Is Your Online Banking Data Safe? A Thorough Overview Of PSD2 SCA


We all use online banking, right? If you live in the EU or the EEA (Iceland, Liechtenstein and Norway) and hold an account with an EU/EEA-based financial institution, you are almost certainly using online or mobile banking. PSD2 became applicable on 13 January 2018. It made it compulsory for account-holding institutions to give third-party providers (TPPs) that meet PSD2's security requirements access to payment account data, in practice through APIs; the detailed security rules for that access applied from 14 September 2019. 

Abbreviations like these sound impressive, but what matters is whether they actually work. Is your online banking data genuinely safe, or is it all smoke and mirrors? Let's find out! 

How PSD2 Protects Its Customers 

First, what is PSD2? PSD2 (the revised Payment Services Directive, Directive (EU) 2015/2366) is an EU directive adopted in 2015. It requires financial institutions that hold payment accounts to give third-party providers that meet PSD2's security requirements access to those accounts, in practice through Application Programming Interfaces (APIs). 

How does this directive ensure security? PSD2 requires that: 

• Customers are authenticated in a secure and fraud-resistant way. Strong Customer Authentication (PSD2 SCA) means at least two independent factors drawn from knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is), and for remote payments the authentication code must be dynamically linked to the amount and the payee. TPPs, in turn, identify themselves to the bank with qualified certificates issued under eIDAS, so the bank knows which regulated party is calling its API. 

• Transaction and account data is encrypted in transit between the bank, the TPP and the customer. 

• TPPs' access to bank accounts is logged and monitored: providers must establish the identity of users, run real-time transaction monitoring for unusual activity, and report major security incidents to their regulator. 

The detail sits in PSD2's Regulatory Technical Standards on strong customer authentication and common and secure communication (Commission Delegated Regulation (EU) 2018/389), which national regulators enforce as part of the legal framework. Alongside the security rules, banks and TPPs have to follow PSD2's other obligations, such as its governance rules (authorisation or registration with a national competent authority) and its transparency rules (information and charges disclosed to customers). 
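As an added example (not code from the page's author and not any bank's implementation), the following Python models the SCA requirement in the first bullet above: two independent factors plus dynamic linking of the authentication code to the amount and payee. The device key, PIN, salt and IBANs are constructed sample values, and the challenge/nonce design is a simplification of what a real banking app and HSM would do; it is here to show why a code approved for one payment cannot authorise a different one.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed enrolment data (hypothetical values, not from any real bank):
# a key provisioned into the customer's registered banking app at enrolment
# (possession factor) and a salted, stretched hash of the customer's PIN
# (knowledge factor). In production these live in a secure element / HSM.
DEVICE_KEY = bytes.fromhex(
    "2b7e151628aed2a6abf7158809cf4f3c603deb1015ca71be2b73aef0857d7781"
)
PIN_SALT = b"constructed-example-salt"
PBKDF2_ITERATIONS = 10_000
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4711", PIN_SALT, PBKDF2_ITERATIONS)

# Challenges (nonces) already consumed by a successful authorisation.
USED_NONCES: set[bytes] = set()


def knowledge_factor_ok(pin: bytes) -> bool:
    """Check the knowledge factor in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin, PIN_SALT, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, PIN_HASH)


def issue_challenge() -> bytes:
    """Bank side: a fresh random nonce per payment, so codes cannot be replayed."""
    return secrets.token_bytes(16)


def canonical_payment(amount_cents: int, currency: str, payee_iban: str, nonce: bytes) -> bytes:
    """Serialise the fields the authentication code must be bound to.
    Fixed field order and a separator that cannot occur inside the fields
    avoid ambiguity between different payments."""
    fields = [str(amount_cents), currency, payee_iban.replace(" ", "").upper(), nonce.hex()]
    return "|".join(fields).encode("ascii")


def authentication_code(device_key: bytes, amount_cents: int, currency: str,
                        payee_iban: str, nonce: bytes) -> str:
    """Device side: HMAC over the payment details with the enrolled key.
    Holding device_key is the possession factor; including amount and payee
    in the MAC input is the dynamic linking."""
    mac = hmac.new(device_key, canonical_payment(amount_cents, currency, payee_iban, nonce),
                   hashlib.sha256)
    return mac.hexdigest()


def verify_payment(pin: bytes, code: str, amount_cents: int, currency: str,
                   payee_iban: str, nonce: bytes) -> bool:
    """Bank side: accept only if both factors hold, the code is bound to exactly
    this amount and payee, and the challenge has not been consumed before."""
    if nonce in USED_NONCES:
        return False
    if not knowledge_factor_ok(pin):
        return False
    expected = authentication_code(DEVICE_KEY, amount_cents, currency, payee_iban, nonce)
    if not hmac.compare_digest(expected, code):
        return False
    USED_NONCES.add(nonce)
    return True


def demo() -> dict[str, bool]:
    """One legitimate authorisation plus the manipulations dynamic linking is
    meant to defeat. Returns which attempts the bank accepted."""
    payee = "DE89 3704 0044 0532 0130 00"  # constructed sample IBAN
    nonce = issue_challenge()
    # The app shows "Pay 125.00 EUR to DE89..." and the customer approves it.
    code = authentication_code(DEVICE_KEY, 12_500, "EUR", payee, nonce)

    return {
        # Attacker changes the amount after approval: code no longer matches.
        "tampered_amount": verify_payment(b"4711", code, 99_500, "EUR", payee, nonce),
        # Attacker redirects the payment to another account: code no longer matches.
        "tampered_payee": verify_payment(b"4711", code, 12_500, "EUR",
                                         "GB29 NWBK 6016 1331 9268 19", nonce),
        # Right device and code, wrong PIN: knowledge factor fails.
        "wrong_pin": verify_payment(b"0000", code, 12_500, "EUR", payee, nonce),
        # Exactly what the customer approved.
        "legitimate": verify_payment(b"4711", code, 12_500, "EUR", payee, nonce),
        # The same code and nonce submitted a second time: challenge already used.
        "replayed": verify_payment(b"4711", code, 12_500, "EUR", payee, nonce),
    }


if __name__ == "__main__":
    for attempt, accepted in demo().items():
        print(f"{attempt:16s} accepted={accepted}")
```

The point of the example is the `verify_payment` check: a real bank must recompute the code over the amount and payee it is actually about to execute, not over whatever the client claims was approved. Skipping that recomputation, or binding the code to the amount but not the payee, is exactly the kind of implementation mistake the directive does not prevent on its own.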

What Does PSD2 Not Protect Its Customers From? 

PSD2 covers a lot, but it does not, and cannot, guarantee that PSD2 itself is implemented correctly. A bank's API, a TPP's client or an SCA flow can satisfy the letter of the requirements and still contain implementation bugs, and those bugs are not something the directive prevents. The security requirements cover a great deal of ground, and it would be unrealistic to expect them to deliver 100% security when each one is only as good as the code behind it. 

What PSD2 does protect customers from is TPPs that do not follow its rules. The technical regulations target third parties that run PSD2-regulated services but do not follow the rules as closely as they should. A bank may deny or revoke a TPP's access to its APIs when it has objectively justified and evidenced reasons to suspect unauthorised or fraudulent access to an account, and it must report doing so to its regulator; a TPP that misbehaves can also lose its authorisation. In other words, the directive works to stop PSD2-specific vulnerabilities being exploited by regulated parties, but it does not protect an API from being implemented incorrectly in the first place. 

So, in short, SCA protects against straightforward fraud, but it does not protect against unintentional errors in how a developer interprets and implements the rules. 

Should You Trust Open Banking And PSD2? 

In short, yes, you should. PSD2 is a comprehensive directive covering many aspects of security and governance in the financial sphere, and it is widely treated as the reference model for open banking legislation elsewhere. It changes how banking works for its users quite significantly, opening up new ways to do business with banks and shifting towards a services-based economy, and it is built around the principle that your data remains under your control: a TPP only gets access once you have explicitly consented and authenticated. Enforcing PSD2's security requirements in the way PSD2 specifies closes the door on entities that might otherwise exploit PSD2-specific vulnerabilities, although it cannot close the door on implementation mistakes. 

In the longer term this framework may be superseded by more advanced solutions. But as of right now, PSD2 offers security and transparency well ahead of what online banking used to provide. Trust it with ease, and keep an eye on how your own bank and providers implement it.
