1 Executive Summary
PSD2 RTS go into effect in September 2019
PSD2 defines two new business entities: Payment Initiation Service Providers (PISPs), which will have the ability to start payment processes directly between consumers and merchants; and Account Information Service Providers (AISPs), which will have the ability to aggregate account information about consumers and businesses. AISPs and PISPs are collectively known as Third-Party Providers (TPPs). These business functions have typically been performed by banks or related banking services. Banks are known in PSD2 as Account Servicing Payment Service Providers (ASPSPs). Competition in the financial sector within these newly defined roles will emerge from non-traditional, non-banking types of businesses.
From a technical perspective, PSD2 necessitates improvements in two major functional areas:
- Strong Customer Authentication (SCA), transactional risk analysis, and malware mitigation in transaction processing
- Opening new financial service APIs, and properly securing them
Concerning SCA: in most cases, authorization and access control are predicated upon authentication, i.e. determining whether the subject is who or what it purports to be. Regulations often stipulate the level of authentication assurance that is necessary before certain types of actions may be performed on systems and data. PSD2, at a high level, requires “strong authentication”. The directive relies upon the standard definition, which requires two of these three factors: something you know, something you have, and something you are.
With regard to APIs, banks (ASPSPs) are required to open access to their systems to other financial service providers (TPPs) so that they may obtain user-authorized account information and initiate payments. To enable a new and secure financial ecosystem, these APIs are being standardized in an open manner. Banks have been building infrastructure to support the PSD2-mandated APIs. This API access infrastructure must be designed with defense-in-depth principles, including data, network and API security, as well as a trust framework for regulated external service providers and the related identity and access management.