What is PSD2?
Payment Services Directive 2 (PSD2) is a fundamental piece of payments-related legislation that came into force in Europe on 13 January 2018. It is the update of the original Payment Services Directive that had the objective of creating a single market for payments within the European Union.
The main scope of PSD2 is to encourage pan-European competition and participation in the payment industry, also from non-banks, and to provide for a level playing field by harmonising consumer protection and the rights and obligations from payment providers and users.
PSD2 has links and similarities in some of its goals and clauses to the GPDR for data protection and privacy, such as notifying regulators of certain security breaches with a time-frame.
Does PSD2 apply to your organisation?
PSD2 applies to existing Payment Service Providers (PSPs), i.e. banks, payment institutions and e-money institutions and new FS/Fintech start-ups, retailers and service providers. These new players are divided into two types:
Account Information Service Providers (AISPs)
AISPs are providers that can connect to bank accounts and retrieve information from them. The Payment Service User will authorise the AISP to access their data through a secure connection and download their transactional information.
By definition this group have access to a large amount of personal data and hence will need to factor in the requirements of GDPR as well as their financial sector obligations.
Payment Initiation Service Providers (PISPs)
PISPS can initiate payment transactions directly from bank accounts. Historically, the payer initiated a payment directly through their bank. With PSD2, PISPs initiate payments through the bank’s payment systems and infrastructure on behalf of the payers; they act as a bridge between the payer and the payee.
PSD2 Implications for Cyber Security
PSD2 required the European Banking Authority (EBA) to develop Guidelines on security
measures for operational and security risks of payment services. More specifically, PSD2 provides that payment service providers shall establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks relating to the payment services they provide.
In fulfilment of this mandate, the EBA has published security and operational risk regulations:
- Security risk management and governance (which applies to all); and
- Handling of security incidents (especially major incidents) with defined timescales for reporting and response.
The regulations contain a range of requirements detailed within nine guidelines; some directly security related and others, such as opening up systems through APIs for third parties, that also impose security challenges.
Download our Controls Infographic to see the areas that the EBA’s security requirements cover.
How to achieve PSD2 compliance
Continuous monitoring, reporting, the ability to handle API or machine-to-machine transaction flows and rapid (automated or system-assisted) incident detection, verification and response are all vital cyber security capabilities for companies bound to the PSD2 regulation.
The Huntsman Enterprise SIEM & Security Analytics solution can support you in developing your organisation’s alignment to PSD2.
Contact the Huntsman Security team
Email us with your questions or to arrange a conversation: