Commissioned by Ergon

1 Executive Summary

In the European Union, the Revised Payment Services Directive (PSD2) will radically alter the financial services landscape. It has already begun to c ...

2 Highlights

• EU PSD2 takes effect in January 2018
• The Regulatory Technical Specifications governing the implementation of Strong Customer Authentication (SCA) ...

3 PSD2: The background and Regulatory Technical Specifications

PSD2 will revolutionize payments and financial services across the EU. PSD2 aims to foster competition in the financial sector, increase transactional ...

3.1 Background and goals of PSD2

The original PSD helped establish the Single Euro Payments Area (SEPA), facilitated cross-border payments, cut fees and increased choices for consumer ...

3.2 Strong Customer Authentication

Clients of financial services must use strong authentication methods to access financial resources. As written, PSD2 defines strong authentication in ...

3.3 Secure Communications

Banks and other account holding institutions must expose APIs for AISPs and PISPs to utilize. AISPs will need to create accounts and read account inf ...

3.4 Market changes and risks

Banks will still hold money and make loans, but new companies are emerging to handle account aggregation and payment management. While banks will sti ...

4 PSD2 RTS architecture

Complying with PSD2’s regulatory technical specifications almost certainly means building new capabilities, functions, and features. Correspondingly ...

4.1 CIAM

In order to offer SCA, a proper Identity and Access Management (IAM) solution is needed. Traditional IAM systems are designed to provision, authentica ...

4.2 SCA

Many CIAM and IAM solutions on the market today support the concept of SCA. Companies that have to comply with PSD2’s SCA provisions must decide whe ...

4.3 Secure Communication

Banks have to provide secure APIs for TPPs and other banks to use. Banks have the most work to do. Almost invariably, banks will have to implement API ...

Figure 1 shows some samples of the kinds of API calls that AISPs and PISPs will make to banks. The API calls are grouped by HTTP POSTs and GETs. Trans ...

Considering the above diagram, customer and TPP systems are in the left-most, and core financial applications and bank enterprise services are on the ...

5 The Ergon Airlock Approach to PSD2 compliant architctures

Ergon Airlock Suite provides CIAM, SCA, and API security functionality that directly addresses the technical requirements of PSD2.

Ergon Informatik ...

5.1 Airlock IAM for CIAM

Airlock IAM provides user and token management, user self-services such as registration and profile management, and identity federation. Self-registra ...

5.2 Airlock WAF for API Security

Airlock WAF can be positioned at perimeters or internal network boundaries to inspect application traffic and protect internal resources. Airlock WAF ...

Airlock WAF has its own log analysis, alerting, and auditing capabilities. But it can also send log and event data to SIEMs using CEF and syslog.

E ...

5.3 Airlock Login

Airlock Login is a lighter weight version of Airlock IAM. It can be deployed with Airlock WAF, but does not have to be. It offers password, OTP, MTA ...

6 Recommendations

PSD2 is fast approaching, and the RTS will require major technology insertions for many banks and TPPs. IAM/CIAM infrastructure may need to be upgrade ...

6.1 Recommendations for conducting a PDS2 Readiness Assessment

• Read and understand the text of PSD2 and the latest RTS. Know which sections apply based on your type of business: banks will have the most work to ...

6.2 Recommendations for meeting PSD2’s SCA and API Security Requirements

• If desired strong authentications options are not available in your current IAM solution, procure and deploy a modern CIAM solution that offers SCA ...

7 Related Research

Executive View: Ergon Airlock Suite - 72509
Executive View: Ergon Airlock/Medusa - 71047
Leadership Compass: Access Management and Federation - 71102