APIs under PSD2: Mitigating the Risk

Digital transformation is fully underway. With GDPR and PSD2 regulations in force, 2018 is certainly a year of significant changes. These EU regulations have a major impact on the processes and information systems that organisations have in place and businesses are facing the reality of complying with the requirements of these regulations.

What is PSD2 & Why Does It Matter?

The Payment Services Directive (PSD) regulates payment services and payment service providers in the EU. A revised directive, PSD2, came into effect on the 13th of January 2018. Designed to create a single and efficient market for payments, this update included new rules that protect and promote ‘open banking’ via online and mobile payments, allowing bank customers to use third-party providers (TPPs) to manage their finances.

PSD2 increases competition within the EU by allowing non-banks to participate in the payments industry while also presenting an opportunity for financial organisations to revolutionise their architecture, unlock valuable backend data and accelerate their digital transformation.

Until recently, banks could control the entire banking experience via a “closed” system. While this model kept all processes and technology components under enterprise control, it proved to be incompatible with changes in regulatory requirements and in customers’ preferences for a unique, personalised banking experience.

Banks are now required to:

  • Provide an online communication interface that allows TPPs to identify themselves to the bank, and to request and receive information about bank accounts and financial transactions of customers of the bank.
  • Initiate a financial transaction from an account of a customer of the bank.

The TPP needs consent from the user to perform the latter two functions.

Banks can offer this interface in two ways:

  • Dedicated Interface - The bank develops a new interface specifically to support TPPs
  • Customer Interface - The bank reuses an interface that it already offers to its users

Technology’s Role - APIs

Security technologies such as Identity Access Management (IAM) and Application Programming Interfaces (APIs) are required to meet the demands outlined in PSD2 and these will be essential to ensure that this regulation is applied and implemented in the right way.

  • 88% of banks surveyed by CA Technologies think internal APIs are essential for regulation and compliance, back-office systems management and for leveraging big data.
  • An API is software that allows two applications to interact with each other. In other words, it is the messenger that sends a request to the provider and then delivers the response back to you.

By leveraging an API-driven platform, banks can increase customer satisfaction, expand into new markets, future-proof their IT infrastructures and accelerate time to market of new products and services.

APIs represent a great opportunity for businesses to integrate applications quickly and easily, but with the good comes the bad: APIs promise agility while at the same time increasing risk.

The Inherent Risks

The introduction of PSD2 caused a lot of concern within the banking industry due to the inevitable security risks associated with APIs.

The problem with APIs is that they provide insight into the internal database structure that would otherwise be buried under layers of web app functionality. This can give hackers valuable clues that could lead to attack vectors they might otherwise overlook.

Attack vectors

There are three main attack vectors that attackers use most frequently against APIs. Understanding these will help to build safer APIs.

  1. Parameters - These attacks exploit the data sent into an API, including URL, query parameters, HTTP headers and post content.
  2. Man-in-the-Middle - These attacks intercept legitimate transactions and exploit unsigned or unencrypted data being sent between the client and the server. They can uncover confidential information such as personal data, alter a transaction in flight, or even replay legitimate transactions.
  3. Identity - Identity attacks exploit flaws in authentication, authorisation, and session tracking. Most of these are the result of migrating bad practices from the web world into API development.

Openness and security are two contrasting priorities. API design is a balancing act between the two. How do you open up your application and integrate with the outside world without risking your security?

CA is the Answer

Although APIs are vulnerable to a broad range of attacks, CA Technologies advises that implementing five simple mitigation strategies will allow an organisation to securely publish APIs.

  1. Validate Parameters - The single most effective defence against parameter manipulation and injection attacks is to validate all incoming data against a strict schema, which is effectively a description of what the system considers permissible input.
  2. Apply Explicit Threat Detection - Apply virus detection to all potentially risky encoded content. Consider explicit scanning for common attack signatures and be aware that attacks may take other forms, such as DoS. Leverage networking infrastructure to spot and mitigate network-level DoS assaults, but also check for DoS attacks that exploit parameters.
  3. Turn on SSL Everywhere - Adding SSL/TLS and applying this correctly is an effective defence against the risk of man-in-the-middle attacks as SSL/TLS provides integrity on all data exchanged between a client and a server.
  4. Apply Rigorous Authentication and Authorisation - OAuth is quickly becoming the go-to resource for user-centric API authorisation, but it remains a complex, rapidly changing, and difficult technology. Developers should defer to the basic, well-understood OAuth use cases and always use existing libraries rather than trying to build their own.
  5. Use Proven Solutions - The first rule of security is: Don’t invent your own. There is no reason to create your own API security framework, as there are excellent security solutions that already exist for APIs. The challenge lies in applying them correctly.
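As an added example (not from the original post or from CA Technologies), here is the strict-schema validation of point 1 applied to the parameter attack vector described above: a constructed PSD2-style payment-initiation body is checked against an allow-list schema that rejects unknown fields, wrong types and malformed values, with a body-size cap covering the parameter-based DoS case from point 2. The field names, limits and sample IBANs are assumptions, not any bank's real API.

```python
import json
import re

# Allow-list schema for a constructed PSD2-style payment initiation body (assumed field names).
MAX_BODY_BYTES = 4096                               # oversized payloads are a parameter-based DoS vector
AMOUNT_RE = re.compile(r"^\d{1,12}(\.\d{1,2})?$")   # no sign, no exponent, at most two decimals
CURRENCY_RE = re.compile(r"^[A-Z]{3}$")             # ISO 4217 shape only
IBAN_RE = re.compile(r"^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$")
TEXT_RE = re.compile(r"^[A-Za-z0-9 .,/-]{0,140}$")  # free text: printable allow-list, length-capped

SCHEMA = {
    "debtorIban": (str, IBAN_RE),
    "creditorIban": (str, IBAN_RE),
    "creditorName": (str, TEXT_RE),
    "amount": (str, AMOUNT_RE),     # amounts travel as strings to avoid float rounding
    "currency": (str, CURRENCY_RE),
    "remittanceInfo": (str, TEXT_RE),
}
REQUIRED = {"debtorIban", "creditorIban", "creditorName", "amount", "currency"}

def iban_checksum_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four chars to the end, map A-Z to 10-35."""
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1

def validate_payment(raw_body: bytes) -> list:
    """Return a list of validation errors; an empty list means the request may proceed."""
    if len(raw_body) > MAX_BODY_BYTES:
        return ["body exceeds %d bytes" % MAX_BODY_BYTES]
    try:
        body = json.loads(raw_body)
    except ValueError:
        return ["body is not valid JSON"]
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = []
    for key, value in body.items():
        if key not in SCHEMA:
            errors.append("unexpected field: %s" % key)    # reject, never silently ignore, unknown input
            continue
        typ, pattern = SCHEMA[key]
        if not isinstance(value, typ) or not pattern.match(value):
            errors.append("invalid value for %s" % key)
        elif key.endswith("Iban") and not iban_checksum_ok(value):
            errors.append("bad IBAN checksum for %s" % key)
    for key in sorted(REQUIRED - set(body)):
        errors.append("missing field: %s" % key)
    return errors
```

The sample IBANs used in the checks are the published ISO example values, not real accounts.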

CA API Management

CA API Management provides the connectivity to meet PSD2 requirements for open communication, and it provides the capabilities you need to create, secure and manage APIs, which is essential to addressing the digital transformation challenges of ‘Open Banking’.

With CA API Management, you can simplify API management and accelerate time to market of new applications; it enables you to deliver security without sacrificing user experience, all of which can lead to increased revenue.

Learn more about CA’s API Management solution here.

PSD2, by way of open APIs, will also encourage banks to extend their innovative services, which will grow the market further.

If an organisation can address API security as an architectural challenge long before any development takes place, it can reap the rewards of this technological breakthrough safely and securely.

If you would like to learn more about securing APIs or to discover how CA Technologies can ignite your PSD2 strategy, feel free to contact us.
