Securiti AI Launches Context-Aware LLM Firewalls to Secure GenAI Applications
View
Digital commerce is one of the largest growing markets in the world, with an expected total transaction value of US$6.03tn in 2023, as statistics claim. These statistics illustrate the reality of how money flows across the globe today. As a result, regional regulatory authorities have enacted regulations and standards to establish guardrails for customers’ financial data. These legal provisions and frameworks further hold financial services, payment services, and banking institutions accountable for customer data protection and privacy.
The Revised Payment Services Directive (PSD2) is one such regulation that aims to make electronic payments safer while contributing to the integrated electronic payment market. One key aspect that makes PSD2 a fairly distinct yet much-needed regulatory framework in the current era is the regulation of open banking practices. After all, third-party access to sensitive bank account credentials is a serious concern among many consumers, although it is necessary for innovation.
Read on to explore more about PSD2 compliance, the regions and businesses it impacts, its primary regulatory requirements, and what businesses must do to ensure compliance.
PSD2 stands for the second or revised Payment Services Directive regulation. It is the amended version of the initial PSD regulation, which took effect in 2007, seeking to unify the European Union (EU) payment market and to regulate payment services and payment service providers. Subsequently, the retail payments market has witnessed notable technological innovation, marked by a swift increase in electronic and mobile payments, along with the emergence of new payment services in the marketplace. These developments pose challenges to the existing framework. The PSD underwent revisions in 2009, focusing on charges related to cross-border and national payments in euros. Furthermore, in 2012, additional updates were made to regulations on cross-border payments and multilateral interchange fees.
The proposed amendments (PSD2) were introduced in 2013 by the European Commission, seeking to enhance the initial objectives while proposing improvements for customer protection, increased business competition, promoting a level-playing field, and reinforcing payment transaction security.
After multiple extensions to the enforcement deadline, PSD2 became applicable in January 2018. At its core, the regulation introduces some important business-focused regulatory standards: Strong Customer Authentication (SCA), open APIs for third-party access, increased transparency, quick resolution for customer complaints, and removal of credit card surcharges.
Here’s a quick look at the complete PSD2 timeline from its inception to its enforcement:
2007 - The first Payment Services Directive went into effect. The directive establishes rules for all types of electronic and non-cash payments across the European Economic Area.
2013 - A proposal for the second Payment Services Directive (PSD2) was proposed by the European Commission (EC) to fulfill the demand for new types of payment services or modes.
2015 - The EU adopted PSD2 to improve the existing rules and take new digital payment services into account.
2018 - PSD2 became applicable. It includes provisions to facilitate and secure internet payment services, protect consumers from fraud and payment issues, encourage innovation in mobile and internet payments, reinforce consumer rights, and enhance the European Banking Authority's (EBA) coordinating role in supervisory coordination and technical standard drafting.
2019 - Strong Customer Authentication (SCA) requirements of PSD2 came into force.
PSD2 applies directly to payment services providers, including banking institutions and payment processors operating in the European Economic Area (EEA). However, the regulation may have a far-reaching application, including organizations outside the EU. For instance, multi-national organizations that have operations in the EU are impacted by PSD2. Similarly, businesses that have transactions with EU citizens or those that collect and process the payment transactions of EU citizens from outside the EU.
It is also critical to note that businesses with regional units in the EU member nations must ensure their regional units are PSD2 compliant. In case of non-compliance, organizations may face continuous disruption with payment transactions or authorizations. This raises legal concerns and may cause significant dissatisfaction among customers.
As mentioned above, businesses are obliged to comply with the regulation to ensure compliance and prevent any legal consequences. PSD2 compliance further promotes trust amongst consumers as it demonstrates an organization's practices and policies regarding customers’ data protection and privacy. Apart from compliance, there are a number of other benefits that businesses reap with PSD2 compliance.
For instance, PSD2 provides businesses with a robust mechanism to enable customer data protection. Strong Customer Authentication (SCA) is an optimal mechanism for protection against fraud and unauthorized access to sensitive assets, such as bank accounts. By demonstrating compliance, businesses can reassure their customers that their transactions and financial data are fully protected
Similarly, with provisions concerning open APIs, PSD2 opens doors to more business opportunities. These APIs allow Account Information Service Providers (AISPs) to access customers’ data once their consent is obtained. With access to customer data, businesses can widen their intelligence around customer insights to improve product experiences, decision-making, and service offerings.
All in all, compliance with the Payment Services Directive isn’t just a legal requirement. In fact, it is a strategic move to foster innovation and open doors to increased business opportunities. It can help businesses rise and stay at the top of the competitive digital payment market.
Let’s look at the topmost important requirements mentioned in the Directive.
Provisions related to consent are provided under Article 64 of the Directive. The Directive gives more control to consumers when it comes to payment authorizations. Payment transactions are authorized only when the payer (payment service users or consumers) explicitly consents to the transaction. The regulation leaves the decision regarding the consent mode up to the payer and the payment service provider. However, the payment transaction may be authorized by the payer either before or after the transaction. In the absence of valid consent, a payment transaction will be considered unauthorized. Consent may also be withdrawn at any given time by the payer; however, once a payment order has been received by the payer's payment service provider, the payment service user cannot revoke it. Withdrawal of consent for a series of payment transactions renders any future transactions unauthorized.
Payment initiation services (PIS) enable users to initiate payment transactions directly from their bank accounts, bypassing the need for credit or debit cards. Through a secure channel provided by third-party payment service providers (PSPs), consumers authorize payments to merchants or other service providers.
Under Article 66 of the Directive, these service providers shall:
An account information service is a type of regulated service that provides consolidated information on payment accounts held by a payment service user with various payment service providers. It enables users and businesses to get a global view of their data by aggregating it in a single place. Article 67 of the Directive gives clear guidelines with respect to access rules. The Account Information Service Providers shall:
To seek authorization as a payment institution, an application must be submitted to the competent authorities of the home Member State. The application should include a security policy document comprising a thorough risk assessment related to payment services and a description of security controls and mitigation measures to safeguard payment service users from identified risks, such as fraud and illegal use of sensitive data. The document must outline the applicant's assurance of maintaining a high level of technical security and data protection, encompassing software and IT systems used by the applicant or any outsourced entities handling its operations.
In the event of a significant operational or security incident, payment service providers must, without undue delay, notify the competent authority in their home Member State. If the incident affects the financial interests of payment service users, the provider must, without undue delay, also inform users of the incident and suggest measures to mitigate its adverse effects. Upon receiving this notification, the competent authority of the home Member State must expeditiously share relevant details of the incident with the European Banking Authority (EBA) and the European Central Bank (ECB). Additionally, after evaluating the incident's relevance, the competent authority notifies other relevant authorities in that Member State without undue delay.
According to Article 21 of PSD2, Member States shall require payment institutions to maintain all relevant records for a minimum period of five years.
The Directive sets out strict provisions for streamlining digital payments and protecting payers' financial information. The Strong Customer Authentication (SCA) provision is laid out in Article 97 of the Directive. Regarding the initiation of electronic payment transactions, member states are required to ensure that, for electronic remote payment transactions, payment service providers implement robust customer authentication. This authentication process should include elements that dynamically connect the transaction to a specific amount and a designated payee. The provision goes beyond the traditional credit card validation (CCV) authentication, requiring a stronger authentication mechanism. Here, multi-factor authentication comes into play.
Multi factor Authentication (MFA) provides an added layer of security, further ensuring that the person trying to access the account or making the transaction is indeed the rightful owner. The Directive defines SCA as authentication that is based on two or more components that can be used for login. These components are designed to operate independently, ensuring that a breach in one component does not undermine the reliability of the others. Moreover, the design is specifically structured to safeguard the confidentiality of the authentication data. These components include
Member States must guarantee that a payment service provider implements robust customer authentication when the payer:
(a) Accesses its payment account online;
(b) Initiates an electronic payment transaction;
(c) Performs any action through a remote channel that may pose a risk of payment fraud or other abuses.The authentication is generally done through encrypted APIs and channels to enhance the security of payment transactions.
PSD2 provides a flexible provision when it comes to penalties for non-compliance. Article 103 of the Directive allows Member States to define their respective rules for penalties in case of violation of the national law transposing the directive and shall take necessary measures for their implementation. These penalties shall be effective and proportionate to the violation. Moreover, any violation or infringement must also be publicly disclosed unless the disclosure would cause a disruption in the financial market or disproportionate damages to the parties involved.
PSD2 fosters open banking, requiring banking institutions to link their services with third-party providers. While open banking may promote enhanced customer experience and seamless payment transactions, it also risks customers’ financial sensitive data.
PrivacyOps, an integration of Securiti’s Data Command Center, enables banks and financial institutions to protect their customers’ sensitive data while meeting compliance in a unified fashion. The solution can help get a unified view of all your sensitive data across all clouds, enabling you to classify data, link financial data to consumers, identify risks, and implement robust security, governance, and compliance controls.
Request a demo to see Securiti PrivacyOps in action.
Get all the latest information, law updates and more delivered to your inbox
May 2, 2024 knowledge-center
Here’s what you should know about automated decision-making under GDPR and the best practices to ensure compliance with the relevant regulatory requirements.
April 3, 2024 knowledge-center
Find out about SOC 2 compliance, who are able to conduct internal audits, and the steps required to be in compliance with the security...
March 20, 2024 knowledge-center
Learn how to ensure CAN-SPAM Act compliance, whom it applies to, key provisions, and best practices, and avoid noncompliance penalties.
At Securiti, our mission is to enable organizations to safely harness the incredible power of Data & AI.
Copyright © 2024 Securiti · Sitemap · XML Sitemap
info@securiti.ai
Securiti, Inc.
300 Santana Row
Suite 450
San Jose, CA 95128
