Leadership Brief

Securing PSD2 APIs

The Revised Payment Service Directive (PSD2) mandates that banks provide APIs for Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) to use.

John Tolbert


1 Recommendations

Banks must prepare for PSD2 by creating APIs for AISPs and PISPs to use. Banks utilize a gamut of IT infrastructure components to provide services today, some of which may not be easily accessible via APIs. Banks should begin a PSD2 readiness program that includes the following steps:

  1. Understand the requisite API calls that will be used by AISPs and PISPs
  2. Identify account holding and transaction servicing systems
  3. Design secure web-tier and intermediate-tier systems for providing PSD2 API support between external AISPs and PISPs and internal infrastructure
  4. Utilize consumer identity and access management solutions for KYC, AML, and strong/risk-adaptive authentication for customers

Financial institutions should ensure that the following security elements are included in the externally facing PSD2 API architecture:

  • Edge Network Security with:
    • DDoS protection
    • Web application firewall
    • Threat detection and prevention
  • Highly available, load-balanced web-tier
  • API gateway for authentication and authorization of AISPs/PISPs, and for request validation
  • CIAM system for consumer identity management, with:
    • Adaptive authentication options, including:
    • email/phone/SMS OTP
    • Mobile push apps
    • Mobile biometrics
    • User Behavioral Analytics (UBA)
    • USB & software tokens
    • eIDs
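The API gateway item above asks for two things at the edge: deciding whether a given third-party provider may call a given endpoint at all, and validating the request before it reaches account or payment systems. The following is an added illustration, not code from the brief or from any bank's or vendor's gateway. The role names (AISP, PISP), the endpoint paths, the payment body schema and the assumption that the gateway has already established the caller's roles from its certificate or access token are all constructed for this example.

```python
"""Added example: gateway-side authorization and request validation for
PSD2-style third-party API calls. Roles, paths and the payment schema are
assumptions made for illustration, not taken from a PSD2 API standard."""
import re
from dataclasses import dataclass, field

# Assumed mapping from third-party role to the (method, path prefix) pairs
# that role may call. An AISP only reads account data; a PISP initiates and
# checks payments. Anything not listed is denied.
ROLE_PERMISSIONS = {
    "AISP": {("GET", "/accounts")},
    "PISP": {("POST", "/payments"), ("GET", "/payments")},
}

# Allow-listed fields for a payment initiation body (constructed schema).
PAYMENT_FIELDS = {"amount", "currency", "debtor_iban", "creditor_iban"}
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")
CURRENCY_RE = re.compile(r"^[A-Z]{3}$")


@dataclass
class Request:
    method: str
    path: str
    # Roles the gateway has already established for the caller, e.g. from a
    # validated client certificate or access token (that step is assumed here).
    tpp_roles: frozenset = field(default_factory=frozenset)
    body: dict = field(default_factory=dict)


def authorize(req):
    """True if at least one of the caller's roles permits this method and path."""
    for role in req.tpp_roles:
        for method, prefix in ROLE_PERMISSIONS.get(role, ()):
            if req.method == method and (req.path == prefix or req.path.startswith(prefix + "/")):
                return True
    return False


def validate_payment(body):
    """Return a list of validation errors for a payment body (empty if valid)."""
    errors = []
    unknown = set(body) - PAYMENT_FIELDS
    if unknown:
        errors.append("unknown fields: " + ", ".join(sorted(unknown)))
    missing = PAYMENT_FIELDS - set(body)
    if missing:
        errors.append("missing fields: " + ", ".join(sorted(missing)))
        return errors
    amount = body["amount"]
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        errors.append("amount must be a positive number")
    if not isinstance(body["currency"], str) or not CURRENCY_RE.match(body["currency"]):
        errors.append("currency must be a 3-letter code")
    for key in ("debtor_iban", "creditor_iban"):
        if not isinstance(body[key], str) or not IBAN_RE.match(body[key]):
            errors.append(f"{key} is not a well-formed IBAN")
    return errors


def handle(req):
    """Gateway decision as (HTTP status, reason). Authentication and
    authorization are checked before the body is inspected, so unauthenticated
    or unauthorized callers never exercise the validator or the back end."""
    if not req.tpp_roles:
        return 401, "caller not authenticated"
    if not authorize(req):
        return 403, "role not permitted for this endpoint"
    if req.method == "POST" and req.path.startswith("/payments"):
        errors = validate_payment(req.body)
        if errors:
            return 400, "; ".join(errors)
    return 200, "forwarded to internal service"


if __name__ == "__main__":
    # Constructed sample requests: an AISP reading an account, an AISP trying to
    # initiate a payment, and a PISP submitting a malformed payment.
    valid_payment = {"amount": 12.5, "currency": "EUR",
                     "debtor_iban": "DE89370400440532013000",
                     "creditor_iban": "GB29NWBK60161331926819"}
    print(handle(Request("GET", "/accounts/123", frozenset({"AISP"}))))
    print(handle(Request("POST", "/payments", frozenset({"AISP"}), valid_payment)))
    print(handle(Request("POST", "/payments", frozenset({"PISP"}), {**valid_payment, "amount": -1})))
```

The ordering in `handle` is the point worth copying: role checks run on the path and method alone, so a caller holding only an AISP role is refused at the payment endpoint before any payment data is parsed, and the validator uses an allow-list of fields rather than rejecting known-bad ones.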