GDPR vs. PSD2: Why the European Commission Must Eliminate Screen Scraping

The General Data Protection Regulation (GDPR) and Revised Payment Service Directive (PSD2) are two of the most important and most talked-about technical legislative actions to arise in recent years.  Both emanate from the European Commission, and both are aimed at consumer protection.

GDPR will bolster personal privacy for EU residents in a number of ways.  The GDPR definition of personally identifiable information (PII) includes attributes that were not previously construed as PII, such as account names and email addresses.  GDPR will require that data processors obtain clear, unambiguous consent from each user for each use of user data. In the case of PSD2, this means banks and Third-Party Providers (TPPs).  TPPs comprise Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs).  For more information, please see https://www.kuppingercole.com/report/lb72612

Screen scraping has been in practice for many years, though it is widely known that this method is inherently insecure.  In this context, screen scraping is used by TPPs to get access to customer data.  Some FinTechs harvest usernames, email addresses, passwords, and account numbers to act on behalf of the users when interacting with banks and other FinTechs.  This technique exposes users to additional risks, in that their credentials are more likely to be misused and/or stored in more locations.

PSD2 will mandate the implementation of APIs by banks, for a more regular and safer way for TPPs to get account information and initiate payments.  This is a significant step forward in scalability and security.  However, the PSD2 Regulatory Technical Standards (RTS) published earlier this year left a screen scraping loophole for financial organizations that have not yet modernized their computing infrastructure to allow more secure access via APIs.  The European Banking Authority (EBA) now rejects the presence of this insecure loophole:  https://www.finextra.com/newsarticle/30772/eba-rejects-commission-amendments-on-screen-scraping-under-psd2

KuppingerCole believes that the persistence of the screen scraping exception is bad for security, and therefore ultimately bad for business.  The proliferation of TPPs expected after PSD2 along with the attention drawn to this glaring weakness almost ensures that it will be exploited, and perhaps frequently. 

Furthermore, screen scraping implies that customer PII is being collected and used by TPPs.  This insecure practice, then, by definition goes against the spirit of consumer protection embodied in GDPR and PSD2.  In addition, GDPR calls for the principle of Security by Design, and a screen scraping exemption would contravene that.  TPPs can obtain consent for the use of consumer PII, or have it covered contractually, but such a workaround is unnecessary if TPPs utilize PSD2 open banking APIs.  An exemption in a directive should not lead to potential violations of a regulation.

