The Anti-Malware Requirement in PSD2
The Revised Payment Service Directive (PSD2) mandates that service providers evaluate transaction requests for signs of malware infection. In order for transactions to be considered low-risk, there must be no signs of malware infection in any sessions of authentication events.
All parties to financial transactions under PSD2, including Account Servicing Payment Service Providers (ASPSPs) and Third-Party Providers (TPPs) will be required to detect and mitigate signs of malware infection in transactions. Malware, particularly of the credential stealing variety, is a significant problem in the realm of financial transactions. The malware detection clause in PSD2 aims to reduce financial transaction risk.
ASPSPs and TPPs will need to deploy anti-malware tools at various points within their architectures to meet this requirement:
- Core banking and transaction processing systems
- Web-based online banking infrastructure
- PSD2 compliant API gateways, based on [Open Banking Project](https://openbanking.atlassian.net/wiki/spaces/DZ/pages/5785171/Account+and+Transaction+API+Specification+-+v1.1.0