PSD2 + AUTHENTICATION
From requirements to implementation
Speakers
Markku Mehtälä
CEO of MePIN / Meontrust
Mikko Nurmi
Manager, IAM Consulting at Nixu, CISSP
Companies
● European cybersecurity company, offices in Finland and Netherlands.
● We work to improve our clients' cybersecurity in the solution areas of Corporate IT, Digital Business and Industrial Internet.
● Services include consulting, implementation projects and continuous services.
● Meontrust Inc - Mobile authentication specialist company
● Helping banks, telecom operators and other consumer online services to secure their services and end users
● MasterCard Start Path company, customers and partners globally
AGENDA
1. Brief presenter introduction
2. PSD2 overview and requirements
3. PSD2 and API Security
4. PSD2 and strong authentication
5. Q&A
PSD2 overview and requirements
PSD2 timeline
● 2013: European Commission proposes to review the PSD; ECB's recommendations for e-payments (31.1.2013)
● 2014: Preparations; EBA's guidelines for e-payments (19.12.2014, applied from 1.8.2015)
● 2015: EU parliament agrees to the revised directive
● 2016: EBA's technical PSD2 recommendations
● 2017: Law comes into force in Member States (+ 24 months)
Main PSD2 objectives
● Contribute to a more integrated and efficient European payments market
● Improve the level playing field for payment service providers (including new players)
● Make payments safer and more secure
● Protect consumers
● Encourage lower prices for payments
Source: http://europa.eu/rapid/press-release_MEMO-15-5793_en.htm?locale=en
In practice the directive concerns almost all sorts of e-payments, not just online payments!
PSD2 widens the scope: new services and new players
• Telecom operators
  ● Physical products and services purchased through a telecom operator
• Payments outside the EU
  ● PSP must provide the customer clear information about prices and payment terms
  ● A PSP operating in the EU has responsibility in international payments
New and changing roles in the value chain
• Account Servicing Payment Service Provider (ASPSP)
  ● Consumer's bank, current issuer
• Payment Initiation Service Provider (PISP)
  ● Initiates the payment process; seller or PSP
• Account Information Service Provider (AISP)
  ● Consolidates customer's data, "cross-bank"
  ● AISP can be a totally new actor
PSD2 defines interfaces between various actors and opens up the value chain for new actors!
E-payments value chain (diagram)
● Card payment today: Customer, Seller, Acquirer (Worldpay, Bank, ...), Card company, Issuer (Customer's bank); flows shown: Card details, Money.
● Payment enabled by PSD2: Customer, Seller/PSP (PISP), Customer's bank (ASPSP); access to accounts (XS2A); flows shown: Authentication, Money.
Notes about PSD2 payments
• PSD2 expands the reach of online payments
  ● As many as 60% of European consumers don't own a credit card
• PSD2 simplifies online payments
  ● Potentially fewer players in the value chain
  ● Potential savings to merchants and consumers
• New entrants may enter the payment market
  ● PSD2 accelerates competition in payment services
  ● ASPSPs must open APIs to other PSPs
E-banking transactions (diagram)
● E-banking today: Customer authenticates with Bank 1, Bank 2 and Bank 3 separately to get account information.
● Transactions enabled by PSD2: Customer uses one AISP, which reaches Bank 1, Bank 2 and Bank 3 through access to accounts (XS2A).
● AISP: consolidates information into one service; potential disruption point.
Notes about AISP
● AISP can have a significant position in the PSD2 world
● A customer can get all bank services from one place
● The whole of banking data can be collected into one place
● A good chance to create added value:
”cross-bank”, ”cross-product”, ”cross-sell”
Responsibility of the PSP
● Strong customer authentication
  ● Must include elements linking the authentication to a specific amount and payee (dynamic code)
● User privacy
  ● PSP must protect users' personalised security credentials
● PSPs are required to find evidence against fraud
  ● If the customer denies a payment transaction, the PSP is obliged to provide proof, or refund
PSD2 AND API SECURITY
PSD2 – webinar 10.12.2015
10.12.2015 © Nixu 15
TECHNOLOGY FORECAST
● API Economy
● MyData
● PSD2
SECURE ACCESS – GOOD CUSTOMER EXPERIENCE (diagram)
The Bank / Account Servicing PSP exposes an API to a Third party service / Payment Initiation PSP / Third Party Provider over HTTP, SSL, REST and JSON.
PSD2 REQUIREMENTS FOR ACCESS CONTROL
● Customer authorizes a third party service to act on her or his behalf.
● An explicit consent from the user needs to be received.
● One-time or frequent access.
● User must be able to cancel a given authorization at any time.
● Authorization needs to be fine-grained and the user needs to understand the scope.
● Confidentiality of customers' credentials.
● No complicated enrolment for third party providers.
OAUTH 2 DELEGATED ACCESS
OAuth 2: a proven and open access management standard which supports delegated access on behalf of the resource owner.
PROVEN OPEN STANDARD
Think valet keys.
Photo: Marcel Moreau
EXISTING RECOMMENDATIONS: HM TREASURY AND CABINET OFFICE
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/382273/141202_API_Report_FINAL.PDF
OAUTH 2: TRUST BETWEEN PARTIES (diagram)
The Bank / Account Servicing PSP and the Third party service / Payment Initiation PSP / Third party provider establish trust through a client id and a shared secret.
OAUTH 2: SIMPLIFIED USE SCENARIO (diagram)
Between the Bank / Account Servicing PSP and the Third party service / Payment Initiation PSP / Third party provider:
• Strong authentication
• Approval of scope
• Customer never shares credentials
• "Valet key"
• Delegated access to APIs
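The access-control requirements listed earlier (explicit consent, fine-grained and cancellable authorization, client trust through a client id and shared secret, customer credentials never shared) and the simplified OAuth 2 scenario above can be exercised in code. The following is an added example written for this page, not MePIN's, Nixu's or any bank's code: a constructed, in-memory authorization server in Go that models only the pieces the slides name, not the full OAuth 2 specification. Every name in it (AuthServer, the client id "pisp-demo", scope strings such as "payment:initiate") is an assumption.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Constructed in-memory stand-in for the bank's (ASPSP's) authorization server;
// example code for this page, not MePIN's or Nixu's, and not a full OAuth 2 implementation.
type token struct {
	clientID, user string
	scopes         map[string]bool
	expires        time.Time
	revoked        bool
}

type AuthServer struct {
	secrets map[string]string // client id -> shared secret (trust between parties)
	codes   map[string]*token // single-use authorization codes awaiting exchange
	tokens  map[string]*token // issued access tokens, the "valet keys"
}

func NewAuthServer() *AuthServer {
	return &AuthServer{secrets: map[string]string{}, codes: map[string]*token{}, tokens: map[string]*token{}}
}

func randomID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// RegisterClient records a third party provider's client id and shared secret.
func (s *AuthServer) RegisterClient(clientID, secret string) { s.secrets[clientID] = secret }

// Authorize runs after the bank has strongly authenticated the user and shown the requested
// scopes. Without explicit approval no code is issued; bank credentials never reach the client.
func (s *AuthServer) Authorize(clientID, user string, requested []string, approved bool) (string, error) {
	if _, ok := s.secrets[clientID]; !ok || !approved {
		return "", errors.New("unknown client or consent declined")
	}
	t := &token{clientID: clientID, user: user, scopes: map[string]bool{}}
	for _, sc := range requested {
		t.scopes[sc] = true
	}
	code := randomID()
	s.codes[code] = t
	return code, nil
}

// Exchange trades a code for an access token: the client proves its identity with the
// shared secret and the code is consumed so it cannot be replayed.
func (s *AuthServer) Exchange(clientID, secret, code string, ttl time.Duration) (string, error) {
	want, ok := s.secrets[clientID]
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(secret)) != 1 {
		return "", errors.New("client authentication failed")
	}
	t, ok := s.codes[code]
	if !ok || t.clientID != clientID {
		return "", errors.New("invalid authorization code")
	}
	delete(s.codes, code)
	t.expires = time.Now().Add(ttl)
	id := randomID()
	s.tokens[id] = t
	return id, nil
}

// CheckAccess is what the API gateway asks before serving a request.
func (s *AuthServer) CheckAccess(tok, scope string) error {
	t, ok := s.tokens[tok]
	if !ok {
		return errors.New("unknown token")
	}
	if t.revoked || time.Now().After(t.expires) {
		return errors.New("authorization revoked or expired")
	}
	if !t.scopes[scope] {
		return fmt.Errorf("scope %q not granted", scope)
	}
	return nil
}

// Revoke cancels every token the user granted to a client and reports how many.
func (s *AuthServer) Revoke(user, clientID string) int {
	n := 0
	for _, t := range s.tokens {
		if t.user == user && t.clientID == clientID && !t.revoked {
			t.revoked = true
			n++
		}
	}
	return n
}
```

The scope check is what turns "fine-grained authorization" into an enforceable control at the API: a token granted for payment initiation is refused for account information, and cancelling the authorization invalidates every token the user granted to that client. The constant-time secret comparison and the single-use code are the two details most often dropped in home-grown implementations, which is the point of the slide's warning that secure implementation requires skills and experience.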
WHAT NEXT?
● Expect technical recommendations to be available during spring.
● Any ongoing architecture or technology projects should already consider the coming API requirements.
● OAuth 2, although not yet proposed or decided, is at least a good choice for API access management.
● Understand that OAuth 2 is not a strict standard:
  – Maturity in different access management products varies.
  – Secure implementation requires skills and experience.
www.nixu.com | /nixuoy | @nixutigerteam | /company/nixu-oy | © Nixu
PSD2 and strong authentication
How does MePIN comply with PSD2 requirements?
Strong authentication on any channel (diagram): the online service calls the MePIN server through an Auth API; the user authenticates and authorizes with a personal device using PKI; access anywhere.
1. STRONG CUSTOMER AUTHENTICATION
   MePIN feature: Strong PKI authentication + biometrics or PIN
2. DYNAMIC LINK TO A SPECIFIC AMOUNT AND PAYEE
   MePIN feature: Show and sign each payment transaction
3. ACCESS TO PAYMENT ACCOUNT INFORMATION FOR THIRD PARTIES (XS2A)
   MePIN feature: Out-of-band authorization of account access
4. ENSURE USER PRIVACY
   MePIN feature: Tokenization of the user
5. PSPs ARE REQUIRED TO FIND EVIDENCE AGAINST FRAUD
   MePIN feature: Non-repudiation and proof with digital signatures
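The PSP responsibilities listed earlier (authentication linked to a specific amount and payee, and proof when a customer denies a transaction) and MePIN features 2 and 5 above rest on one mechanism: a digital signature over the transaction details the user saw and approved. The following is an added example written for this page, not MePIN's code, showing that mechanism with ECDSA P-256 from Go's standard library. The field layout, the names Transaction, Sign, Verify, Approve and CheckRecord, and all sample values are assumptions; where the keys live (a private key on the user's device, an enrolled public key at the PSP) is assumed for the example, not prescribed by the slides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Example code for this page, not MePIN's: a minimal dynamic-linking signature
// over the transaction details the user sees and approves on a personal device.

// Transaction holds every field the authentication must be linked to.
type Transaction struct {
	Amount   string // decimal string, e.g. "125.00", to avoid float rounding
	Currency string
	Payee    string // payee account identifier
	Nonce    string // per-transaction randomness issued by the server, prevents replay
}

// canonical is the exact byte string that gets signed; changing any field
// changes it, so the signature is valid for this amount and payee only.
func (tx Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("amount=%s\ncurrency=%s\npayee=%s\nnonce=%s\n",
		tx.Amount, tx.Currency, tx.Payee, tx.Nonce))
}

func digest(tx Transaction) []byte {
	h := sha256.Sum256(tx.canonical())
	return h[:]
}

// Sign is the device's step after the user has unlocked the key with PIN or biometrics.
func Sign(priv *ecdsa.PrivateKey, tx Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(tx))
}

// Verify is the PSP's step; it uses the public key enrolled for the user.
func Verify(pub *ecdsa.PublicKey, tx Transaction, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(tx), sig)
}

// Record is the evidence the PSP stores: transaction plus the user's signature.
// With the enrolled public key it later proves the user approved exactly this
// transaction, which is what lets the PSP answer a disputed payment with proof.
type Record struct {
	Tx        Transaction
	Signature string // hex-encoded ASN.1 ECDSA signature
}

func Approve(priv *ecdsa.PrivateKey, tx Transaction) (Record, error) {
	sig, err := Sign(priv, tx)
	if err != nil {
		return Record{}, err
	}
	return Record{Tx: tx, Signature: hex.EncodeToString(sig)}, nil
}

func CheckRecord(pub *ecdsa.PublicKey, r Record) bool {
	sig, err := hex.DecodeString(r.Signature)
	if err != nil {
		return false
	}
	return Verify(pub, r.Tx, sig)
}

func main() {
	// Constructed example key; in a real deployment it lives in the device's secure hardware.
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tx := Transaction{Amount: "125.00", Currency: "EUR", Payee: "PAYEE-ACCOUNT-PLACEHOLDER", Nonce: "n-001"}
	rec, _ := Approve(priv, tx)
	fmt.Println("original verifies:", CheckRecord(&priv.PublicKey, rec))
	tampered := rec
	tampered.Tx.Amount = "1250.00" // a changed amount invalidates the approval
	fmt.Println("tampered amount verifies:", CheckRecord(&priv.PublicKey, tampered))
}
```

Because the signed string covers amount, currency, payee and a server-issued nonce, an approval captured for one payment cannot be applied to another amount or payee, nor replayed for the same one, and a stored Record can be re-verified against the user's enrolled public key whenever a transaction is disputed. An HMAC would give the same binding but not non-repudiation, since the PSP would hold the same key as the user; that is why the slide pairs the proof requirement with digital signatures.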
THANK YOU