PSD2 Compliance for Mobile Devices: What Banks Need to Know
The moving target of regulatory compliance rarely slows down. Now, banks have yet another target to aim for: PSD2. The European Commission’s Revised Payment Services Directive, PSD2, regulates payment services and payment service providers (PSPs) such as banks. In fact, PSD2 applies to many kinds of businesses that provide electronic and non-cash payments, including mobile and online payments, throughout Europe.
What exactly does PSD2 do? PSD2 lays out “rules for payment services such as credit transfers, direct debits and card payments. These rules include information requirements for payment services providers, as well as rights and obligations linked to the use of payment services.” Since one of the stated aims of PSD2 is to “facilitate customer mobility”, it also establishes strict security requirements, which extend to payments made from mobile devices.
The DNA of Mobile Security
Security for mobile devices differs from that of desktop PCs in numerous ways. At a high level, the key difference is that mobile devices require protection on at least three different attack surfaces: the Device, the Network, and the Apps (DNA). PSD2 reflects the need for multi-vector protection by specifying requirements for device and software integrity, secure communication, and data protection.
In addition, PSD2 requires that PSPs have mechanisms in place to minimize the potential harm if a security measure fails. Banks and FinTechs are exploring a range of technologies to meet these requirements, including:
- Containerization (together with root/jailbreak detection mechanisms)
- Hardware security elements
- Anti-malware tools
- Runtime application self-protection (RASP)
- Mobile device analytics / behavior solutions
PSD2 Requires Device and Software Integrity
Device and software integrity for mobile devices has always been a challenge for financial services app developers. Even if developers stick closely to security best practices, such as writing secure code, using only authorized APIs, carefully vetting libraries, and requesting only the permissions the app actually needs (least privilege), none of that will suffice if the device on which the app runs is compromised.
The importance of device and software integrity, and the challenge it poses, is underscored when you consider that a mobile device is typically administered exclusively by the end user. The bank therefore has no control over the device's patch level: it may be running an outdated OS, be missing numerous security patches, and have stale versions of apps, including the bank’s own app.
PSD2 Requires Secure Communications
PSD2 also requires secure communications. This means that banks must ensure that all communication with the device is encrypted in transit, and that the bank has a way to ensure the app exchanges data only with authenticated, legitimate endpoints.
One complicating factor is that mobile users can and do connect to unsecured Wi-Fi networks. In some cases these networks are set up with malicious intent; for example, a network may be named so as to trick the user into thinking it can be trusted. But even if a network is unsecured simply because of lax security on the part of its operator, that still leaves the door open to man-in-the-middle (MITM) and other network-based attacks, in which the attacker sits between the app and the bank and tries to present a certificate of its own.
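One concrete way for an app to make sure it talks only to the bank's own endpoints, even on a hostile network where an attacker can present a certificate that a user-installed or compromised CA would vouch for, is public-key (SPKI) pinning: the app ships with the SHA-256 hash of the server key's DER-encoded SubjectPublicKeyInfo and rejects any TLS leaf certificate whose key does not match. The example below is an added illustration written for this page, not Zimperium's or any bank's code. It uses only the Python standard library; the minimal DER reader walks the X.509 structure to find the SPKI, and the sample certificate (including the key bits, OIDs and dates) is constructed in the block itself so it runs offline. `verify_peer_pins` shows where the check would hook into a real TLS socket; it is not exercised offline.

```python
"""SPKI pinning check on a DER-encoded X.509 certificate (stdlib only).

Added example; not Zimperium's or any bank's code. The sample certificate is
constructed below with a tiny DER encoder (hypothetical key material) so the
block runs offline; in a real app the leaf comes from the TLS handshake.
"""
import base64
import hashlib
import ssl


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; return (tag, value, end_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    """Yield (tag, value, raw_tlv) for each element inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, end = _read_tlv(body, pos)
        yield tag, value, body[pos:end]
        pos = end


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_body, _ = _read_tlv(cert_body, 0)
    if tbs_tag != 0x30:
        raise ValueError("malformed tbsCertificate")
    fields = list(_children(tbs_body))
    if fields and fields[0][0] == 0xA0:  # explicit [0] version is absent in v1 certs
        fields = fields[1:]
    spki_tag, _, spki_raw = fields[5]    # serial, sigAlg, issuer, validity, subject, spki
    if spki_tag != 0x30:
        raise ValueError("malformed subjectPublicKeyInfo")
    return spki_raw


def spki_pin(cert_der: bytes) -> str:
    """HPKP/OkHttp-style pin string: 'sha256/' + base64(SHA-256(DER SPKI))."""
    digest = hashlib.sha256(extract_spki(cert_der)).digest()
    return "sha256/" + base64.b64encode(digest).decode("ascii")


def check_pin(cert_der: bytes, pins: set) -> bool:
    """True only if the leaf's public key matches one of the pins shipped in the app."""
    return spki_pin(cert_der) in pins


def verify_peer_pins(sock: ssl.SSLSocket, pins: set) -> bool:
    """Run the pin check on top of the normal chain and hostname validation that
    the SSLContext already performed. Pinning only narrows *which* CA-trusted
    key the app will accept; it does not replace certificate validation."""
    leaf = sock.getpeercert(binary_form=True)
    return leaf is not None and check_pin(leaf, pins)


# ---- constructed sample certificate (hypothetical key material) -------------
def _tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


_RSA_OID = bytes.fromhex("2a864886f70d010101")            # 1.2.840.113549.1.1.1 rsaEncryption
_ALG = _tlv(0x30, _tlv(0x06, _RSA_OID) + _tlv(0x05, b""))
SAMPLE_SPKI = _tlv(0x30, _ALG + _tlv(0x03, b"\x00" + b"\x42" * 270))  # placeholder key bits
_NAME = _tlv(0x30, b"")                                      # empty Name, for brevity
_VALIDITY = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))


def _build_cert(with_version: bool) -> bytes:
    tbs = _tlv(0xA0, _tlv(0x02, b"\x02")) if with_version else b""   # v3 marker or none
    tbs += _tlv(0x02, b"\x01") + _ALG + _NAME + _VALIDITY + _NAME + SAMPLE_SPKI
    return _tlv(0x30, _tlv(0x30, tbs) + _ALG + _tlv(0x03, b"\x00" * 33))


SAMPLE_CERT_V3 = _build_cert(with_version=True)
SAMPLE_CERT_V1 = _build_cert(with_version=False)
PINNED = {spki_pin(SAMPLE_CERT_V3)}   # what the app would ship; add a backup pin in practice

if __name__ == "__main__":
    print(spki_pin(SAMPLE_CERT_V3))
    print(check_pin(SAMPLE_CERT_V3, PINNED), check_pin(SAMPLE_CERT_V1, {"sha256/AAAA"}))
```

Pinning the SPKI rather than the whole certificate means a routine certificate renewal that keeps the same key does not break the app, and shipping a second (backup) pin for a key held offline lets the bank rotate keys without locking customers out. The check must run in addition to, never instead of, standard chain and hostname validation.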
PSD2 Requires Data Protection
The ability to use mobile payment methods is a significant convenience. Maximizing that convenience entails the use of the consumer’s financial data in the payment app. That data, along with the user’s personalized security credentials, requires protection. The PSP must provide that protection.
Developers can take a variety of approaches to protecting mobile apps and their data. PSD2 already requires, for example, that when authentication runs on a multi-purpose device such as a phone, the PSP mitigate the risk of that device being compromised, including by using a separated secure execution environment inside the device. Another approach could be the use of a RASP solution. These methods aim to protect the app and the data it contains, but are of limited value if the device on which the app resides is compromised.
Zimperium Enables PSD2 Compliance for Mobile Devices
Zimperium’s zIAP enables bank app developers to meet requirements for device and software integrity, secure communication, and data protection, and to meet the requirement for mechanisms to mitigate harm in case of failure.
Zimperium provides a software development kit (SDK) that enables developers to quickly embed Zimperium’s machine learning-based detection engine, z9, directly inside any mobile app. With the zIAP SDK embedded, a mobile app can immediately determine whether the user’s device is compromised, whether a network attack is in progress, or whether malicious apps are installed. Moreover, developers can specify the remedial action that should apply when a given threat is detected. In short, zIAP is a single solution for meeting a host of PSD2 requirements.
If you would like to learn more about the ways Zimperium can help your business meet PSD2 requirements, please contact us here.