Mobile Security & Enterprise Mobility Blog

PSD2 Compliance for Mobile Devices: What Banks Need to Know

The moving target of regulatory compliance rarely slows down. Now, banks have yet another target to aim for: PSD2. The European Union's Revised Payment Services Directive (PSD2, Directive (EU) 2015/2366) regulates payment services and payment service providers (PSPs) such as banks. In fact, PSD2 applies to any kind of business providing electronic and non-cash payments, including mobile and online payments, throughout Europe.

PSD2 establishes “rules for payment services such as credit transfers, direct debits and card payments. These rules include information requirements for payment services providers, as well as rights and obligations linked to the use of payment services.” With one of the stated aims of PSD2 being to “facilitate customer mobility“, PSD2 establishes strict rules relating to security, including mobile device security.

Establishing Mobile Security

Security for mobile devices differs from that of desktop PCs. The key difference is that a mobile device exposes at least three distinct attack surfaces that each need protection: the device itself, the networks it connects to, and the apps installed on it. PSD2, through its regulatory technical standards (RTS) on strong customer authentication, recognizes the need for multi-vector protection by specifying requirements for device and software integrity, secure communication, and data protection.

In addition, PSD2 requires that PSPs have mechanisms in place to minimize the potential harm[1] if a security measure fails. Banks and FinTechs are exploring a range of technologies to meet these requirements, including:

  •       Containerization (together with root/jailbreak detection)
  •       Hardware secure elements and hardware-backed key storage
  •       Anti-malware tools
  •       Runtime application self-protection (RASP)
  •       Mobile device analytics / behavior solutions

PSD2 Requires Device and Software Integrity

Device and software integrity[2] for mobile devices will continuously challenge financial services app developers. Even if developers adhere to security best practices, such as writing secure code, using only authorized APIs, carefully vetting third-party libraries, running with least privilege, and so on, none of that will suffice if the device or operating system on which the app runs is compromised: a rooted or jailbroken OS can read the app's memory, hook its functions, and tamper with its storage regardless of how the app itself was written.

The importance of device and software integrity, and the challenge it poses, is underscored by the fact that a mobile device is typically administered exclusively by the end user. That means devices are likely to be running an outdated OS, to be missing numerous security patches, and to have dated versions of apps, including the bank's own app.

PSD2 Requires Secure Communications

PSD2 also requires secure communications[3]. Banks must ensure all communications with the device are encrypted. The bank must also have measures in place ensuring that communication occurs only with authenticated, legitimate endpoints and cannot be intercepted by a third party. Encryption alone does not achieve this: a TLS session to an attacker's server is still encrypted, so the app must verify that the server presenting the certificate is actually the bank's (for example, by pinning the bank's public key) rather than any server holding a certificate the device happens to trust.

One complicating factor is that mobile users can and do connect to unsecured WiFi networks. In some cases, these networks are explicitly designed with malicious intent. For example, a network may be named to trick the user into trusting it. Even if the network is unsecured simply because of lax security on the part of the network provider, it still leaves the door open for man-in-the-middle (MITM) and other network-based attacks.
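The check described above, as an added example that is not code from the original post or from Zimperium: a stdlib-only Python script that pulls the SubjectPublicKeyInfo (SPKI) out of a DER-encoded X.509 certificate, hashes it, and compares it against the pins an app ships with. The certificates it works on are constructed inline with toy key bytes so the script runs offline; they are not real certificates and are never signature-verified. The function and constant names (`extract_spki`, `chain_is_pinned`, `BANK_CERT`, `MITM_CERT`, `PINNED`) are this example's own.

```python
"""SPKI certificate pinning over a DER-encoded X.509 certificate (stdlib only).

Added example, not code from the original post or from Zimperium. It shows the
check a banking app makes before trusting a TLS server: hash the server's
SubjectPublicKeyInfo and compare it against pins shipped with the app. The
certificates below are constructed here with toy key bytes so the script runs
offline; they are not real certificates and are never signature-verified.
"""
import base64
import hashlib

# ---- minimal DER encode/decode (enough for the X.509 outer structure) -------

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV element."""
    return bytes([tag]) + _der_len(len(content)) + content

def der_seq(*children: bytes) -> bytes:
    return der(0x30, b"".join(children))

def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, content, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content: bytes):
    """Split a SEQUENCE body into (tag, full TLV bytes) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, _, end = _read_tlv(content, pos)
        out.append((tag, content[pos:end]))
        pos = end
    return out

# ---- the pinning check -------------------------------------------------------

def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER bytes of subjectPublicKeyInfo from a certificate."""
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs_tag, tbs = _children(cert_body)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    fields = _children(_read_tlv(tbs, 0)[1])
    if fields and fields[0][0] == 0xA0:     # optional EXPLICIT [0] version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    if len(fields) < 6 or fields[5][0] != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return fields[5][1]

def spki_pin(cert_der: bytes) -> str:
    """sha256(SPKI), base64: the pin format used by HPKP and Android's pin-set."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()

def chain_is_pinned(chain_der: list, pins: set) -> bool:
    """Accept the connection only if some certificate in the chain matches a pin."""
    return any(spki_pin(c) in pins for c in chain_der)

# ---- constructed sample data (toy keys, unsigned; for illustration only) -----

def _toy_spki(key_bytes: bytes) -> bytes:
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))      # rsaEncryption
    return der_seq(der_seq(rsa_oid, der(0x05, b"")), der(0x03, b"\x00" + key_bytes))

def build_sample_cert(spki: bytes, cn: bytes = b"bank.example") -> bytes:
    """A syntactically valid X.509 shell around spki; the signature is a dummy."""
    sig_alg = der_seq(der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
    name = der_seq(der(0x31, der_seq(der(0x06, bytes.fromhex("550403")), der(0x0C, cn))))
    validity = der_seq(der(0x17, b"180101000000Z"), der(0x17, b"190101000000Z"))
    tbs = der_seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),
                  sig_alg, name, validity, name, spki)
    return der_seq(tbs, sig_alg, der(0x03, b"\x00" * 9))

BANK_SPKI = _toy_spki(bytes(range(1, 33)))
BANK_CERT = build_sample_cert(BANK_SPKI)
# Same subject name, different key: what an interception proxy backed by a
# user-installed or compromised CA would present. Hostname checks pass; pinning fails.
MITM_CERT = build_sample_cert(_toy_spki(bytes(range(33, 65))))
# The pin the app ships with, computed from the bank's real SPKI at build time.
PINNED = {base64.b64encode(hashlib.sha256(BANK_SPKI).digest()).decode()}

if __name__ == "__main__":
    print("bank cert pinned:", chain_is_pinned([BANK_CERT], PINNED))   # True
    print("mitm cert pinned:", chain_is_pinned([MITM_CERT], PINNED))   # False
```

In a real app this logic lives in the platform's TLS stack rather than in a hand-rolled parser: Android's Network Security Configuration takes the same base64 SHA-256 SPKI pins in a `<pin-set>`, and iOS accepts them via `NSPinnedDomains` in Info.plist. Two caveats a practitioner should plan for: ship at least one backup pin so a key rotation does not lock users out, and remember that pinning only protects the channel. On a rooted or jailbroken device the pinning code itself can be hooked and disabled, which is why the RTS pairs secure communication with the device integrity requirement above.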

PSD2 Requires Data Protection

The ability to use mobile payment methods is a significant convenience. Maximizing that convenience entails storing and using the consumer's financial data inside the payment app. That data, along with the user's personalized security credentials, requires protection, and the PSP is the party that must provide it.

Developers can take a variety of approaches to protecting mobile apps and user data. The PSD2 RTS already lists, as a mandatory mitigating measure, the use of a separated secure execution environment within the device[4]. Another approach is a RASP solution. These methods aim to protect the app and the data it contains, but they are of limited value if the device on which the app runs is compromised, since a privileged attacker sits underneath every protection the app can apply to itself.

Zimperium Enables PSD2 Compliance for Mobile Devices

Zimperium’s zIAP enables bank app developers to meet the requirements for device and software integrity, secure communication, and data protection, and the Strong Customer Authentication requirement for mechanisms that mitigate harm when a security measure fails.

Zimperium provides a software development kit (SDK) that lets developers embed Zimperium’s machine learning-based detection engine, z9, directly inside any mobile app. With the zIAP SDK embedded, a mobile app can determine on the device whether the multi-purpose device it runs on is compromised, whether a network attack is in progress, and whether malicious apps are installed. Moreover, developers can specify local remediation actions to mitigate risk when a threat is detected. In short, zIAP is a single solution addressing a host of PSD2 requirements.

Contact us today for help complying with PSD2, review the zIAP documentation, or view our summary video on what PSD2 means for your mobile app.


[1] PSD2 RTS on strong customer authentication (Commission Delegated Regulation (EU) 2018/389). Article 9, Independence of the elements, paragraph 2 and paragraph 3(b), (c). “Payment service providers shall adopt security measures … to mitigate the risk which would result from that multi-purpose device being compromised. Mitigating measures include mechanisms to ensure that the software or device has not been altered by the payer or by a third party and that, where alterations have taken place, mechanisms to mitigate the consequences thereof.”
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC
[2] PSD2 RTS on strong customer authentication (Commission Delegated Regulation (EU) 2018/389). Article 9, Independence of the elements, paragraph 2 and paragraph 3(b), (c). “Payment service providers shall adopt security measures … to mitigate the risk which would result from that multi-purpose device being compromised. Mitigating measures include mechanisms to ensure that the software or device has not been altered by the payer or by a third party and that, where alterations have taken place, mechanisms to mitigate the consequences thereof.”
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC
[3] PSD2 RTS on strong customer authentication (Commission Delegated Regulation (EU) 2018/389). Recital 26. “In order to safeguard the confidentiality and the integrity of data, it is necessary to ensure the security of communication sessions between account servicing payment service providers, account information service providers, payment initiation service providers and payment service providers issuing card-based payment instruments.”
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC
[4] PSD2 RTS on strong customer authentication (Commission Delegated Regulation (EU) 2018/389). Article 9, Independence of the elements, paragraph 3(a). “Mitigating measures include … the use of separated secure execution environments through the software installed inside the multi-purpose device.”
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC