It's no secret that customers today are demanding significantly more from their banks. For example, they now expect a fully digital and seamless experience across all channels through which the customer interacts with the bank, whether that’s for purchasing an item online or taking out a loan.
At the same time, regulations are placing far more importance on security than ever before which, combined with the relentless threat of fraud and cyberattacks hanging over banks, means ensuring customer security can’t be anything other than a top priority.
This is especially true in light of the Second Payment Services Directive (PSD2), which presents some additional security challenges for financial institutions to consider. PSD2 builds on previous legislation by increasing customer rights in areas such as complaints handling and currency conversion, enhancing security through Strong Customer Authentication (SCA) and enabling third-party access to account information.
So, with these new considerations in mind, what security measures should banks and financial institutions put in place to achieve compliance with PSD2? Here are five of the most important.
1. Strong Customer Authentication
When it comes to delivering a secure and compliant banking experience, intelligent authentication is vital. Intelligent authentication assesses the risk level of a transaction based on disparate data – such as transaction details, customer behaviour and device integrity – to determine what level of authentication is required.
To meet the SCA requirements of PSD2, authentication must be based on two or more of the following factors: knowledge (e.g. passwords or PINs), possession (e.g. tokens or mobile devices), and inherence (e.g. biometrics).
Exemptions to SCA are permitted for low-risk transactions, so intelligent adaptive authentication which adjusts the authentication steps according to an assessment of the risk level can result in a more convenient user experience. It ensures that customers aren’t limited to an inconvenient authentication method (e.g. receiving an SMS when they don’t have mobile signal) and enforces the right level of authentication for each individual situation.
2. Transaction monitoring
PSD2 mandates the use of transaction monitoring to deter fraudulent payments and prevent threats like account takeover, new account fraud, and mobile fraud. Financial institutions must also be able to demonstrate the effectiveness of their monitoring systems to auditors and regulators.
Mobile, application and transaction data is analysed in real-time to detect known and emerging fraud types in the online and mobile banking channels, whether through machine learning, more traditional rule-based systems or a combination of the both. This analysis produces a transaction risk score, which can then drive intelligent workflows that trigger immediate action based on pre-defined and/or customer-defined security policies and rules.
By taking into account a number of risk-based factors – including known fraud scenarios, malware infection detection and the transaction amount – transaction risk analysis enables banks to achieve compliance, better protect their customers, and reduce their operational costs.
3. Replication Protection
What has become clear is that cybercriminals are now investing more time and money than ever in attacking the mobile channel. As such, where an authentication factor is the possession of a mobile device, PSD2 mandates the use of countermeasures in apps to prevent the replication of the authentication factor.
The use of mobile application shielding technology protects apps from the inside out and strengthens their resistance to threats such as intrusion, tampering, reverse-engineering and malware – only denying service when absolutely necessary.
This mitigates the risk of apps operating in untrusted and potentially hostile environments without interrupting the user experience – which is, of course, a crucial factor as customer expectations continue to increase.
4. Dynamic Linking
This has been one of the most discussed requirements of PSD2. For payment transactions, the payer must be aware of the amount and recipient of the transaction and the authentication code must be dynamically linked to these details.
It was introduced to counter man-in-the-middle attacks, whereby an adversary alters the details of a transaction after the payer has authenticated it. Such an attack could result in a genuine transfer of £100 to a friend turning into a rogue transfer of £1000 to an imposter, without the genuine payer noticing.
Although the use of dynamic linking raises some critical issues for banks and financial institutions, such as how it can be implemented conveniently for customers and whether SMS can be used, it is a fundamental aspect of PSD2 and can’t afford to be overlooked.
5. Independent Elements
The number of banking Trojans targeting users of mobile devices doubled in 2018, which is one of the reasons why payment providers must adopt proactive security measures to mitigate the risks resulting from compromised mobile devices.
Payment providers must ensure that the breach of one authentication factor does not compromise another factor. This is particularly a concern for mobile devices, which may handle multiple authentication factors.
For example, application shielding with runtime-protection can mitigate the risk resulting from compromised mobile devices by securing the way it is deployed to online stores and strengthening the way the platform interacts with the application.
Ultimately, ensuring security is no easy task in today’s threat landscape. But, by keeping these five criteria in mind, banks and financial institutions can put themselves in the best possible position to protect their customers and remain compliant with PSD2 regulations.
Steven Murdoch, Chief Security Architect at OneSpan's Cambridge Innovation Centre