Meet your PSD2 compliance obligations
Payment Services Directive 2 (PSD2) is a fundamental piece of payments-related legislation that came into force in Europe in January 2018. It is the update of the original Payment Services Directive that had the objective of creating a single market for payments within the European Union.
The main aim of PSD2 is to encourage pan-European competition and participation in the payment industry, including from non-banks, and to provide a level playing field by harmonising consumer protection and the rights and obligations of payment providers and users.
PSD2 has links and similarities in some of its goals and clauses to the GDPR for data protection and privacy, such as notifying regulators of certain security breaches within a time-frame.
Organisations that PSD2 applies to
PSD2 applies to existing Payment Service Providers (PSPs), i.e. banks, payment institutions and e-money institutions, and to new FS/Fintech start-ups, retailers and service providers. These new players are divided into two types:
Account Information Service Providers (AISPs)
AISPs are providers that can connect to bank accounts and retrieve information from them. The Payment Service User will authorise the AISP to access their data through a secure connection and download their transactional information.
By definition, this group has access to a large amount of personal data and hence will need to factor in the requirements of GDPR as well as their financial sector obligations.
Payment Initiation Service Providers (PISPs)
PISPs can initiate payment transactions directly from bank accounts. Historically, the payer initiated a payment directly through their bank. With PSD2, PISPs initiate payments through the bank’s payment systems and infrastructure on behalf of the payers; they act as a bridge between the payer and the payee.
PSD2 implications for cyber security
PSD2 required the European Banking Authority (EBA) to develop Guidelines on security measures for operational and security risks of payment services. More specifically, PSD2 provides that payment service providers shall establish a framework with appropriate mitigation measures and control mechanisms to manage operational and security risks relating to the payment services they provide.
In fulfilment of this mandate, the EBA has published security and operational risk regulations:
- Security risk management and governance (which applies to all); and
- Handling of security incidents (especially major incidents) with defined timescales for reporting and response.
The regulations contain a range of requirements detailed within the guidelines; some are directly security-related, while others, such as opening up systems through APIs for third parties, also pose security challenges. Download the infographic to see the areas that the EBA’s security requirements cover.
The latest regulatory requirements, which relate to strong customer authentication and third-party access, became effective in September 2019. You can find details in the UK Financial Conduct Authority’s PDF here.
Achieve PSD2 compliance with Huntsman Security’s PSD2 solution
Measurement of security control efficacy, continuous monitoring, reporting, the ability to handle API or machine-to-machine transaction flows and rapid (automated or system-assisted) incident detection, verification and response are all vital cyber security capabilities for companies bound to the PSD2 regulation.
Huntsman Security’s PSD2 solution can support you in developing your organisation’s alignment to PSD2.