Commissioned by RSA

1 Executive Summary

In the European Union, the Revised Payment Services Directive (PSD2) will radically alter the financial services landscape. It has already begun to c ...

2 Highlights

• EU PSD2 took effect in January 2018
• The Regulatory Technical Specifications (RTS) govern the implementation of Strong Customer Authentication (SCA ...

3 PSD2: The background and Regulatory Technical Specifications

PSD2 will revolutionize payments and financial services across the EU. PSD2 aims to foster competition in the financial sector, increase transactional ...

3.1 Background and goals of PSD2

The original PSD helped establish the Single Euro Payments Area (SEPA), facilitated cross-border payments, cut fees and increased choices for consumer ...

3.2 Strong Customer Authentication

Clients of financial services must use strong authentication methods to access financial resources. As written, PSD2 defines strong authentication in ...

3.3 Secure Communications

Banks and other account holding institutions must expose APIs for AISPs and PISPs to utilize. AISPs will need to create accounts and read account inf ...

3.4 Market changes and risks

Banks will still hold money and make loans, but new companies are emerging that will also provide services to handle account aggregation and payment m ...

4 PSD2 RTS architecture

Complying with PSD2’s regulatory technical specifications almost certainly means building new capabilities, functions, and features. Correspondingly ...

4.1 SCA

Many CIAM and IAM solutions on the market today support the concept of SCA. Companies that have to comply with PSD2’s SCA provisions must decide whe ...

4.2 Anti-malware capabilities

In Clause 2 of Article 2, PSD2 RTS states “Payment service providers shall ensure that the transaction monitoring mechanisms take into account, a ...

4.3 Secure APIs

Banks have to provide secure APIs for TPPs and other banks to use. Banks have the most work to do here. Almost invariably, banks will have to implemen ...

Figure 1 shows some samples of the kinds of API calls that AISPs and PISPs will make to banks. The API calls are grouped by HTTP POSTs and GETs. Trans ...

5 RSA solutions that can contribute to PSD2 compliant architectures

RSA SecurID Access, RSA Adaptive Authentication, RSA Web Threat Detection, and RSA Archer provide SCA, transactional risk analysis, malware and threat ...

5.1 RSA SecurID Access

RSA makes many identity and security products and services, but perhaps the most recognizable product is the SecurID token. But that is just one of ma ...

5.2 RSA Adaptive Authentication

RSA Adaptive Authentication is a risk-based authentication and fraud detection platform deployed today at over 3,000 organizations. It utilizes the R ...

5.3 RSA Web Threat Detection

RSA Web Threat Detection is a component of the RSA Fraud and Risk Intelligence Suite. It can be deployed on-premises, in the cloud, or run as a multi- ...

5.4 RSA Archer

RSA Archer is an industry-leading GRC platform. It contains a variety of functionally discrete modules and has been extended by a number of third part ...

6 Recommendations

PSD2 is fast approaching, and the RTS will require major technology insertions for many banks and TPPs. IAM/CIAM infrastructure may need to be upgrade ...

6.1 Recommendations for conducting a PSD2 Readiness Assessment

• Read and understand the text of PSD2 and the latest RTS. Know which sections apply based on your type of business: banks will have the most work to ...

6.2 Recommendations for meeting PSD2’s SCA and API Security Requirements

• If desired strong authentication options are not available in your current IAM solution, procure and deploy a modern IAM / adaptive authentication s ...

7 Related Research

Leadership Compass: Access Management and Federation - 71102