A new white paper by Vasco – Open Banking APIs under PSD2: Security Threats and Solutions – looks at some of the security threats that will come into play when European banks begin to allow third-party providers (TPPs) to access their communication interfaces under the Revised Payments Services Directive (PSD2). The research looks at the requirements for the communication interface as defined in the draft regulatory technical standards (RTS) and at how banks can protect their interfaces from security threats.
Key security threats for APIs
Some of the key security threats that banks could face when they allow third-party access to customer account data include the following:
- Leakage of users' financial information. This kind of security breach could arise from vulnerabilities in the application programming interface (API), or from a compromised or malicious TPP leaking financial information obtained from the bank.
- Fraudulent financial transactions via the API. An API vulnerability could lead to a man-in-the-middle attack and manipulation of transaction data. There could also be compromised or malicious TPPs issuing fraudulent transaction requests.
- Unavailability of the API. The API could be compromised, degrading the quality of service for users or locking them out of the service.
The potential business impacts of these security problems include:
- legal liability (e.g. GDPR fines);
- reputational damage;
- financial loss;
- contractual liability; and
- negative impact on users.
CTMfile take: This white paper is detailed and useful for anyone wanting to get a grip on the security threats that could arise under PSD2.