Leadership Brief

Securing PSD2 APIs

The Revised Payment Service Directive (PSD2) mandates that banks provide APIs for Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) to use.

John Tolbert


1 Recommendations

Banks must prepare for PSD2 by creating APIs for AISPs and PISPs to use. Banks utilize a gamut of IT infrastructure components to provide services today, some of which may not be easily accessible via APIs. Banks should begin a PSD2 readiness program that includes the following steps:

  1. Understand the requisite API calls that will be used by AISPs and PISPs
  2. Identify account holding and transaction servicing systems
  3. Design secure web-tier and intermediate-tier systems for providing PSD2 API support between external AISPs and PISPs and internal infrastructure
  4. Utilize consumer identity and access management solutions for KYC, AML, and strong/risk-adaptive authentication for customers

Financial institutions should ensure that the following security elements are included in the externally facing PSD2 API architecture:

  • Edge Network Security with:
    • DDoS protection
    • Web application firewall
    • Threat detection and prevention
  • Highly available, load-balanced web-tier
  • API gateway for authentication and authorization of AISPs/PISPs, and for request validation
  • CIAM system for consumer identity management, with
    • Adaptive Authentication options including
      • email/phone/SMS OTP
      • Mobile push apps
      • Mobile biometrics
      • User Behavioral Analytics (UBA)
      • USB & software tokens
      • eIDs
