PSD2

Introduction

The revised Payment Services Directive of the European Union (PSD2) aims to increase competition, transparency and innovation in payment markets while strengthening payment security and reducing fraud.

To achieve this, PSD2 requires banks to grant third-party providers (TPPs) access to a consumer's online payment accounts in a regulated and secure way, and only with the consumer's consent. The TPPs can then offer different financial services to consumers.

To give TPPs that access, banks expose open APIs, which must meet rigorous security standards to protect customers' accounts.

In turn, TPPs must apply strong customer authentication whenever customers access account information or initiate payments through their applications.

This document explains how CoffeeBean helps its clients address these two requirements: secure open APIs and strong authentication.

AISP and PISP

Before turning to open APIs and strong authentication, it is important to understand the two types of third-party payment service providers defined in PSD2:

  • AISP (Account Information Service Provider): a provider that, with the customer's consent, reads account information such as balances and transaction history. This information can be used in analytical tools to track and study transactions, or to collect behavioural data that helps TPPs cater to more specific user wants and needs.

  • PISP (Payment Initiation Service Provider): a provider that initiates payments from a customer's bank account on the customer's behalf. This makes e-commerce checkouts faster, since the payment goes directly from the customer's account.

Both AISPs and PISPs reach the customer's bank accounts through the bank's open APIs, discussed in the next section. The access is scoped to what the customer has consented to: read-only account information for an AISP, payment initiation for a PISP.

Open APIs

Before PSD2, banks in Europe only had internal APIs and offered services through their own proprietary applications. Under PSD2 these banks must expose public APIs that third-party applications can call to provide account information (AISP) and payment initiation (PISP) services.

To limit security risks and fraud, Account Servicing Payment Service Providers (ASPSPs, i.e. the banks that hold the accounts) need to secure these financial APIs. A widely adopted way to do so is the OAuth 2.0 authorization framework with the OpenID Connect authentication layer on top of it.

  • OAuth 2.0 is an authorization framework that, in this context, lets a TPP ask the customer for an authorization grant to access specific information in their bank account. The customer authenticates at the bank and never reveals a password or any other credential to the TPP; the TPP only receives an access token, which it presents to the bank's API.
  • OpenID Connect is an authentication layer on top of OAuth 2.0 that lets the TPP verify the customer's identity through an identity provider (IdP). Once the user has authenticated, the IdP issues the TPP an ID token (a signed JWT stating who authenticated) together with the access token used to call the account and payment APIs.

CoffeeBean provides support and APIs to implement both OAuth 2.0 and OpenID Connect flows.
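To make the two bullets above concrete, here is an added example (not CoffeeBean's code and not any bank's API) that simulates the whole exchange in one process: the TPP builds an OAuth 2.0 authorization request with PKCE, the bank's authorization server authenticates the customer and returns a single-use code, the TPP exchanges it for an access token and an OpenID Connect ID token, and then validates the ID token's signature, issuer, audience, expiry and nonce. The issuer URL, client id, redirect URI and signing key are assumed values; HS256 with a shared secret is used only so the block runs with the standard library, whereas real PSD2 deployments use asymmetric signatures and the bank's published JWKS.

```python
# Added example: OAuth 2.0 authorization-code flow with PKCE and OpenID Connect
# ID-token validation, simulated end to end in one process (no network).
# The TPP is the OAuth client; the bank (ASPSP) is the authorization server/IdP.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://bank.example/oidc"           # assumed issuer URL
CLIENT_ID = "tpp-demo"                          # assumed TPP client id
REDIRECT_URI = "https://tpp.example/callback"   # assumed registered redirect URI
SIGNING_KEY = b"demo-shared-secret"             # assumed HS256 key (client secret)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


class TPPClient:
    """The third-party provider: starts the flow and validates what comes back."""

    def start(self) -> str:
        # PKCE: the verifier never leaves the client, only its SHA-256 does.
        self.verifier = b64url(secrets.token_bytes(32))
        challenge = b64url(hashlib.sha256(self.verifier.encode()).digest())
        self.state = secrets.token_urlsafe(16)   # ties the callback to this session (CSRF)
        self.nonce = secrets.token_urlsafe(16)   # ties the ID token to this request
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "scope": "openid accounts",
                  "state": self.state, "nonce": self.nonce,
                  "code_challenge": challenge, "code_challenge_method": "S256"}
        return f"{ISSUER}/authorize?{urlencode(params)}"

    def handle_callback(self, redirect_url: str) -> str:
        q = parse_qs(urlparse(redirect_url).query)
        if q.get("state", [None])[0] != self.state:
            raise ValueError("state mismatch: possible CSRF or mixed-up session")
        return q["code"][0]

    def validate_id_token(self, token: str, now: float) -> dict:
        header, body, sig = token.split(".")
        expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            raise ValueError("bad ID token signature")
        claims = json.loads(b64url_decode(body))
        if claims["iss"] != ISSUER or claims["aud"] != CLIENT_ID:
            raise ValueError("ID token not issued by our bank for this client")
        if claims["exp"] <= now:
            raise ValueError("ID token expired")
        if claims["nonce"] != self.nonce:
            raise ValueError("nonce mismatch: replayed ID token")
        return claims


class BankAuthServer:
    """Simulated ASPSP authorization server / IdP (hypothetical, in-memory)."""

    def __init__(self):
        self.pending = {}   # code -> request captured at /authorize, consumed once

    def authorize(self, url: str, authenticated_user: str) -> str:
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        # The customer authenticates with the bank here; the TPP never sees a password.
        code = secrets.token_urlsafe(24)
        self.pending[code] = {**q, "sub": authenticated_user}
        return f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code: str, verifier: str, client_id: str, now: float) -> dict:
        req = self.pending.pop(code, None)   # authorization codes are single-use
        if req is None:
            raise PermissionError("unknown or already used authorization code")
        if req["client_id"] != client_id:
            raise PermissionError("code was issued to a different client")
        if b64url(hashlib.sha256(verifier.encode()).digest()) != req["code_challenge"]:
            raise PermissionError("PKCE check failed: intercepted code?")
        claims = {"iss": ISSUER, "sub": req["sub"], "aud": client_id, "iat": int(now),
                  "exp": int(now) + 300, "nonce": req["nonce"]}
        return {"access_token": secrets.token_urlsafe(32), "scope": req["scope"],
                "id_token": make_jwt(claims, SIGNING_KEY)}


def run_flow(bank: BankAuthServer, tpp: TPPClient, now=None) -> dict:
    """Full round trip; returns the validated subject, the access token and the code."""
    now = time.time() if now is None else now
    callback = bank.authorize(tpp.start(), authenticated_user="customer-42")
    code = tpp.handle_callback(callback)
    tokens = bank.token(code, tpp.verifier, CLIENT_ID, now)
    claims = tpp.validate_id_token(tokens["id_token"], now)
    return {"sub": claims["sub"], "access_token": tokens["access_token"], "code": code}
```

Three checks in the block are the ones that most often go missing in real integrations: the `state` comparison on the callback, the PKCE verifier check at the token endpoint, and the single-use consumption of the authorization code. Each of them closes a distinct attack (login CSRF, code interception, code replay), and the bank's `authorize` step is where its own strong customer authentication of the user takes place.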

Strong Authentication

According to PSD2, strong customer authentication means that a login or transaction is authenticated using two or more elements from the following three independent categories:

  • Knowledge: something the user knows (e.g. password, PIN)
  • Possession: something the user possesses (e.g. device, hardware token)
  • Inherence: something the user is (e.g. fingerprint, face recognition)

The elements must be independent, so that compromising one does not compromise the others: a password plus a one-time code delivered to the same phone that runs the banking app is weaker than a password plus a separate hardware token.

CoffeeBean has a complete solution for strong authentication, composed of a Multi-Factor Authentication (MFA) solution, Authentication Intelligence and Adaptive Authentication.

This solution includes a module based on FIDO (Fast IDentity Online) that supports the Universal Authentication Framework (UAF), Universal Second Factor (U2F) and FIDO2 specifications. UAF uses biometrics (face, iris, fingerprint recognition, etc.) to provide passwordless authentication at a high security level, while U2F and FIDO2 allow authentication with external hardware authenticators (security keys) for maximum security in an MFA context.
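To show what a FIDO2 assertion actually proves in terms of the three categories above, here is an added example (not CoffeeBean's code) of the relying-party checks on a WebAuthn authentication response: it parses the authenticatorData structure (rpIdHash, flags, signature counter) and the clientDataJSON, rejects assertions for the wrong relying party, origin or challenge, detects a non-increasing counter, and reports whether the assertion evidences one category (possession only, user-presence flag) or two (possession plus a PIN or biometric verified on the authenticator, user-verified flag). The sample assertion is constructed in the block itself; the ECDSA signature check over authenticatorData and the hash of clientDataJSON is deliberately left out, because the standard library has no ECDSA, and must be done with the registered public key before any of these results are trusted. Whether a given deployment's elements count as independent under PSD2 remains a compliance judgement that no code makes for you.

```python
# Added example: relying-party checks on a FIDO2/WebAuthn assertion, mapped to the
# SCA categories it evidences. The sample assertion is constructed below; the
# ECDSA signature check over authenticatorData || SHA-256(clientDataJSON) is left
# out (no ECDSA in the standard library) and must be done with the registered key.
import hashlib
import json
import struct

FLAG_UP = 0x01   # user present: the authenticator was touched
FLAG_UV = 0x04   # user verified: PIN or biometric checked on the authenticator


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    flags = auth_data[32]
    return {"rp_id_hash": auth_data[:32], "flags": flags,
            "sign_count": struct.unpack(">I", auth_data[33:37])[0],
            "user_present": bool(flags & FLAG_UP),
            "user_verified": bool(flags & FLAG_UV)}


def check_assertion(auth_data: bytes, client_data_json: bytes, rp_id: str,
                    expected_challenge: str, expected_origin: str,
                    stored_sign_count: int) -> dict:
    """Relying-party validation of one assertion; raises on anything suspicious."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if client.get("challenge") != expected_challenge:
        raise ValueError("challenge mismatch: replayed or foreign assertion")
    if client.get("origin") != expected_origin:
        raise ValueError("origin mismatch: assertion made on another site")
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("assertion is scoped to a different relying party")
    if not ad["user_present"]:
        raise ValueError("user-presence flag not set")
    if stored_sign_count and ad["sign_count"] <= stored_sign_count:
        raise ValueError("signature counter did not increase: cloned authenticator?")
    # The private key lives in the authenticator, so a valid assertion proves possession.
    categories = {"possession"}
    if ad["user_verified"]:
        # UV means a PIN (knowledge) or biometric (inherence) was checked locally;
        # only then does one assertion evidence two of the three SCA categories.
        categories.add("knowledge_or_inherence")
    return {"sca_two_categories": len(categories) >= 2,
            "categories": sorted(categories), "new_sign_count": ad["sign_count"]}


def build_authenticator_data(rp_id: str, user_present: bool, user_verified: bool,
                             sign_count: int) -> bytes:
    """Construct a sample authenticatorData (no attested credential data / extensions)."""
    flags = (FLAG_UP if user_present else 0) | (FLAG_UV if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def build_client_data(challenge: str, origin: str) -> bytes:
    """Construct a sample clientDataJSON as the browser would serialise it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


if __name__ == "__main__":
    # Constructed sample: security key touched and PIN-verified at bank.example,
    # counter moved from the stored 3 to 7.
    result = check_assertion(
        build_authenticator_data("bank.example", True, True, 7),
        build_client_data("c0ffee", "https://bank.example"),
        "bank.example", "c0ffee", "https://bank.example", stored_sign_count=3)
    print(result)
```

The practical consequence for an SCA deployment is the `user_verified` flag: a relying party that accepts a touch-only (UP without UV) assertion has only verified possession of the key and still needs a second element from another category, so the request should set `userVerification: "required"` and the server must check the flag rather than trust the client.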

Identity and Access Platform for PSD2

CoffeeBean Identity and Access Platform helps banks, TPPs, retailers and any other business that must comply with this regulation, at different levels, by providing high-standard technologies for open APIs, strong authentication and biometrics.

Besides the API protocols and the MFA for strong authentication, our solution provides authentication and transaction risk analysis, bringing an additional layer of security to your applications.

CoffeeBean's platform securely manages user identities and collects data that can be used for Know Your Customer (KYC) solutions. It also integrates with SIEMs and threat intelligence services.

When managing identities and data, the solution facilitates the process of collecting, storing and editing users' consent, helping your business comply with other privacy regulations as well, such as GDPR.

Contact us to discuss how CoffeeBean can help with your PSD2 project.
