New regulations stand as an opportunity to make security a differentiator in banking
While the banking sector typically takes advantage of modern security measures to protect customer data, there’s never been a more important time for financial institutions to firm up their IT defenses – as well as their reputations. The new EU regulation that took effect this year, the Revised Payment Service Directive (dubbed PSD2), places two notable requirements on financial institutions. First, a new level of openness through API’s to customers’ banking information, and secondly, a robust customer authentication for transactions.
Naturally, this new level of openness requires institutions grant non-bank parties an unprecedented amount of access to their networks and proprietary user data. This regulation represents a fundamental shift in the role of banks’ informational systems and the data within them, given the total control banks have previously had over their customer information.
Third-party providers, or TPP’s, will now build banking-adjacent services for consumers that build on existing banking infrastructure. In the past, customers had to access their bank’s portal for access to their financial information. But now, both Payment Initiation Service Providers (PISP) and Account Information Service Providers (AISP) will have access to a consumer’s banking information through newly required API’s. Tactics such as screen-scraping used to aggregate accounts are no longer required, but new levels of access will also have to be granted to new parties.
By opening up these banking networks, it is of critical importance that impenetrable, cutting-edge security infrastructure is in place. While in the past an HSM system could adequately secure a banking network, a more comprehensive level of security is required to protect proprietary customer data in this new world of open banking. And as consumers seek access to their data from new applications and configurations, attention to endpoint security deserves more attention than ever before.
But PSD2 requirements are not limited to open banking. New authentication requirements at specific user journey points are required by the new regulation. When a transaction is initiated or an account is accessed by a customer, new authentication that fits certain criteria must be used. Two-factor authentication, an independent match of something a user has and something they know or are, is the first requirement. An authentication code tied to the individual transaction must also be issued, and credential confidentiality and integrity must be ensured throughout – particularly relevant if a mobile phone is involved.
Additionally, authentications can only be valid for five minutes and must be blocked if failed over five times. Close attention must be paid to access both because of new audit requirements and in order to demonstrate low risk.
Naturally, PSD2 presents significant areas of change for financial institutions. But effective tools are available to protect application code and personal data to continue compliance with GDPR. And strong authentication requirements can be met with solutions to protect customers and their resources. There’s never been a better time for administrators to ensure their security protocols can defend against the latest threats they’ll be soon facing as more and more data flows in and out of banking networks to vulnerable parties without banking-class security.
It’s one of the latest examples of a call for more openness actually creating a path toward using security as a differentiator – both for protection as well as the user experience overall.
Simon Blake-Wilson is Chief Operating Officer at Inside Secure (www.insidesecure.com), a global provider of security solutions for mobile and connected devices, providing software, silicon IP, services and the know-how needed to protect transactions, identities, content, applications and communications.
