PSD2 + authentication - From requirements to implementation

  • Upload
    mepin

  • View
    3.093

  • Download
    1

Embed Size (px)

Citation preview

Page 1: PSD2 + authentication - From requirements to implementation

PSD2 + AUTHENTICATION

From requirements to implementation

Page 2: PSD2 + authentication - From requirements to implementation

Speakers

Markku Mehtälä

CEO of MePIN / Meontrust

Mikko Nurmi

Manager, IAM Consulting at Nixu, CISSP

Page 3: PSD2 + authentication - From requirements to implementation

Companies

Nixu

● European cybersecurity company, offices in Finland and the Netherlands.

● We work to improve our clients' cybersecurity in the solution areas of Corporate IT, Digital Business and Industrial Internet.

● Services include consulting, implementation projects and continuous services.

Meontrust Inc

● Mobile authentication specialist company

● Helping banks, telecom operators and other consumer online services to secure their services and end users

● MasterCard Start Path company, customers and partners globally

Page 4: PSD2 + authentication - From requirements to implementation

AGENDA

1. Brief presenter introduction
2. PSD2 overview and requirements
3. PSD2 and API Security
4. PSD2 and strong authentication
5. Q&A

Page 5: PSD2 + authentication - From requirements to implementation

PSD2 overview and requirements

Page 6: PSD2 + authentication - From requirements to implementation

PSD2 timeline

● 31.1.2013: ECB's recommendations for e-payments
● 2013: European Commission proposes to review the PSD
● 19.12.2014 / 1.8.2015: EBA's guidelines for e-payments
● 2014-2015: Preparations; EU parliament agrees to the revised directive
● 2016: EBA's technical PSD2 recommendations
● 2017: Law comes into force in Member States (+ 24 months)

Page 7: PSD2 + authentication - From requirements to implementation

Main PSD2 objectives

● Contribute to a more integrated and efficient European payments market
● Improve the level playing field for payment service providers (including new players)
● Make payments safer and more secure
● Protect consumers
● Encourage lower prices for payments

Source: http://europa.eu/rapid/press-release_MEMO-15-5793_en.htm?locale=en

In practice the directive concerns almost all sorts of e-payments, not just online payments!

Page 8: PSD2 + authentication - From requirements to implementation

PSD2 widens the scope: new services and new players

• Telecom operators
  ● Physical products and services purchased through a telecom operator
• Payments outside the EU
  ● PSP must provide the customer clear information about prices and payment terms
  ● PSP operating in the EU has a responsibility in international payments

Page 9: PSD2 + authentication - From requirements to implementation

New and changing roles in the value chain

• Account Servicing Payment Service Provider (ASPSP)
  ● Consumer's bank, current issuer
• Payment Initiation Service Provider (PISP)
  ● Initiates the payment process, seller or PSP
• Account Information Service Provider (AISP)
  ● Consolidates customer's data, "cross-bank"
  ● AISP can be a totally new actor

PSD2 defines interfaces between various actors and opens up the value chain for new actors!

Page 10: PSD2 + authentication - From requirements to implementation

E-payments value chain (diagram)

Card payment today: Customer → Seller → Acquirer (Worldpay, bank, ...) → Card company → Issuer (customer's bank). Flows labelled in the diagram: card details, authentication, money.

Payment enabled by PSD2: Customer → Seller / PSP (PISP) → Customer's bank (ASPSP), via access to accounts (XS2A). Flows labelled in the diagram: authentication, money.

Page 11: PSD2 + authentication - From requirements to implementation

Notes about PSD2 payments

• PSD2 expands the reach of online payments
  ● As many as 60% of European consumers don't own a credit card
• PSD2 simplifies online payments
  ● Potentially fewer players in the value chain
  ● Potential savings to merchants and consumers
• New entrants may enter the payment market
  ● PSD2 accelerates competition in payment services
  ● ASPSPs must open APIs to other PSPs

Page 12: PSD2 + authentication - From requirements to implementation

E-banking transactions (diagram)

E-banking today: the customer authenticates separately to Bank 1, Bank 2 and Bank 3.

Transactions enabled by PSD2: the customer uses one AISP, which retrieves account information from Bank 1, Bank 2 and Bank 3 through access to accounts (XS2A).

AISP
• Consolidates information into one service
• Potential disruption point

Page 13: PSD2 + authentication - From requirements to implementation

Notes about AISP

● AISP can have a significant position in the PSD2 world

● A customer can get all bank services from one place

● The whole of banking data can be collected into one place

● A good chance to create added value: "cross-bank", "cross-product", "cross-sell"

Page 14: PSD2 + authentication - From requirements to implementation

Responsibility of the PSP

• Strong customer authentication
  ● Must include elements linking the authentication to a specific amount and payee (dynamic code)
• User privacy
  ● PSP must protect users' personalised security credentials.
• PSPs are required to find evidence against fraud
  ● If the customer denies a payment transaction, the PSP is obliged to provide proof - or refund

Page 15: PSD2 + authentication - From requirements to implementation

PSD 2 AND API SECURITY

PSD2 – webinar 10.12.2015

10.12.2015 © Nixu 15

Page 16: PSD2 + authentication - From requirements to implementation


API Economy

MyData

PSD2

Page 17: PSD2 + authentication - From requirements to implementation

TECHNOLOGY FORECAST (diagram)

Bank (Account Servicing PSP) ↔ Third party service (Payment Initiation PSP / Third Party Provider), connected through an API built on HTTP, SSL, REST and JSON.

SECURE ACCESS – GOOD CUSTOMER EXPERIENCE

Page 18: PSD2 + authentication - From requirements to implementation

PSD2 REQUIREMENTS FOR ACCESS CONTROL

Customer authorizes a third party service to act on her or his behalf.

Explicit consent from the user must be obtained.

One-time or frequent access.

The user must be able to cancel a given authorization at any time.

Authorization needs to be fine grained and the user needs to understand the scope.

Confidentiality of customers' credentials.

No complicated enrolment for third party providers.

Page 19: PSD2 + authentication - From requirements to implementation

OAuth 2

Proven and open access management standard, which supports delegated access on behalf of the resource owner.

Page 20: PSD2 + authentication - From requirements to implementation

OAUTH 2 DELEGATED ACCESS


Think valet keys.

Photo: Marcel Moreau

Page 21: PSD2 + authentication - From requirements to implementation

PROVEN OPEN STANDARD


Page 22: PSD2 + authentication - From requirements to implementation

EXISTING RECOMMENDATIONS: HM TREASURY AND CABINET OFFICE

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/382273/141202_API_Report_FINAL.PDF

Page 23: PSD2 + authentication - From requirements to implementation

OAUTH 2: TRUST BETWEEN PARTIES (diagram)

Bank (Account Servicing PSP) ↔ Third party service (Payment Initiation PSP / Third party provider): the third party is registered with the bank under a client id and a shared secret.

Page 24: PSD2 + authentication - From requirements to implementation

OAUTH 2: SIMPLIFIED USE SCENARIO (diagram)

Bank (Account Servicing PSP) ↔ Third party service (Payment Initiation PSP / Third party provider)

• Strong authentication
• Approval of scope
• Customer never shares credentials
• "Valet key"

Delegated access to APIs
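The delegated-access model of this and the preceding slides (explicit consent, fine-grained scope, cancellation at any time, the customer's credentials never reaching the third party), as an added toy implementation of the bank side in Go. This is not Nixu's, MePIN's or any vendor's code; the user name, client id and scope names are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Added example, not Nixu or MePIN code: the ASPSP (bank) side of OAuth 2 delegated
// access, which hands the third-party PSP a scoped, revocable "valet key" token.
type Grant struct {
	ClientID, User string
	Scopes         map[string]bool // exactly the scopes the customer approved
	Revoked        bool            // set when the customer cancels the authorization
}

// AuthServer maps each issued access token to the grant behind it.
type AuthServer map[string]*Grant

// Authorize runs after the bank has strongly authenticated the customer and the
// customer has explicitly approved these scopes; the TPP never sees bank credentials.
func (s AuthServer) Authorize(user, clientID string, approved []string) string {
	g := &Grant{ClientID: clientID, User: user, Scopes: map[string]bool{}}
	for _, sc := range approved {
		g.Scopes[sc] = true
	}
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand: the token is a bearer credential and must be unguessable
	tok := hex.EncodeToString(b)
	s[tok] = g
	return tok
}

// Access is the check the bank API runs on every TPP call: live token, granted scope.
func (s AuthServer) Access(token, scope string) error {
	g, ok := s[token]
	if !ok || g.Revoked {
		return errors.New("token unknown or revoked")
	}
	if !g.Scopes[scope] {
		return errors.New("scope not granted: " + scope)
	}
	return nil
}

// Revoke lets the customer cancel a given authorization at any time.
func (s AuthServer) Revoke(user, clientID string) {
	for _, g := range s {
		if g.User == user && g.ClientID == clientID {
			g.Revoked = true
		}
	}
}
```

A request for a scope the customer did not approve fails even with a valid token, and revocation takes effect on the very next call.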

Page 25: PSD2 + authentication - From requirements to implementation

WHAT NEXT?

Expect technical recommendations to be available during spring.

Any ongoing architecture or technology projects should already consider the coming API requirements.

OAuth 2, although not yet proposed or decided, is at least a good choice for API access management.

Understand that OAuth 2 is not a strict standard:
– Maturity in different access management products varies.
– Secure implementation requires skills and experience.

Page 26: PSD2 + authentication - From requirements to implementation

www.nixu.com

/nixuoy

@nixutigerteam

/company/nixu-oy

© Nixu

Page 27: PSD2 + authentication - From requirements to implementation

PSD2 and strong authentication

How does MePIN comply with PSD2 requirements?

Page 28: PSD2 + authentication - From requirements to implementation

Strong authentication on any channel (diagram)

Online service → Auth API → MePIN server → PKI → the customer's personal device: "Authenticate and authorize with your personal device", "Access anywhere".

Page 29: PSD2 + authentication - From requirements to implementation
Page 30: PSD2 + authentication - From requirements to implementation

1.

STRONG CUSTOMER AUTHENTICATION

MePIN feature:

Strong PKI authentication + biometrics or PIN

Page 31: PSD2 + authentication - From requirements to implementation

2.

DYNAMIC LINK TO A SPECIFIC AMOUNT AND PAYEE

MePIN feature:

Show and sign each payment transaction

Page 32: PSD2 + authentication - From requirements to implementation

3.

ACCESS TO PAYMENT ACCOUNT INFORMATION FOR THIRD PARTIES (XS2A)

MePIN feature:

Out of band authorization of account access

Page 33: PSD2 + authentication - From requirements to implementation

4.

ENSURE USER PRIVACY

MePIN feature:

Tokenization of the user

Page 34: PSD2 + authentication - From requirements to implementation

5.

PSPs ARE REQUIRED TO FIND EVIDENCE AGAINST FRAUD

MePIN feature:

Non-repudiation and proof with digital signatures

Page 35: PSD2 + authentication - From requirements to implementation

THANK YOU