Back to: Blog Author: Piotr Pawłowski Published on: November 1, 2023

PSD2 and Data Security: What You Need to Know


The financial industry is undergoing a significant transformation, propelled by technological advancements and regulatory changes. The Revised Payment Services Directive (PSD2) is at the forefront of this transformation, aiming to create a more integrated, competitive, and secure European payments industry. A critical aspect of PSD2 is its focus on enhancing data security, particularly for Account Information Service Providers (AISPs) and other financial entities. This article delves into the technical aspects of PSD2’s data protection and security measures, providing examples, names, and suggestions of technical solutions to help entities comply with these rigorous standards.

Understanding PSD2’s Security Mandates

PSD2 has introduced several security requirements to protect user data and ensure the integrity of financial transactions. These include Strong Customer Authentication (SCA), secure application programming interfaces (APIs), and robust data encryption.

Strong Customer Authentication (SCA)

SCA requires at least two out of three authentication elements for accessing financial data and initiating transactions: something the user knows (knowledge), something the user possesses (possession), and something the user is (inherence).

  • Example: A customer wants to access their account information through a mobile banking app (an AISP). To authenticate, they must provide their password (knowledge), a one-time passcode sent to their mobile device (possession), and their fingerprint (inherence).
  • Technical Solutions:
    • Multi-factor authentication solutions such as Duo Security or RSA SecurID
    • Biometric authentication systems, like fingerprint or facial recognition scanners
Secure Communication

PSD2 mandates that all communication between entities, including AISPs, PISPs, and banks, be secured to protect data in transit.

  • Example: An AISP requests account information from a bank on behalf of a user. The communication between the AISP and the bank’s API must be encrypted using Transport Layer Security (TLS) to ensure data security.
  • Technical Solutions:
    • TLS for secure data transmission
    • OAuth 2.0 for secure authorization
    • API gateways like Kong or Apigee to manage and secure API access
Data Encryption

Under PSD2, financial entities must ensure the confidentiality and integrity of stored user data through robust encryption techniques.

  • Example: An AISP stores user account information for quicker access. This data must be encrypted at rest using algorithms like Advanced Encryption Standard (AES) to protect it from unauthorized access.
  • Technical Solutions:
    • Disk encryption tools like dm-crypt for Linux or BitLocker for Windows
    • Database encryption solutions such as MongoDB’s Encrypted Storage Engine or Microsoft SQL Server’s Transparent Data Encryption (TDE)

Enhancing Data Security: Best Practices and Recommendations

To comply with PSD2’s security mandates and ensure the protection of user data, financial entities, including AISPs, should adopt a comprehensive approach to data security.

Regular Security Audits and Vulnerability Assessments
  • Conducting regular security audits and vulnerability assessments helps identify and mitigate potential security risks.
  • Technical Solutions:
    • Automated vulnerability scanners like Nessus or OpenVAS
    • Penetration testing tools such as Metasploit or Burp Suite
Strong Access Controls and Authentication Policies
  • Implementing strong access controls and authentication policies ensures that only authorized personnel have access to sensitive data.
  • Technical Solutions:
    • Identity and Access Management (IAM) solutions like Okta or Microsoft Azure Active Directory
    • Role-Based Access Control (RBAC) to define and assign access permissions based on user roles
Secure Software Development Life Cycle (SDLC)
  • Adopting a secure SDLC ensures that security is integrated into the software development process, from design to deployment.
  • Technical Solutions:
    • Static Application Security Testing (SAST) tools like Veracode or Checkmarx
    • Dynamic Application Security Testing (DAST) tools such as OWASP ZAP or Acunetix
Data Anonymization and Tokenization
  • When possible, financial entities should anonymize or tokenize user data to reduce the impact of potential data breaches.
  • Technical Solutions:
    • Data anonymization tools like ARX Data Anonymization Tool
    • Tokenization solutions such as TokenEx or Bluefin
Incident Response and Data Breach Preparedness
  • Having a well-defined incident response plan and being prepared for potential data breaches are crucial for minimizing the impact of security incidents.
  • Technical Solutions:
    • Incident response platforms like TheHive or IBM Resilient
    • Security Information and Event Management (SIEM) systems such as Splunk or LogRhythm for real-time analysis and alerting

PSD2 has set a new standard for data security in the financial industry, mandating stringent security measures to protect user data and ensure the integrity of financial transactions. By implementing strong customer authentication, secure communication, data encryption, and adopting best practices for data security, AISPs and other financial entities can comply with PSD2’s requirements and foster a secure and trustworthy digital financial ecosystem. As technology continues to evolve, staying vigilant and proactive in enhancing data security will remain paramount in the ever-changing landscape of financial services.

Work with the best experts in the fintech industry!

Do you have a project in mind?

Let's talk