The revised EU Payment Services Directive (PSD2) aims to enhance consumer security, increase competition and create a single EU-wide market for payments. There is no doubt that this market-disrupting initiative opens the door to innovation. But will PSD2 inadvertently introduce more vulnerabilities for cybercriminals to exploit?
Achieving its aims hinges on the banks sharing their customer data with any third party that holds the required license and has the customer's consent. This third-party access to accounts (XS2A) ensures that banks cannot block the move to a new payment services market. It encourages new entrants offering Payment Initiation Services (PIS) and Account Information Services (AIS). A PIS would allow consumers to pay a merchant directly from their bank account. An AIS could offer a consumer a single portal consolidating all their financial information: banking, insurance and shares. Such third-party providers (TPPs) will need to be authorized, which is what ensures their adherence to the new security requirements.
Impact of open access
For banks, the impact of PSD2 is about more than losing direct control of their customer relationships. They have to give TPPs access to their own infrastructure. To grant that access, banks have yet more operational costs to absorb as they overhaul their platforms and processes. And the security impact is not fully known. Understandably, the banks are not welcoming PSD2 with open arms. Cybercriminals, on the other hand, may well be.
Experience has shown that the first thing a cybercriminal probes is a point of interface: between software and hardware, for instance. Interfaces are the most vulnerable points because each side tends to trust input it did not produce. XS2A not only multiplies these interfaces but also adds complexity. Every TPP has a way into the bank's infrastructure, typically through an API. And now other parties are involved in the authorization process. Is the TPP making this request on the customer's behalf, or is it malware; is it really you? Identity verification and device-based authentication become paramount.
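The authorization question above, as an added illustration that is not from the original article or from Irdeto: a bank-side gate that decides whether to serve a TPP's API call by checking, in order, that the caller really is an authorized TPP, that the request is fresh rather than replayed, and that the customer's consent actually covers the account and action requested. The TPP identifiers, secrets, consent records and the shared-secret HMAC scheme are all constructed for the example; PSD2 does not prescribe this mechanism, and real deployments identify TPPs with certificates rather than shared secrets.

```python
import hashlib
import hmac
import json

# Fixed "current time" so the example is deterministic (constructed value).
NOW = 1_700_000_000

# Constructed registry: the signing secret the bank issued to each authorized
# TPP at onboarding. Assumption: a shared-secret HMAC stands in for whatever
# credential the bank really binds to a TPP's license.
TPP_SECRETS = {
    "tpp-aisp-001": b"d1e9f0a2c4b6e8a0f1c3d5e7b9a1c3d5",
    "tpp-pisp-002": b"7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d",
}

# Constructed consents: which TPP the customer allowed to touch which accounts,
# for which actions, and until when.
CONSENTS = {
    "consent-42": {"tpp": "tpp-aisp-001", "customer": "cust-7",
                   "accounts": {"ACC-1", "ACC-2"},
                   "scope": {"balances", "transactions"},
                   "expires_at": NOW + 86_400 * 90},
    "consent-77": {"tpp": "tpp-pisp-002", "customer": "cust-7",
                   "accounts": {"ACC-1"}, "scope": {"payment"},
                   "expires_at": NOW + 86_400 * 30},
}


def canonical_request(method, path, timestamp, tpp_id, consent_id, body):
    """Bytes the signature covers. Binding method, path, timestamp, TPP id,
    consent id and a body hash means none of them can be swapped afterwards."""
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [method.upper(), path, str(timestamp), tpp_id, consent_id, body_hash]
    return "\n".join(fields).encode()


def sign_request(secret, method, path, timestamp, tpp_id, consent_id, body):
    """TPP side: MAC over the canonical request with the TPP's secret."""
    msg = canonical_request(method, path, timestamp, tpp_id, consent_id, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_request(tpp_id, secret, consent_id, account, action, timestamp,
                 path="/v1/accounts/query"):
    """Build a signed API call the way a TPP client would."""
    body = json.dumps({"account": account, "action": action}, sort_keys=True).encode()
    sig = sign_request(secret, "POST", path, timestamp, tpp_id, consent_id, body)
    return {"method": "POST", "path": path, "timestamp": timestamp,
            "tpp_id": tpp_id, "consent_id": consent_id, "body": body, "signature": sig}


def verify_request(req, now=NOW, max_skew=300):
    """Bank side. Returns (accepted, reason). Authenticate the caller first,
    then freshness, then whether the customer's consent covers the request."""
    secret = TPP_SECRETS.get(req["tpp_id"])
    if secret is None:
        return False, "unknown TPP"
    expected = sign_request(secret, req["method"], req["path"], req["timestamp"],
                            req["tpp_id"], req["consent_id"], req["body"])
    if not hmac.compare_digest(expected, req["signature"]):
        return False, "bad signature"          # forged, or tampered in transit
    if abs(now - req["timestamp"]) > max_skew:
        return False, "stale timestamp"        # captured request replayed later
    consent = CONSENTS.get(req["consent_id"])
    if consent is None or consent["tpp"] != req["tpp_id"]:
        return False, "no consent for this TPP"
    if now > consent["expires_at"]:
        return False, "consent expired"
    payload = json.loads(req["body"])
    if payload.get("account") not in consent["accounts"]:
        return False, "account not covered by consent"
    if payload.get("action") not in consent["scope"]:
        return False, "action outside consented scope"
    return True, "ok"


def demo():
    """Run the gate against one legitimate call and several bad ones."""
    aisp, key = "tpp-aisp-001", TPP_SECRETS["tpp-aisp-001"]
    good = make_request(aisp, key, "consent-42", "ACC-1", "balances", NOW)
    # Malware on the customer's device pretending to be the TPP, without its key.
    forged = make_request(aisp, b"guessed-key", "consent-42", "ACC-1", "balances", NOW)
    # Someone in the path swaps the account after the TPP signed.
    tampered = dict(good)
    tampered["body"] = json.dumps({"account": "ACC-2", "action": "balances"},
                                  sort_keys=True).encode()
    # Genuine TPP overreaching: an account the customer never consented to.
    overreach = make_request(aisp, key, "consent-42", "ACC-9", "balances", NOW)
    # Genuine AISP presenting a consent that was granted to a different TPP.
    wrong_tpp = make_request(aisp, key, "consent-77", "ACC-1", "payment", NOW)
    return {
        "good": verify_request(good),
        "forged": verify_request(forged),
        "tampered": verify_request(tampered),
        "overreach": verify_request(overreach),
        "wrong_tpp": verify_request(wrong_tpp),
        "replayed": verify_request(good, now=NOW + 3600),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:10s} {'ACCEPT' if ok else 'REJECT':6s} {why}")
```

The ordering in `verify_request` is deliberate: the consent lookup is only reached by a caller who has already proved it holds a registered TPP credential, so a forged or tampered request never learns which consent identifiers exist. The consent check is what answers the page's question: a valid TPP signature alone does not prove the request is something the customer agreed to.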
Without them, there is an increased likelihood of cyber-attacks and of the litigation that follows. And under the new EU data protection regulation (the GDPR), a breached company found to have broken the rules can be fined up to 4% of global annual turnover or €20 million, whichever is higher. Quite an impact!
Finding the balance
At the heart of what appear to be conflicting objectives (innovation, user access, data protection and new entrants) is security. Yes, PSD2 has a strong customer authentication requirement: at least two independent factors from something the customer knows, possesses or is. But what about the security of the browser in which that authentication actually takes place? After all, the directive was revised to take into account the growing importance of internet and mobile payments.
There is a way to create a trusted environment. Irdeto's security software is simple to deploy and easy to embed into different applications without affecting the consumer experience. It provides a secure area in which to execute code, raises alerts if a browser extension or other software on the consumer's device tampers with the application, and adds an extra layer of encryption between the parties.
To prevent cybercriminals walking through the open door, browser security has to be an essential part of the new payments era.