there's an increasing concern over client-side attacks;

• Which PSD2 mandates require direct client-side security measures;

• How these PSD2 mandates can be effectively addressed to ensure compliance.

For long, information security has focused solely on the server-side. Because user data was only stored on backend servers, institutions invested mostly in firewalls and other network security measures.

The web has since changed. A great number of tools and technologies rely on the client-side. This opens a window to attacks that aren't stopped by server-side security measures, and for which institutions aren't prepared.

We've been seeing an alarming growth on client-side attacks with disastrous results. Man-in-the-Browser (MiTB) attacks are one of the biggest threats. They can, for example, change the IBAN and amount of an online banking transaction without the user being aware.

The most common objective of this attack is to cause financial fraud by manipulating transactions of Internet Banking systems, even when other authentication factors are in use. — OWASP

Because this is happening on bank websites, the expectation is that these attacks will start targeting TPP websites as well.

With the rising prevalence of client-side attacks in mind, PSD2 stipulates a set of mandates which specifically concern client-side protection. These include:

• Having transaction monitoring mechanisms that detect fraudulent transactions;

• Being able to detect and react to signs of malware infection;

• Protecting communication sessions against the capture of authentication data.

Several other mandates require direct client-side security measures, which we outline in our PSD2 white paper.

The PSD2 is an assertive step towards ensuring a properly regulated Open Banking system. By empowering new market entrants and putting consumers' safety first, the EU sets some ambitious goals.

Financial institutions are known for taking longer to adopt new technologies. With PSD2 and RTS coming into fruition, security solutions such as Jscrambler come forward as a direct path to achieve client-side compliance.