KuppingerCole Report
Leadership Brief
By John Tolbert

Securing PSD2 APIs

The Revised Payment Service Directive (PSD2) mandates that banks provide APIs for Account Information Service Providers (AISPs) and Payment Initiation Service Providers (PISPs) to use.

1 Recommendations

Banks must prepare for PSD2 by creating APIs for AISPs and PISPs to use. Banks utilize a gamut of IT infrastructure components to provide services today, some of which may not be easily accessible via APIs. Banks should begin a PSD2 readiness program that includes the following steps:

  1. Understand the requisite API calls that will be used by AISPs and PISPs
  2. Identify account holding and transaction servicing systems
  3. Design secure web-tier and intermediate-tier systems for providing PSD2 API support between external AISPs and PISPs and internal infrastructure
  4. Utilize consumer identity and access management solutions for KYC, AML, and strong/risk adaptive authentication for customers.

Financial institutions should ensure that the following security elements are included in the externally facing PSD2 API architecture:

  • Edge network security with:
    • DDoS protection
    • Web application firewall
    • Threat detection and prevention
  • Highly available, load-balanced web-tier
  • API gateway for authentication and authorization of AISPs/PISPs, and for request validation
  • CIAM system for consumer identity management, with adaptive authentication options including:
    • Email/phone/SMS OTP
    • Mobile push apps
    • Mobile biometrics
    • User Behavioral Analytics (UBA)
    • USB and software tokens
    • eIDs
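The API gateway item above is where the three controls meet: the gateway must know which third-party provider (TPP) is calling, which PSD2 role (AISP or PISP) that TPP holds, and whether the request body is well formed before anything is forwarded to the intermediate tier. The following is an added example of such a gateway policy, written for this edit and not code from the brief or from any bank or vendor. The endpoint paths, role names, TPP registry and sample payment are constructed for illustration; it assumes the TPP identity has already been established by the mutually authenticated TLS session and that the registry maps that identity to its registered roles. Request validation is shown with an allow-list of fields plus the ISO 13616 mod-97 IBAN checksum, which is a real check but not one the brief prescribes.

```python
"""Illustrative PSD2 API-gateway policy: authenticate the TPP, authorize by role, validate the payload.

Added example, not from the brief. Paths, roles, registry entries and sample data are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


def valid_iban(iban: str) -> bool:
    """Structural check plus the ISO 13616 mod-97 checksum (real algorithm, assumed here as the validator)."""
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]                          # move country code and check digits to the end
    digits = "".join(str(int(ch, 36)) for ch in rearranged)   # letters become two-digit numbers, A=10 ... Z=35
    return int(digits) % 97 == 1


# Allow-list of body fields a payment-initiation request may carry (constructed for this example).
PAYMENT_FIELDS = {"debtorAccount", "creditorAccount", "instructedAmount", "creditorName"}


def validate_payment(body: dict) -> Optional[str]:
    """Return None when the payment body is acceptable, otherwise the reason it must be rejected."""
    unknown = set(body) - PAYMENT_FIELDS
    if unknown:
        return f"unexpected fields: {sorted(unknown)}"        # nothing unexpected reaches the core banking tier
    for acct in ("debtorAccount", "creditorAccount"):
        node = body.get(acct)
        iban = node.get("iban") if isinstance(node, dict) else None
        if not isinstance(iban, str) or not valid_iban(iban):
            return f"{acct}: missing or invalid IBAN"
    amt = body.get("instructedAmount")
    if not isinstance(amt, dict):
        return "instructedAmount: missing"
    if not re.fullmatch(r"[A-Z]{3}", str(amt.get("currency", ""))):
        return "instructedAmount.currency: not a three-letter code"
    value = str(amt.get("amount", ""))
    if not re.fullmatch(r"\d{1,14}(\.\d{1,2})?", value) or float(value) <= 0:
        return "instructedAmount.amount: must be a positive decimal with at most two places"
    name = body.get("creditorName")
    if not isinstance(name, str) or not 0 < len(name) <= 70:
        return "creditorName: required, 1-70 characters"
    return None


# Constructed TPP registry: identity -> registered PSD2 roles. A real gateway would derive the identity
# from the TLS client certificate and the roles from the competent authority's register (assumed here).
TPP_REGISTRY = {
    "tpp-aisp-001": {"AISP"},
    "tpp-pisp-002": {"PISP"},
    "tpp-both-003": {"AISP", "PISP"},
}

# Illustrative route table: path template -> {method: (required role, body validator or None)}.
ROUTES = {
    "/v1/accounts": {"GET": ("AISP", None)},
    "/v1/accounts/{id}/transactions": {"GET": ("AISP", None)},
    "/v1/payments": {"POST": ("PISP", validate_payment)},
    "/v1/payments/{id}/status": {"GET": ("PISP", None)},
}


def _compile(template: str):
    """Turn a path template into a regex; '{id}' matches one path segment."""
    return re.compile("[^/]+".join(re.escape(part) for part in template.split("{id}")))


_ROUTES = [(_compile(template), methods) for template, methods in ROUTES.items()]


@dataclass
class Request:
    tpp_id: str            # TPP identity established by mutual TLS (assumed)
    method: str
    path: str
    body: dict = field(default_factory=dict)


@dataclass
class Decision:
    status: int            # HTTP status the gateway would return, 200 meaning "forward"
    reason: str


def authorize(req: Request) -> Decision:
    """Gateway decision in order: unknown TPP, unknown resource, wrong method, wrong role, bad payload."""
    roles = TPP_REGISTRY.get(req.tpp_id)
    if roles is None:
        return Decision(401, "unknown or unauthenticated TPP")
    methods = next((m for pattern, m in _ROUTES if pattern.fullmatch(req.path)), None)
    if methods is None:
        return Decision(404, "no such resource")
    if req.method not in methods:
        return Decision(405, "method not allowed on this resource")
    required_role, validator = methods[req.method]
    if required_role not in roles:
        return Decision(403, f"TPP is not registered with the {required_role} role")
    if validator is not None:
        problem = validator(req.body)
        if problem is not None:
            return Decision(400, problem)
    return Decision(200, "forwarded to the intermediate tier")


# Constructed sample payment; both IBANs are the commonly published example values and pass the checksum.
VALID_PAYMENT = {
    "debtorAccount": {"iban": "DE89370400440532013000"},
    "creditorAccount": {"iban": "GB82WEST12345698765432"},
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "creditorName": "Example Merchant",
}

if __name__ == "__main__":
    for r in (Request("tpp-aisp-001", "GET", "/v1/accounts"),
              Request("tpp-aisp-001", "POST", "/v1/payments", VALID_PAYMENT),
              Request("tpp-pisp-002", "POST", "/v1/payments", VALID_PAYMENT),
              Request("tpp-pisp-002", "POST", "/v1/payments", dict(VALID_PAYMENT, note="free text"))):
        print(r.tpp_id, r.method, r.path, "->", authorize(r))
```

The ordering of checks matters: identity is established before the route is consulted, and the role check runs before any body is parsed, so an AISP cannot probe the payment validator and an unregistered caller learns nothing about which resources exist.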

2 Analysis

PSD2 defines the business entities Payment Initiation Service Providers (PISP), which will have the ability to start payment processes directly betwee ...

Each security component recommended above is critical for protecting bank infrastructure and customer assets. Banks will increasingly become targets ...


3 Summary

The relevant Regulatory Technical Standards for PSD2 were published in 2017. PSD2 ostensibly took effect in January 2018. Banks must provide APIs for ...



©2021 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission has been given. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.