When it comes to compliance, you’re never truly done. The environments you’re tasked with securing and auditing continue to evolve, and so do the standards and deadlines you have to meet. The EU’s Payment Service Directive 2 (PSD2) is a current case in point. The directive had several goals, including standardizing rules around payment services, opening up payment markets to competition, and increasing the protection of consumers and their data.
The regulation applies to payment service providers (PSPs) such as banks, processors, and FinTechs, as well as merchants that process e-commerce transactions. It is also important to recognize that it applies to any of these organizations that serve EU citizens.
While the directive took effect in 2018, the EU Commission has given organizations extra time to implement some of these rules. The requirement to establish strong customer authentication for e-commerce transactions takes effect on March 14, 2022.
In the sections below, we’ll offer some key takeaways for teams that have to comply with PSD2.
PSD2 Can Introduce More Data Sharing, Potential for More Risk
In order to foster increased competition, the directive offered rules around the need to “facilitate customer mobility.” One of the direct implications of this is that banks are required to share customers’ current and historical data with third parties, provided the customer offers their consent. In this way, customers will be able to more easily change banks or work with a third party, for example a FinTech’s mobile app that lets them manage multiple banking accounts.
This standard has significant implications for mobile security: Increasingly, mobile apps will represent a common way for banks to share data and for customers to access and manage this information.
Ultimately, this portability and data sharing will lead to a fundamental reality: Sensitive customer data will be stored, processed, and transmitted by more mobile apps and systems—inherently expanding the potential attack surface. If mobile apps and associated backend systems aren’t secured, the risk of data exposure will grow.
Establishing Mobile Security
Security for mobile devices differs fundamentally from that of desktop PCs. The critical difference is that mobile devices require protection on at least three different attack surfaces: the device itself, the networks it uses, and the apps installed. PSD2 recognizes the need for multi-vector protection by specifying requirements for device and software integrity, secure communication, and data protection.
In addition, PSD2 requires that PSPs have mechanisms in place that will minimize the potential harm if a security measure fails [1]:
Payment service providers shall adopt security measures …to mitigate the risk which would result from that multi-purpose device being compromised.
Banks and FinTechs are exploring a range of technologies to meet these requirements, including:
- Containerization (together with rootkit/jailbreak detection mechanisms)
- Hardware security elements
- Anti-malware tools
- Runtime application self-protection (RASP)
- Mobile device analytics and behavior solutions
PSD2 Requires Device and Software Integrity
For many mobile app developers, ensuring device and software integrity will be a constant challenge. Even if developers adhere to security best practices, such as writing secure code, using only authorized APIs, carefully vetting libraries, and applying least privilege, none of that will suffice if the device or operating system on which the app resides is compromised.
The challenges of ensuring device and software integrity are underscored by the fact that many mobile devices will be solely administered by the end-user. That means devices are likely to be running an outdated OS, be missing numerous security patches, and have dated versions of apps.
PSD2 Requires Secure Communications
PSD2 also requires secure communications [2]:
In order to safeguard the confidentiality and the integrity of data, it is necessary to ensure the security of communication sessions between account servicing payment service providers, account information service providers, payment initiation service providers, and payment service providers issuing card-based payment instruments.
Teams must ensure all communications with the device are encrypted. They must also employ measures to make sure communication only occurs with authenticated and legitimate sources and is not intercepted by a third party.
One complicating factor is that mobile users can and do connect to unsecured WiFi networks. In some cases, these networks are explicitly designed with malicious intent. For example, threat actors may give a network a display name that tricks the user into believing it is trustworthy. Further, even a legitimate network, if it isn’t effectively secured, still leaves the door open to man-in-the-middle (MITM) and other attacks.
PSD2 Requires Data Protection
The ability to use mobile payment methods is a significant convenience. Maximizing that convenience entails the use of the consumer’s financial data in the payment app. That data, along with the user’s personalized security credentials, requires protection. The PSP must provide that protection.
Developers can take a variety of approaches to protect mobile apps and user data. For example, one of the mitigating measures PSD2 outlines is “the use of separated secure execution environments through the software installed inside the multi-purpose device.” [3] Another approach could be to use a RASP solution. These methods aim to protect the app and the data the app contains, but are of limited value if the device on which the app resides is compromised.
Zimperium Enables PSD2 Compliance for Mobile
Fundamentally, if you build mobile apps, particularly apps that process the data of EU citizens, you want to make sure you’re ready to adapt to the latest PSD2 requirements. To comply with PSD2, you will need to establish stringent mobile app security standards.
The good news is that Zimperium can help.
Zimperium’s zDefend enables mobile app developers to meet requirements for device and software integrity, secure communication, and data protection. Further, with the solution, you can address PSD2’s strong customer authentication requirements, which are vital in mitigating the risk posed by failures elsewhere in the security ecosystem.
Zimperium provides a software development kit (SDK) that makes it fast and easy for developers to embed Zimperium’s machine learning-based detection engine, z9, directly inside any mobile app. With the engine embedded, mobile apps can immediately determine if a multi-use device is compromised, if any network attacks are occurring, and if malicious apps are installed. Moreover, developers can specify local remediation actions to mitigate risk when a threat is detected. In short, zDefend is a single solution to meet a host of PSD2 requirements.
[1] EU, “Commission Delegated Regulation (EU) 2018/389 of 27 November 2017,” Article 9. Independence of the elements. Section 2 and Section 3 (b), (c). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC
[2] EU, “Commission Delegated Regulation (EU) 2018/389 of 27 November 2017,” Paragraph 26. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC
[3] EU, “Commission Delegated Regulation (EU) 2018/389 of 27 November 2017,” Article 9. Independence of the elements. Section 3 (a). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2018.069.01.0023.01.ENG&toc=OJ:L:2018:069:TOC