PSD2, the second EU Payment Services Directive, is set to open up and expand the range of financial services offerings and organisation types well beyond the traditional banks. As a directive, its payment services rules are defined at EU level but must be implemented by each member state through local legislation or regulation.
In the case of the finance sector, which is already highly regulated, the European Banking Authority (EBA) has translated PSD2 into defined security management requirements centrally. The EBA has published sets of regulations that define the requirements around operational and security risk, the management and reporting of incidents, and the mechanisms for authentication and connection security. These can be found at:
Although they don’t exactly make easy bedtime reading, they do impose a set of security obligations on businesses that will have access to the banking systems (through open banking APIs) or that conduct account information or payment initiation services.
For new FinTech start-ups, or existing smaller service businesses, these are most likely to be a useful set of security provisions; although, as with any imposed regulatory standard, they might be viewed as somewhat overkill and a cost of doing business.
For larger, established banks or major retailers, however, they may be no more demanding than pre-existing security requirements or expected norms. They might, for instance, be viewed as running in parallel to the PCI-DSS requirements on credit card information: compliance with the new standards then becomes a matter of demonstrating existing practices and safeguards, rather than something that requires new controls or governance processes.
In the section below we will talk briefly about the first of these documents, the Guidelines on the Security Measures for Operational and Security Risks.
The EBA guidelines don’t pose any particularly new challenges for organisations that have an existing Information Security Management System (ISMS) in place.
The core structure (as shown in our infographic on this page) follows established principles: risk assessment, control frameworks, and the monitoring and assurance activities around them, an approach commonly referred to as a PLAN-DO-CHECK-ACT management system. Specifically, the document presents the 9 guidelines summarised below (if you don’t want to read through them, just skip ahead to our views and observations):
At first glance these requirements are fairly standard “security management” good practices. There are, however, some nuances arising from the relative newness of controls such as behaviour anomaly detection and threat intelligence. These are more recent safeguards or “good practices” that have been added to the cyber security fold since the last revision cycle of some of the more established standards. There is hopefully very little in these requirements that a large, medium or small bank or retailer is not already doing. To answer our initial question, then: for these organisations it is most definitely a case of evolution in terms of security and compliance management.
Where this set of guidelines might have more impact is within smaller businesses that are registering as PSD2 service providers: EITHER small FinTech start-ups (where the entirety of their business model relies on the PSD2 and open banking frameworks) OR established businesses that are now able to augment existing services and products with the provision of payment services (perhaps a retailer or service provider that will handle small payments directly rather than through a card scheme).
For businesses in these categories, security may not have been as large a factor in the design of their businesses, systems and applications as perhaps it should have been. Here, we may see the adoption of the EBA guidelines as more of a revolution in the approach to security.
While they might carry liability for any resulting fraud, the size and resources of smaller businesses may simply mean that there isn’t room on the balance sheet to provide redress, refunds or compensation. A significant exposure in the systems of a smaller AISP (account information service provider) or PISP (payment initiation service provider) could therefore be highly serious, as a security issue rapidly becomes a theft or fraud loss.
Insurance, a requirement of being part of the PSD2 regulated payment community, is also unlikely to pay out to cover losses if security controls were found to be lax or missing.
While the presence of security guidelines for payment and information providers under PSD2 is a good thing for consumers and banks, it does not mean that smaller businesses, start-ups or non-FS businesses providing financial services will have adequate security to match the risk they could face (or cause).
For the providers themselves, the EBA guidelines do give a useful best practice yardstick against which to define and measure security effectiveness. So there is hope that this new world of payment processing and open banking will be robust and trustworthy at a systemic level, as long as security gets the attention it deserves.
As to whether these guidelines represent evolution or revolution… it rather depends on what security maturity and cyber readiness you already have in place when your PSD2 services are launched.