Penetration testing as an essential component of PSD2

With the new opportunities presented by digital banking comes a new attack surface for cyber criminals to commit fraud and theft. Financial institutions have long been equipped to deal with the monetary cost of criminal action against their customers, but cyber attacks carry a much higher cost in terms of damage to reputation and brand.

What is the Second Payment Directive (PSD2)?

The Second Payment Directive (PSD2) is a significant evolution of existing regulation for the payment industry and payment service providers. It aims to increase competition in an already competitive industry, bring into scope new types of payment service, enhance customer protection and security, and extend the reach of the Directive.

The updated PSD2 aims to give more flexibility and freedom to users, with customers essentially being able to mix and match individual solutions without having to transfer money from their original accounts to create new ones. For example, businesses collecting payments may be able to check a payer’s account for funds before a payment is initiated, leading to a reduction in failures. Consumers might use an account information service provider to see all their finances at a glance in real time, with information pulled directly from their accounts.

However, this increased flexibility brings major security concerns. The use of application programming interfaces (APIs) that are essential for allowing different apps and systems to communicate also creates new opportunities for cyber criminals.

The importance of security testing for PSD2

APIs are popular with developers because they can be easily integrated into software to complete complex tasks. Within the context of banking, insurance and finance, APIs ensure that various apps can communicate with other banks’ servers, as well as with other apps and services. However, APIs can also provide attackers with the keys they need to access the systems.

In its ‘Draft Guidelines on the security measures for operational and security risks of payment services under PSD2’, the European Banking Authority (EBA) notes the following threats:

  • Inadequate protection of communication channels used for payments.
  • Inadequately secured systems and devices, including but not limited to applications, servers and users’ payment devices.
  • Unsafe behaviour of users or payment service provider staff.
  • Increased complexity of the payments environment.
  • Technological advancements and tools that are available to potential fraudsters or malicious attackers.

How does penetration testing fit into my PSD2 project?

The EBA says that, for the purpose of managing operational and security risks in the provision of payment services, payment service providers should establish and implement security measures to prevent, react to and correct the unauthorised use, disclosure, access, modification, and accidental or malicious damage or loss of their logical and physical assets, including the payment service user’s data, their sensitive payment data and the personalised security credentials delivered by a payment service provider to the payment service user for the use of a payment instrument.

With apps set to dominate financial services, developers must protect them from attackers seeking to break into them to steal cryptographic keys or reverse engineer them.

Speak to an expert

We have a team of account managers and security consultants available to discuss your penetration testing challenges. For more information, please get in contact.