PSD2 Compliance for Mobile Devices: What Banks Need to Know


The moving target of regulatory compliance rarely slows down. Now, banks have yet another target to aim for: PSD2. The European Commission’s Revised Payment Services Directive, PSD2, regulates payment services and payment service providers (PSPs) such as banks. In fact, PSD2 applies to many kinds of businesses that provide electronic and non-cash payments, including mobile and online payments, throughout Europe.

What exactly does PSD2 do? PSD2 lays out “rules for payment services such as credit transfers, direct debits and card payments. These rules include information requirements for payment services providers, as well as rights and obligations linked to the use of payment services.” With one of the stated aims of PSD2 being to “facilitate customer mobility“, PSD2 establishes strict rules relating to security, including mobile device security.

The DNA of Mobile Security

Security for mobile devices differs from that of desktop PCs in numerous ways. At a high level, the key difference is that mobile devices require protection on at least three different attack surfaces: the Device, the Network, and the Apps (DNA). PSD2 reflects the need for multi-vector protection by specifying requirements for device and software integrity, secure communication, and data protection.

In addition, PSD2 requires that PSPs have mechanisms in place that will minimize the potential harm[1] if a security measure fails. Banks and FinTechs are exploring a range of technologies to meet these requirements, including:

• Containerization (together with rootkit/jailbreak detection mechanisms)
• Hardware security elements
• Anti-malware tools
• Runtime application self-protection (RASP)
• Mobile device analytics / behavior solutions

PSD2 Requires Device and Software Integrity

Device and software integrity[2] for mobile devices has always been a challenge for financial services app developers. Even if developers stick closely to security best practices, such as by writing secure code, using only authorized APIs, carefully vetting libraries, using only least privilege, etc., none of that will suffice if the device on which the app resides is compromised.

The importance of device and software integrity—and the challenge it poses—is underscored when you consider that a mobile device may well be administered exclusively by the end user. That means that the devices are likely to be running an outdated OS, be missing numerous security patches, and to have dated versions of apps—including the bank’s own app.
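One concrete instance of the "mechanisms to ensure that the software ... has not been altered" that PSD2 Article 9 asks for is a signed integrity manifest: at build time the bank hashes every shipped file and signs the list with a release key, and at start-up the app re-hashes the installed files and compares. The following Go program is an added example written for this page; it is not Zimperium's zIAP code or any PSD2 reference implementation, and the file names, contents and key are constructed for the demo. It also illustrates the caveat the paragraph above makes: the check runs inside the same trust boundary as the app, so it detects altered files but cannot by itself prove the device around it is intact.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// Manifest maps each protected file path to the hex SHA-256 of its
// expected content. The manifest itself is signed with the release key,
// so someone who edits a file cannot simply rewrite the manifest to match.
type Manifest struct {
	Files map[string]string `json:"files"`
}

// BuildManifest hashes the files as they are shipped at build time.
func BuildManifest(files map[string][]byte) Manifest {
	m := Manifest{Files: map[string]string{}}
	for path, content := range files {
		sum := sha256.Sum256(content)
		m.Files[path] = hex.EncodeToString(sum[:])
	}
	return m
}

// SignManifest returns the encoded manifest and its Ed25519 signature.
// encoding/json emits map keys in sorted order, so the encoding is
// deterministic and the signature stays valid across re-encodings.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (encoded, sig []byte, err error) {
	encoded, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return encoded, ed25519.Sign(priv, encoded), nil
}

// VerifyInstall checks the manifest signature first, then compares every
// listed file with what is actually installed. It returns the sorted list
// of paths that are missing or altered (empty when the install is intact).
func VerifyInstall(pub ed25519.PublicKey, encoded, sig []byte, installed map[string][]byte) ([]string, error) {
	if !ed25519.Verify(pub, encoded, sig) {
		return nil, errors.New("manifest signature invalid: manifest altered or signed by another key")
	}
	var m Manifest
	if err := json.Unmarshal(encoded, &m); err != nil {
		return nil, err
	}
	altered := []string{}
	for path, want := range m.Files {
		content, ok := installed[path]
		if !ok {
			altered = append(altered, path)
			continue
		}
		sum := sha256.Sum256(content)
		if hex.EncodeToString(sum[:]) != want {
			altered = append(altered, path)
		}
	}
	sort.Strings(altered)
	return altered, nil
}

func main() {
	// Constructed sample "app files"; a real build would hash the bundled assets and native libraries.
	shipped := map[string][]byte{
		"lib/payments.so":    []byte("original native code"),
		"assets/config.json": []byte(`{"api":"https://api.bank.example"}`),
	}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	encoded, sig, _ := SignManifest(priv, BuildManifest(shipped))

	// Pristine install: no altered paths.
	fmt.Println(VerifyInstall(pub, encoded, sig, shipped))

	// Tampered install: the API endpoint in the config was changed.
	tampered := map[string][]byte{
		"lib/payments.so":    shipped["lib/payments.so"],
		"assets/config.json": []byte(`{"api":"https://api.other.example"}`),
	}
	fmt.Println(VerifyInstall(pub, encoded, sig, tampered))
}
```

The public key is compiled into the app and the private key never leaves the release pipeline; if the manifest bytes, the signature, or any listed file differ from what was signed, VerifyInstall reports it and the app can apply whatever remedial action the PSP has defined for that case.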

PSD2 Requires Secure Communications

PSD2 also requires secure communications[3]. This means that banks must ensure that all communications with the device are encrypted. It also means that the bank must have a way to ensure that communication only occurs with authenticated, legitimate sources.

One complicating factor is that mobile users can and do connect to WiFi networks that are unsecured. In some cases, these networks are explicitly designed with malicious intent. For example, the networks may be named so as to trick the user into thinking the network can be trusted. But even if the network is unsecured simply because of lax security on the part of the network provider, that still leaves the door open for man-in-the-middle (MITM) and other network-based attacks.

PSD2 Requires Data Protection

The ability to use mobile payment methods is a significant convenience. Maximizing that convenience entails the use of the consumer’s financial data in the payment app. That data, along with the user’s personalized security credentials, requires protection. The PSP must provide that protection.

Developers can take a variety of approaches to protecting mobile apps and their data. PSD2 already requires, for example, that apps utilize a separate execution environment from the device[4]. Another approach could be the use of a RASP solution. These methods aim to protect the app and the data the app contains, but are of limited value if the device on which the app resides is compromised.

Zimperium Enables PSD2 Compliance for Mobile Devices

Zimperium’s zIAP enables bank app developers to meet requirements for device and software integrity, secure communication, and data protection, and to meet the requirement for mechanisms to mitigate harm in case of failure.

Zimperium provides a software development kit (SDK) that enables developers to quickly and painlessly embed Zimperium’s machine learning-based detection engine, z9, directly inside any mobile app. With the zIAP SDK embedded, mobile apps can immediately determine if a user’s device is compromised, if any network attacks are occurring, or if malicious apps are installed. Moreover, developers can specify the remedial action that should apply when a given threat is detected. In short, zIAP is a single solution to meet a host of PSD2 requirements.

If you would like to learn more about the ways Zimperium can help your business meet PSD2 requirements, please contact us here.

 

[1] PSD2. Article 9. Independence of the elements. Section 2 and Section 3 (b), (c). “Payment service providers shall adopt security measures …to mitigate the risk which would result from that multi-purpose device being compromised. Mitigating measures include mechanisms to ensure that the software or device has not been altered by the payer or by a third party and that, where alterations have taken place, mechanisms to mitigate the consequences thereof.”
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC
[2] PSD2. Article 9. Independence of the elements. Section 2 and Section 3 (b), (c). “Payment service providers shall adopt security measures …to mitigate the risk which would result from that multi-purpose device being compromised. Mitigating measures include mechanisms to ensure that the software or device has not been altered by the payer or by a third party and that, where alterations have taken place, mechanisms to mitigate the consequences thereof.”
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC
[3] PSD2. Paragraph 26. “In order to safeguard the confidentiality and the integrity of data, it is necessary to ensure the security of communication sessions between account servicing payment service providers, account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments.”
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC  
[4] PSD2. Article 9. Independence of the elements. Section 3 (a). “Mitigating measures include … the use of separated secure execution environments through the software installed inside the multi-purpose device.”
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC

The post PSD2 Compliance for Mobile Devices: What Banks Need to Know appeared first on Zimperium Mobile Security Blog.

About Zimperium
Zimperium, the industry leader in Mobile Threat Defense, offers real-time, on-device protection against both known and previously unknown threats, enabling detection and remediation of attacks on all three mobile threat vectors - Device, Network and Applications. Zimperium’s patented z9™ detection engine uses machine learning to power zIPS™, mobile on-device Intrusion Prevention System app, and zIAP™, an embedded, In-App Protection SDK that delivers self-protecting iOS and Android apps. Leaders across the mobile ecosystem partner with Zimperium, including mobile operators (Airtel, Deutsche Telekom, SmarTone, SoftBank and Telstra), device manufacturers (Samsung, SIRIN, TriGem), and leading enterprise mobility management (EMM) providers (AirWatch, MobileIron, BlackBerry, Citrix and SAP). Headquartered in San Francisco, Zimperium is backed by Sierra Ventures, Samsung, Telstra, Warburg Pincus and SoftBank. Learn more at www.zimperium.com or our official blog at https://blog.zimperium.com.
