
Mobile apps and PSD2 compliance: How Guardsquare can help

The digitization of financial services and the advent of open banking have game-changing implications for service providers and consumers alike. Correct compliance with the EU's revised regulatory framework, PSD2, is key to the successful transition of online payment service providers (i.e. banks and financial services firms) to API-led connectivity and a more competitive and innovative market. Guardsquare provides security solutions that fit within the Zero Trust security model and safeguard mobile apps against reverse engineering and hacking, and that help meet the RTS implementation requirements for PSD2 compliance. Our solutions also enable a Trusted Execution Environment for processing electronic payments on mobile devices.

The following article sums up what PSD2 means for your apps and business, and how Guardsquare can help with compliance before the directive comes into full effect in all 28 EU member states on December 31st, 2020.

PSD2

PSD2 revolutionizes online payments by giving banks and non-banking third party players (TPPs) access to consumer bank account information, while (1) enforcing higher security measures for consumer payments, (2) fostering innovation and (3) encouraging competition among all service providers. Complying with PSD2 regulations enables the optimization and democratization of e-payment services and enhances customer experience and retention. As PSD2 grants new access rights to TPPs and banks, it also enforces stricter security measures for consumer account information.

In short, PSD2 is responsible for two key changes, for which the implementation requirements are defined by the Regulatory Technical Standards (RTS):

  1. Provisions on Strong Customer Authentication (SCA) for online payments to provide an increased level of security of electronic payments. For mobile and remote payments, SCA must additionally be ensured by using a unique authentication code to dynamically link the transaction to a specific amount and specific payee.
  2. Common and secure open standards of communication (CSC) to safely share payment account data or initiate payment transactions, by (1) providing an API for secure information exchange and (2) adapting the customer online banking interface to provide access to TPPs.
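As an added illustration of the dynamic-linking requirement in item 1 (example code written for this article, not Guardsquare's product code or the RTS text): the authentication code is an HMAC over the amount, currency, payee and a server-issued single-use challenge, so changing the amount or the payee, or replaying the code against a fresh challenge, fails verification. The device key and IBANs are constructed sample values.

```python
import hmac
import hashlib
import json
import secrets
from decimal import Decimal

# Constructed sample: a per-device key held by the enrolled app and by the
# bank's backend. Real deployments derive and store it in protected storage.
DEVICE_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c" * 2)


def canonical_transaction(amount: str, currency: str, payee: str, challenge: str) -> bytes:
    """Serialize the details shown to the payer unambiguously.

    Decimal normalisation makes "10.5" and "10.50" identical; JSON with sorted
    keys and fixed separators avoids delimiter ambiguity in payee strings.
    """
    fields = {
        "amount": str(Decimal(amount).quantize(Decimal("0.01"))),
        "currency": currency.upper(),
        "payee": payee,
        "challenge": challenge,  # server-issued, single use: binds the code to this transaction
    }
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def authentication_code(key: bytes, amount: str, currency: str, payee: str, challenge: str) -> str:
    """Code the payer's device produces after the payer confirms amount and payee."""
    msg = canonical_transaction(amount, currency, payee, challenge)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_dynamic_link(key: bytes, code: str, amount: str, currency: str, payee: str, challenge: str) -> bool:
    """Backend check: the code is only valid for exactly these details and this challenge."""
    expected = authentication_code(key, amount, currency, payee, challenge)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Genuine transaction verifies; any change to amount or payee, or a replay, does not."""
    challenge = secrets.token_hex(16)
    payee = "DE89370400440532013000"  # constructed sample IBAN
    code = authentication_code(DEVICE_KEY, "125.00", "EUR", payee, challenge)
    return {
        "genuine": verify_dynamic_link(DEVICE_KEY, code, "125.00", "EUR", payee, challenge),
        "amount_changed": verify_dynamic_link(DEVICE_KEY, code, "1250.00", "EUR", payee, challenge),
        "payee_changed": verify_dynamic_link(DEVICE_KEY, code, "125.00", "EUR", "GB29NWBK60161331926819", challenge),
        "replayed": verify_dynamic_link(DEVICE_KEY, code, "125.00", "EUR", payee, secrets.token_hex(16)),
    }
```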

How can Guardsquare help?

Protecting your financial transactions at the app level is the most effective way to prevent unauthorized access to your application's services. As the global reference in mobile application security, Guardsquare provides software that protects SCA implementations and enables a Trusted Execution Environment for processing electronic payments on mobile devices.

Our solutions fulfill PSD2/RTS implementation requirements by correctly applying hardening techniques at critical code locations through:

  • Application and code integrity, to ensure the overall integrity of banking apps and SDKs.
  • Environment integrity of the device(s) on which apps are run, via root/jailbreak, hook and debugging detection.
  • Code obfuscation techniques, in order to protect against reverse engineering and tampering during electronic/online payments.
  • Asset/resource encryption, to ensure the protection of app assets/resources including certificates, configuration files, etc.
  • Device fingerprinting, to safely and uniquely identify mobile devices.
  • Hardened SSL pinning, to ensure apps communicate with the intended servers.

Each technique enables PSD2 compliance specifically through its fulfillment of RTS Articles 4/3(c), 6, 7, 8, 9, 21/2(a) and 22/1(b), as shown below:

PSD2 compliance with Guardsquare

Conclusion

As mobile applications become a critical part of financial infrastructures, app security and compliance become imperative for any successful IT security model today, such as Zero Trust. Our software (DexGuard, iXGuard) helps ensure the overall effectiveness of your IT security architecture by safeguarding your mobile endpoint. Ensuring app and platform integrity, by preventing reverse engineering and hacking, is also vital to meeting several of the requirements discussed in PSD2.

Our technical solutions fulfill specific PSD2/RTS requirements, such as:

  • Obfuscation of critical code and resources used for unique identification, to prevent replication of the information used to uniquely identify the device.
  • Software and platform integrity testing, to ensure a trusted/secure execution environment.
  • Device fingerprinting, to prevent the device hosting the app from being used by an unauthorised person.
  • SSL pinning, to protect communications to the backend from eavesdropping or interception.