Will PSD2 prove to be a cyber security nightmare for banks?
11 September 2017 |
In 2018, the PSD2 (Revised Payment Service Directive) comes into force and while it will break a bank’s monopoly over a customer’s account, the security implications cannot be ignored.
Payment services and banks have long enjoyed complete control over how customers have checked and maintained their financials. However, with the new banking regulation in 2018, the status quo is set to change. Being put in place by the EU, PSD2 hands over control of how payments are made online and what information the customer sees on the screen, to the customer.
So, once it comes into force, merchants like Amazon, Debenhams or even Ikea will be able to get in touch with our banks to directly take payment from them bypassing the likes of third-party products like Visa/Mastercard and PayPal.
But while banks will be scrambling to make sure the security of systems working in the background are robust, it will make competition in the area more pronounced. And while the monopoly is set to break, the idea that the likes of Facebook, Google and Twitter being used as dashboards to access financial information must send banks into a tizzy about the security structure. The statement by Hazel Moore, co-founder and chairman of FirstCapital that according to a recent survey, around 73 per cent of millennials would prefer to use Google or Amazon for banking and 33 per cent do not see the need for a bank at all, must give bankers sleepless nights!
READ MORE: Understanding the social engineering threat
Andrew Whaley, VP Engineering at Arxan said: "Imagine if Facebook had the option to display your balance! It would request the details from your bank or building society and your bank, in turn, will have to be satisfied it is definitely you. The only way to ensure this would be to use either 2-factor authentication or tokens.
"The bank could then use either of these methods to grant permission to the entity operating the dashboard. This way Facebook gets that information and the customer is able to manage the mandate. However, there are many issues around this- principally that the authenticator app could be compromised.
"The position of the banks in this instance is of great dilemma. Upon providing many third parties like Facebook to access data, they have no control over what Facebook do with that data. There are many questions on security like what happens when a customer's Facebook profile gets hacked? The mechanism exists outside of the control of the bank so it is a very scary situation.
"Banks spend a huge amount of money and resources on IT security and are generally very good at it. Introducing PSD2 basically introduces a risk factor and so banks should (and would) certainly think twice about it.
"Standards will have a big role to play- banks will almost definitely mandate that any outside actors who wish to use customer account information will have to have the same/similar security structures and precautions in place as the banks themselves. Application hardening to protect end point could well be in the contract!
"We need to remember that in this instance, power will come with responsibility. We will also see that startups will come along and although they will not be experts in app security and have no resources to have security at the level as banks, they will want to make a quick buck off it.
"We will see some unfortunate instances..."
2018 is set to be a game-changing year for retail banking. And while PSD2 will (no doubt) be welcomed by consumers, it could potentially escalate to be a headache for banks.
While onus will ultimately be on the consumer to select the best business to handle their payment and accounts, the new EU directive opens the door to more competition in the market and hopefully, a thrust to making the public more aware of the importance of robust security measures on their accounts.
Bill Gates' words seem almost prophetic now: Banking is necessary, banks are not.
Latest posts by Sunetra Chakravarti (see all)
- Data breaches reach all-time high as new environments create more attack surfaces - 7th February 2018
- Petya, NotPetya, Good Rabbit, Bad Rabbit… the rise of ransomware - 2nd February 2018
- Pharmaceutical industry and GDPR: What to do next - 31st January 2018
- TEISS2018: On the internet, nobody knows you are a fridge - 30th January 2018
- Why does a privilege account breach translate to ‘game over’ for a business? - 26th January 2018